d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe
Size

258KB
MD5

d3f2d3e13d28341a0cccbc01adedd184
SHA1

62550d29c50193d51bcfde0ac4b90b4a4bbf2f04
SHA256

d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16
SHA512

8c783b9d30f32d524aa8261b0f78c8fea2a20a4f5d53e1667e3918a0dcea9b56ece0f996e4d18bdc595612f6d67bd780a61bc93eba624959552c32436818d6d3
SSDEEP

1536:s3SHmLKarIpYQILFkbeumIkA39xSZW175V7UZQJ0UjsWpcdVO4Mqg+aJRaCAd1uq:skF3plLRkgUA1nQZwFGVO4Mqg+WDY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2364	Logo1_.exe
2816	d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe

Loads dropped DLL 1 IoCs

pid	Process
2676	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe
File created	C:\Windows\Logo1_.exe	d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe
2364	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2676	844	d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe	30
PID 844 wrote to memory of 2676	844	d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe	30
PID 844 wrote to memory of 2676	844	d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe	30
PID 844 wrote to memory of 2676	844	d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe	30
PID 844 wrote to memory of 2364	844	d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe	31
PID 844 wrote to memory of 2364	844	d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe	31
PID 844 wrote to memory of 2364	844	d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe	31
PID 844 wrote to memory of 2364	844	d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe	31
PID 2364 wrote to memory of 2704	2364	Logo1_.exe	32
PID 2364 wrote to memory of 2704	2364	Logo1_.exe	32
PID 2364 wrote to memory of 2704	2364	Logo1_.exe	32
PID 2364 wrote to memory of 2704	2364	Logo1_.exe	32
PID 2704 wrote to memory of 2584	2704	net.exe	35
PID 2704 wrote to memory of 2584	2704	net.exe	35
PID 2704 wrote to memory of 2584	2704	net.exe	35
PID 2704 wrote to memory of 2584	2704	net.exe	35
PID 2676 wrote to memory of 2816	2676	cmd.exe	36
PID 2676 wrote to memory of 2816	2676	cmd.exe	36
PID 2676 wrote to memory of 2816	2676	cmd.exe	36
PID 2676 wrote to memory of 2816	2676	cmd.exe	36
PID 2676 wrote to memory of 2816	2676	cmd.exe	36
PID 2676 wrote to memory of 2816	2676	cmd.exe	36
PID 2676 wrote to memory of 2816	2676	cmd.exe	36
PID 2364 wrote to memory of 1196	2364	Logo1_.exe	21
PID 2364 wrote to memory of 1196	2364	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe
  "C:\Users\Admin\AppData\Local\Temp\d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a22BD.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe
      "C:\Users\Admin\AppData\Local\Temp\d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe"
      4⤵
      Executes dropped EXE
      PID:2816
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
fa896b1a1baf5f45aea85220ab7e1451

SHA1
67ebf535abc679003bc0287f6609928254099548

SHA256
5e936af51fa0d229ec5bdd438cb8deb162b49ec6a2c4e0bd1440a0520b411af0

SHA512
7df32225824d5ae6be9c6c7789332a1b0f2b9928b143e45847f1a4f1179952366309a5cc6755abbfb1e55fb19b069f20515d3b72c6be22c67f39d827f4728c4b

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a22BD.bat

Filesize
722B

MD5
39b4ae30784f6d8b11814bb0092b58b8

SHA1
b1490f56bb136ada1b68debb8d387bf8e196cc6c

SHA256
7f024d32928076d9c8c4195b13f29720c4db56b0c575b1500e1541cb9acb7caf

SHA512
ce485e0b2b23da9fc76ad8e6ea545e449df3e3cda90a91eca9859c1eb04d0d8015dd117eaca83df51e70c46477ef9449599a72948b6e787d5a51aa733729b7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9a1fee73bbabf615efe795b0e23b708e726fe2a8b9303ead84988e9f28c3a16.exe.exe

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
C:\Windows\rundl132.exe

Filesize
27KB

MD5
197c989de5ac7908f2d316404cb84a07

SHA1
d1dae3498db6c1b6fad51faadf8cede9af544e0b

SHA256
619bd3af03d3e7dca486da54b01733d77aa3c4cc404a2b9d1c2bab1ee335af24

SHA512
039e5754edac6eefefa8b5c6a8600a3e3fb6f8bb2470fff57b0d53cc483da17be8b3688fbc5b26112726816c3f28c74596e85c3e4411cfc310abb1c77d230540

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\_desktop.ini

Filesize
9B

MD5
76853822695e9314b90b205b5517a435

SHA1
de6e48d84826cfcd19abbaa1ff3daddc8d825fbf

SHA256
477608616359abe01b8ca52b48468a243766d1cc1569a285e6060139e5cd91d7

SHA512
74fec6d54ce20fe2ae6ccf59b4fdf8b36d7e03b0576e7c6633c34ae3ceb7d2a0e0e36204cb76956e306ae263a779431df59aeb175a0a56750832c71a8fe98783

Download Submit
memory/844-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/844-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1196-29-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2364-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-724-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-1874-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-2482-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-3334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download