996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe
Size

43KB
MD5

ec472ea21659c69224b1109d26e98b63
SHA1

88dbe3034006da80c43c2d8da2f3440ee4b7efec
SHA256

996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334
SHA512

7c55ae6f1dae3a126f30bc873ab1b33a4ae55eeb95bdbc36af85ef8ab2a0d7ba160bfe7f02fa29d161bf79403937a777f10d7f6f4ccc0d8e40a067f2372dd7b0
SSDEEP

768:p3KT16GVRu1yK9fMnJG2V9dHS8/WQ3655Kv1X/qY1MSd:p6J3SHuJV9NDHqaNrFd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2304	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2292	Logo1_.exe
2752	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe

Loads dropped DLL 1 IoCs

pid	Process
2304	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe
File created	C:\Windows\Logo1_.exe	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2752	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2304	2804	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe	28
PID 2804 wrote to memory of 2304	2804	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe	28
PID 2804 wrote to memory of 2304	2804	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe	28
PID 2804 wrote to memory of 2304	2804	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe	28
PID 2804 wrote to memory of 2292	2804	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe	29
PID 2804 wrote to memory of 2292	2804	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe	29
PID 2804 wrote to memory of 2292	2804	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe	29
PID 2804 wrote to memory of 2292	2804	996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe	29
PID 2292 wrote to memory of 2392	2292	Logo1_.exe	31
PID 2292 wrote to memory of 2392	2292	Logo1_.exe	31
PID 2292 wrote to memory of 2392	2292	Logo1_.exe	31
PID 2292 wrote to memory of 2392	2292	Logo1_.exe	31
PID 2304 wrote to memory of 2752	2304	cmd.exe	33
PID 2304 wrote to memory of 2752	2304	cmd.exe	33
PID 2304 wrote to memory of 2752	2304	cmd.exe	33
PID 2304 wrote to memory of 2752	2304	cmd.exe	33
PID 2304 wrote to memory of 2752	2304	cmd.exe	33
PID 2304 wrote to memory of 2752	2304	cmd.exe	33
PID 2304 wrote to memory of 2752	2304	cmd.exe	33
PID 2392 wrote to memory of 2732	2392	net.exe	34
PID 2392 wrote to memory of 2732	2392	net.exe	34
PID 2392 wrote to memory of 2732	2392	net.exe	34
PID 2392 wrote to memory of 2732	2392	net.exe	34
PID 2292 wrote to memory of 1200	2292	Logo1_.exe	21
PID 2292 wrote to memory of 1200	2292	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe
  "C:\Users\Admin\AppData\Local\Temp\996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD0B.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe
      "C:\Users\Admin\AppData\Local\Temp\996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:2752
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
35c50162c24e761ad0549fa11015086c

SHA1
7a0fb869ba47515165e9b169f62b17884f612288

SHA256
f5ad8b7ec85e0179ff31b2e81f9e5b87a1709bbf43477cb8ecbc26d240af6ba8

SHA512
8d4ea51c1c78737d68ec2474a39c794582a06d6e1d6a7afed0d2e91d98ebfeaffe0c9c74de5befe1cc7304f9deb7bd445e83ba716099ed7ff5957abe693b531e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
c14a5111b798cff20d7d66b0e035d409

SHA1
29f0894552b30815fed6ad231b5721e876869552

SHA256
fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6

SHA512
a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD0B.bat

Filesize
721B

MD5
fd26f23140b28d9ad5eabd41695b53e2

SHA1
76f47d1a132a7efbe64647af6d6dd2ef175e4402

SHA256
3ed6837ec2e6d68d7f75747c27f88491cecae11159a50ccb1132a032c354f10a

SHA512
9cd21192a29c077fe6d41c9d5ba398b4fd38c64dce4524e81672bd951e20fee52c39be8a1ffd57ced33e0a441e9f6f3b46454b68b14fec4819e18ce931b495ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\996e392337632ecb6f33cfd8d0d494b019402f17443b03e242cfd8b623d74334.exe.exe

Filesize
14KB

MD5
ad782ffac62e14e2269bf1379bccbaae

SHA1
9539773b550e902a35764574a2be2d05bc0d8afc

SHA256
1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8

SHA512
a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
8c6b85febc7553f8c09cbfeff36d858c

SHA1
67c9a9b4889f4fbfb42b86c58db4b1363b3fd8c7

SHA256
d21ab0f12887db876a7dd11b3bccbae582c84625947539c04cba611990bb39d7

SHA512
d7eb118f384316fa81306f8d8689ccd925a934f7984470873c2e9e304cc6f18e67c32b7b12509ca07e0eade2016f2909c1cc64914548c1ac835242f35e6c0aba

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1340930862-1405011213-2821322012-1000\_desktop.ini

Filesize
9B

MD5
2822854d33e24347f613c750df46b810

SHA1
c2ea2529c032aa552d5a8301900cf27fc0f6045c

SHA256
73f2f888bdeaf9427c7aa3355fbe711e6570fb5e9e48c3f64cd229198ce85ad2

SHA512
21fff5d14e03a0420d9242a095c2e93ac2b7e6b9e49d12da907394ac9725bb746896721ceded88411895e9630a8ffbface168f0c02630b33300647d3d9e3326c

Download Submit
memory/1200-30-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2292-640-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-3334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-2154-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-1874-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2804-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-16-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download