2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 12:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe
Size

142KB
MD5

2393a15ef9bd961fbca6bdbb6febf154
SHA1

6e903e00bd2cb5ddaaa943612dc1c9052fce758d
SHA256

2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea
SHA512

6538c613b36f91276710c96eacd6d407bb18b2026d9a9cd9acf37c7db0513cdb41f883d73cf061a6a0cca218064cb4aa3b59eba9fa9ee75942e4166cc91228a9
SSDEEP

3072:hftffepVPXmZWXyaiedMbrN6pnoXPBsr5Zrt:pVfgPXSNaPM4loo5Z5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2312	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1988	Logo1_.exe
2724	2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	cmd.exe
2312	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{2B81D3B1-6134-4F8A-A160-385C02BE7682}\chrome_installer.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe
File created	C:\Windows\Logo1_.exe	2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1988	Logo1_.exe
1988	Logo1_.exe
1988	Logo1_.exe
1988	Logo1_.exe
1988	Logo1_.exe
1988	Logo1_.exe
1988	Logo1_.exe
1988	Logo1_.exe
1988	Logo1_.exe
1988	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2312	2380	2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe	31
PID 2380 wrote to memory of 2312	2380	2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe	31
PID 2380 wrote to memory of 2312	2380	2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe	31
PID 2380 wrote to memory of 2312	2380	2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe	31
PID 2380 wrote to memory of 1988	2380	2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe	32
PID 2380 wrote to memory of 1988	2380	2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe	32
PID 2380 wrote to memory of 1988	2380	2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe	32
PID 2380 wrote to memory of 1988	2380	2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe	32
PID 1988 wrote to memory of 1068	1988	Logo1_.exe	33
PID 1988 wrote to memory of 1068	1988	Logo1_.exe	33
PID 1988 wrote to memory of 1068	1988	Logo1_.exe	33
PID 1988 wrote to memory of 1068	1988	Logo1_.exe	33
PID 1068 wrote to memory of 528	1068	net.exe	36
PID 1068 wrote to memory of 528	1068	net.exe	36
PID 1068 wrote to memory of 528	1068	net.exe	36
PID 1068 wrote to memory of 528	1068	net.exe	36
PID 2312 wrote to memory of 2724	2312	cmd.exe	37
PID 2312 wrote to memory of 2724	2312	cmd.exe	37
PID 2312 wrote to memory of 2724	2312	cmd.exe	37
PID 2312 wrote to memory of 2724	2312	cmd.exe	37
PID 1988 wrote to memory of 1188	1988	Logo1_.exe	21
PID 1988 wrote to memory of 1188	1988	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe
  "C:\Users\Admin\AppData\Local\Temp\2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCC63.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe
      "C:\Users\Admin\AppData\Local\Temp\2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe"
      4⤵
      Executes dropped EXE
      PID:2724
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
e11871beadd1e16296ca2e88c8d5e774

SHA1
64c98d0b55e00a5aef431cf285c86030bac64b9f

SHA256
4e71f3d0a47c4d503c416a7290fd28209c5cbaf25751626af7f097d7df10d71b

SHA512
dc59104a94375a0258ee96407689c036f1bca19f5a9a7564a835e934b9238278d457d24fb3a6a0c4e8ffe8198bfebae60aba450239344c9e74411f627615299f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCC63.bat

Filesize
722B

MD5
59fb39e25d87ef76da267df3ca54f7a0

SHA1
ff99b2514e7b0e3b2d106189a768f96ccf29d885

SHA256
e99432dae93ec1560979bc8b5c22956ca2290a481223b77719dea90c5a30cf31

SHA512
23b6361d015b7aeec22a3c11ae8ca5d045e5745635a96e8f205db195b94da8af0eee51fa04acf83ae1b95a785f52dfb40998118bcccd3d377f659cdc6902fe2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2881367fb21d09434476b52cb5ac879e9165579e3ece129b08c75dc8caaa60ea.exe.exe

Filesize
116KB

MD5
14260726256d54de6ccb2eff1003c05c

SHA1
073c85b1d5dade530694ef00543698f16d39fd45

SHA256
3970359aee5c8cb9451c2c84ae6d4c859999a40ae955d8ade9abacba215a087a

SHA512
8bf2d18c0bc4cb42af52ff223199f3504caf73e99fd49dd489306d79364c57d2b5d61039d83cebf898aedc825ab52397613b498aa49b6714fb4fe485112b7d7d

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
2baf3b6dac6e813b0db68fadecb9e0a5

SHA1
1aca0077e090a90fe827bd1e5775e59600dbdcaa

SHA256
db3eb113e4b0349c2a1fdfb199b61df69158d220edf69f58ea0768244ee02269

SHA512
d03838146804f9a5a1ffcb564e9058372d88889b751502bb827345314662748b9fef6bef2fbe65750aa8c6f9406cf9e5a0dfc07bbddc9dffd54a761fb155ebbc

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\_desktop.ini

Filesize
8B

MD5
dad51e3f99562a570bb1182af054feaf

SHA1
b7fe437bfcc8d0745bf9cf3add29a6ce6cdb669d

SHA256
eecf9e0242482d54457b5a8f574245aae7badb5fcde35ebca2e0ca3c672c6903

SHA512
0d22ff0e9ed2f47d06bf6bb7c7969d5eb3e6680e4f289aede1c7af75d6efd856cb5d0e5989326233a8997f626cf5cbfcad1382759772ba7c56970eefcc63e1a3

Download Submit
memory/1188-30-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/1988-1877-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-3033-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-3338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download