d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 04:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe
Size

260KB
MD5

e2cbfa7c2535dccb0498e65a13d663e0
SHA1

d09b49a7cf5b57199a449379dfb14d6bd27254ee
SHA256

d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead
SHA512

73121287523b692ad2b72ab1d8298b2fa76cee13019061dfbd1d779275b271bbbcfe4fbf616c265cc082ea2de4105264a819fbfd58d6938afada76386304c928
SSDEEP

1536:pM3SHuJV9N1ILFkbeumIkA39xSZW175V7UZQJ0UjsWpcdVO4Mqg+aJRaCAd1uhNS:pMkuJVL1LRkgUA1nQZwFGVO4Mqg+WDY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2748	Logo1_.exe
2440	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe

Loads dropped DLL 1 IoCs

pid	Process
2556	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe
File created	C:\Windows\Logo1_.exe	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2748	Logo1_.exe
2748	Logo1_.exe
2748	Logo1_.exe
2748	Logo1_.exe
2748	Logo1_.exe
2748	Logo1_.exe
2748	Logo1_.exe
2748	Logo1_.exe
2748	Logo1_.exe
2748	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2556	2872	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	28
PID 2872 wrote to memory of 2556	2872	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	28
PID 2872 wrote to memory of 2556	2872	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	28
PID 2872 wrote to memory of 2556	2872	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	28
PID 2872 wrote to memory of 2748	2872	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	29
PID 2872 wrote to memory of 2748	2872	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	29
PID 2872 wrote to memory of 2748	2872	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	29
PID 2872 wrote to memory of 2748	2872	d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe	29
PID 2748 wrote to memory of 2544	2748	Logo1_.exe	31
PID 2748 wrote to memory of 2544	2748	Logo1_.exe	31
PID 2748 wrote to memory of 2544	2748	Logo1_.exe	31
PID 2748 wrote to memory of 2544	2748	Logo1_.exe	31
PID 2544 wrote to memory of 2624	2544	net.exe	33
PID 2544 wrote to memory of 2624	2544	net.exe	33
PID 2544 wrote to memory of 2624	2544	net.exe	33
PID 2544 wrote to memory of 2624	2544	net.exe	33
PID 2556 wrote to memory of 2440	2556	cmd.exe	34
PID 2556 wrote to memory of 2440	2556	cmd.exe	34
PID 2556 wrote to memory of 2440	2556	cmd.exe	34
PID 2556 wrote to memory of 2440	2556	cmd.exe	34
PID 2556 wrote to memory of 2440	2556	cmd.exe	34
PID 2556 wrote to memory of 2440	2556	cmd.exe	34
PID 2556 wrote to memory of 2440	2556	cmd.exe	34
PID 2748 wrote to memory of 1132	2748	Logo1_.exe	20
PID 2748 wrote to memory of 1132	2748	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1132
- C:\Users\Admin\AppData\Local\Temp\d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe
  "C:\Users\Admin\AppData\Local\Temp\d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a281A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe
      "C:\Users\Admin\AppData\Local\Temp\d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe"
      4⤵
      Executes dropped EXE
      PID:2440
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
9f4db9169bc4c2cb9ae29c63e23c9211

SHA1
43b5413ad63389b7fc2616bce8f1512df14c9cac

SHA256
0cc00fdc207b21cd348a30390a3e24141effb188c0ffa1d2333f8a4fd5102c01

SHA512
20852e014d46e5f1c57249106d5a4771ef5dc177a278cc8827c3814e24a5f2219c766d3faf2b7724d6cff2cd9a1db24447e53b5e0cef1508ea4b81d26aa91e1e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
c2896b1eaaa71425b83650a70d538088

SHA1
f79c6bc80ecf8b44392e8246ba5fbaff53bf600c

SHA256
6b3df95b82ba5605c64fec3348cf631dfdd3665db4487332dffecf2adba34b2c

SHA512
39090078ac16120c6d7e359da9b54736c1cde63002f5cabb00647238d407b74f368b49d0ab041325f16abdd87b7420343045a1047c3174139231ceb6440550d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a281A.bat

Filesize
722B

MD5
40043453c1ca55c282119ec69f993ddb

SHA1
bbf389ae6774af5bcde74791f94b82e2e1a765d2

SHA256
ff237766e15464a8283d0938a607b7957f1985ee9ff61ced8a1ac3ec7cdba2df

SHA512
6e92a1afee6e4712f6fc87f72e715b263b110301416d97997c098a4cf4edbb7ec2736506616e6f0e66f4ab0c21a2326c1499b78dffbe890e44a541d019f70bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d123d39c153b968fd4a0a7f4f5b488778e48b1bcf45e37a9956e84c710a2dead.exe.exe

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
ffd4c08e47961e2de68bbe4105d8d26a

SHA1
4cfa8ccbd7efb2e91d193765ff10a7db5672ee66

SHA256
8145b427321f639aea369886bf367b29002dd11e45087b4361f7da2c0eff2791

SHA512
d755ae9bea63b39f99d3ed5a3396af855984d1afff1df4d7107342ec6ace5cb1b91cbd96d27770ccafd5e4f78e7616f99f92def5c0a9c74862b229e12e8be60a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
9B

MD5
7d17b811a66f09661920bf5af1f95ae9

SHA1
f974fb71f0c9242357d308243f16d5509a0fb040

SHA256
1ffbf32a83283a76202c268eb3ea579c4b39aa6fb11fc42ad18318286fbf749c

SHA512
019689bb28dd360a9b3fe6696944854f806ebe877734f4f8533f7c2508d371049a96f6c7bd5dda908ab91686dbfba4a54335cbc6c4d649775e62912f0af730e3

Download Submit
memory/1132-29-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2748-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-1120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-1849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-3308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2872-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2872-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download