d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 14:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe
Size

3.0MB
MD5

7068ca7ab0b08a45be3189616a0981ab
SHA1

13790b2b37df8542892db4838c1e8820cee9130a
SHA256

d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e
SHA512

0fd2ebe99e3c2d817aa7783751a9ff2d45746c74fcb20ab884526315fa72ded74d039213c1ca0ca79eaf431eaf11788361ffa950ce25e9236bba6a53eb1df704
SSDEEP

49152:dOnKV1GmNiJNiBkvEzs/7PDiYBJqgnv46z7153rfdc:dwDYijiS/7PDiYBJxJ5dc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	Logo1_.exe
2748	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe

Loads dropped DLL 4 IoCs

pid	Process
2208	cmd.exe
2748	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe
2748	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe
2748	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe
File created	C:\Windows\Logo1_.exe	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe
2204	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2748	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2208	2872	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe	28
PID 2872 wrote to memory of 2208	2872	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe	28
PID 2872 wrote to memory of 2208	2872	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe	28
PID 2872 wrote to memory of 2208	2872	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe	28
PID 2872 wrote to memory of 2204	2872	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe	30
PID 2872 wrote to memory of 2204	2872	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe	30
PID 2872 wrote to memory of 2204	2872	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe	30
PID 2872 wrote to memory of 2204	2872	d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe	30
PID 2204 wrote to memory of 2664	2204	Logo1_.exe	31
PID 2204 wrote to memory of 2664	2204	Logo1_.exe	31
PID 2204 wrote to memory of 2664	2204	Logo1_.exe	31
PID 2204 wrote to memory of 2664	2204	Logo1_.exe	31
PID 2664 wrote to memory of 2716	2664	net.exe	33
PID 2664 wrote to memory of 2716	2664	net.exe	33
PID 2664 wrote to memory of 2716	2664	net.exe	33
PID 2664 wrote to memory of 2716	2664	net.exe	33
PID 2208 wrote to memory of 2748	2208	cmd.exe	34
PID 2208 wrote to memory of 2748	2208	cmd.exe	34
PID 2208 wrote to memory of 2748	2208	cmd.exe	34
PID 2208 wrote to memory of 2748	2208	cmd.exe	34
PID 2208 wrote to memory of 2748	2208	cmd.exe	34
PID 2208 wrote to memory of 2748	2208	cmd.exe	34
PID 2208 wrote to memory of 2748	2208	cmd.exe	34
PID 2204 wrote to memory of 1204	2204	Logo1_.exe	21
PID 2204 wrote to memory of 1204	2204	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe
  "C:\Users\Admin\AppData\Local\Temp\d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a18BE.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe
      "C:\Users\Admin\AppData\Local\Temp\d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2748
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
cf823f44216d1c695cbb388843937b5f

SHA1
2ea48a151e1699e9ce9ba9681e635ce14d4da085

SHA256
bb6669dfa86ddab20f435009522d8df6e2e503b641bb65b116338e337c4c3104

SHA512
6a1afb35ec967f03db55636f1e01e699b8d1fdc62dade946978ec26013ba0a44a8d4ebc0d8723dc028c62674fa3db344588ab6bf83ecf65b47545e351debfb47

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
1ca79e3c2539763b0aaac5de49795afe

SHA1
2d240aef9a2cce22578f42ebecd3058e37a404a8

SHA256
e3e49eceb810b34fc826d70c6556d927a363f29c90b347ee4cfd61d7ba3ff2d9

SHA512
4e24d3ebcefa6545d85517bbc5bff3285f85a5967da1642a6e4e53bc2c41efc8b9092a3bbb56c1670b215d623ff5c320bcb06f654ac97482a5dff0da208349e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a18BE.bat

Filesize
722B

MD5
73b765acc8621acf77911706a9042096

SHA1
c55d1e0fb66cecc2ecd7f92b42f3f552f138a8d2

SHA256
3a01861b8b61e4f13ad7f6d2dcbd3412118c462cad798caf79da734e6490db5c

SHA512
24d416ee3ebff5d52c05db5b72c7a5952f99885a2f582b869ad9d082e81f10eeaa361c94339bb2c99251bc2b5ff12b4aacc4f20208c0691f6906709616fad3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7ff01923f66f0c2480391761e3e885c640df41c5d9935fbdad128471709d11e.exe.exe

Filesize
2.9MB

MD5
0b034269c98948c378cc41caeeec2691

SHA1
d6adfd8ceb33dcd1bf415900aafe889e29450699

SHA256
3e41b62ca8b78f95edef4d238ad411db8be8358af531ba373dfd76e2f1ace6fd

SHA512
2d0747353c6a46616854ca4a5e4f256138f531c0173710881f58cad40a01a57416331ce0c49b35923dc16889059e86c5fcefdf6264f1ff32c0c149f92e5d50a2

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
263fdf92db7400b1cdf4ebc4961adef4

SHA1
03f3c20d4e557bd7c1af8d3e49a61021f0bfc578

SHA256
0ae70243c1675a43383ede422438a0748689cdf8a0311c2b5ca55be987e3edc7

SHA512
c38d1e57b58250d888f9a7d251f2b57dd1be88f28cf77defad34d2cde00dd57763f46408ae2bd8790af5be752f3cdf00fe788122f851c8559b69c175670e5624

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

Filesize
8B

MD5
6890820ebb29213eaf25c92e56fd41ee

SHA1
b926083cf18461657f09f2a4af604f8fafa4ae29

SHA256
ddb532e0e9d9e9a382d9f92ef1e5e26eba608b5f3335f1b711d99044240af3f9

SHA512
5ebefef8f75ecb9fce8854606cb41402dabf66347ddbbd1075f5b94a5794fc4ca240c615eee930a6eedfd117e011afd8772aba2db2c83df0f376c84e8f512cda

Download Submit
memory/1204-36-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2204-821-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-3316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-51-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-2377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2204-1856-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2872-17-0x0000000001DA0000-0x0000000001DD6000-memory.dmp

Filesize
216KB

Download
memory/2872-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2872-16-0x0000000001DA0000-0x0000000001DD6000-memory.dmp

Filesize
216KB

Download
memory/2872-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download