1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/07/2024, 23:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe
Size

393KB
MD5

32773f8fd6050b46d67d72ec4daf2f39
SHA1

ea9e18a70b8bf11c59a5c809c07edb03bb52a00c
SHA256

1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375
SHA512

a5ee10c0cdcb91ba8bd9d38fe23c8e8106a1b6eee9a2c9b3614a7512e14ffc214800039587922caeb5f786030fc6495a8b712f1cd41119d353897b31c3c05908
SSDEEP

6144:AuJxnDXYQ/BWJjmpgtBZQZKQj8p3jyb7HREd4SZ1tzLbF:rDXYJmSTZwYp32bY4qtDF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2488	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1408	Logo1_.exe
2856	1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Uninstall Information\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe
File created	C:\Windows\Logo1_.exe	1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe
1408	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2488	1984	1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe	31
PID 1984 wrote to memory of 2488	1984	1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe	31
PID 1984 wrote to memory of 2488	1984	1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe	31
PID 1984 wrote to memory of 2488	1984	1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe	31
PID 1984 wrote to memory of 1408	1984	1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe	32
PID 1984 wrote to memory of 1408	1984	1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe	32
PID 1984 wrote to memory of 1408	1984	1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe	32
PID 1984 wrote to memory of 1408	1984	1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe	32
PID 1408 wrote to memory of 2292	1408	Logo1_.exe	33
PID 1408 wrote to memory of 2292	1408	Logo1_.exe	33
PID 1408 wrote to memory of 2292	1408	Logo1_.exe	33
PID 1408 wrote to memory of 2292	1408	Logo1_.exe	33
PID 2292 wrote to memory of 2820	2292	net.exe	36
PID 2292 wrote to memory of 2820	2292	net.exe	36
PID 2292 wrote to memory of 2820	2292	net.exe	36
PID 2292 wrote to memory of 2820	2292	net.exe	36
PID 2488 wrote to memory of 2856	2488	cmd.exe	37
PID 2488 wrote to memory of 2856	2488	cmd.exe	37
PID 2488 wrote to memory of 2856	2488	cmd.exe	37
PID 2488 wrote to memory of 2856	2488	cmd.exe	37
PID 1408 wrote to memory of 1220	1408	Logo1_.exe	21
PID 1408 wrote to memory of 1220	1408	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe
  "C:\Users\Admin\AppData\Local\Temp\1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEDA9.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe
      "C:\Users\Admin\AppData\Local\Temp\1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe"
      4⤵
      Executes dropped EXE
      PID:2856
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
e298ded38c899ae1f61fb97dc5e9bfdc

SHA1
06a0037f8de58600fc61f5a731fde84158b08830

SHA256
e0677d7b8be5c75da83b52fc5179f211efcd05f4f4233233a4bf43b77ceb8f32

SHA512
da5a40db008b00ead658194af17b75406a7b4ae96af06ef72c87a30037ab1208041d7ee7ae6c52984a45c9fb65012f2467fa8be88dcef23e4fab23d4f666b8d3

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
ff973db02a999ecbc9be9bb33499796d

SHA1
2fadc83cfc56463a638456cb4cf77be605793a9f

SHA256
bf3b2ca265dc1f3583cb5276da1f4c83404d5f547919d17d7bd4c328071507dd

SHA512
fb673f91884b3eb805809887432ac810c4d525db0bc5c1f7103b14e3d62284fb25e122c7e957981d864b699fb005e34d0c5583ac80436ecf673f22704d4e5ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEDA9.bat

Filesize
722B

MD5
40affd59dba68a3df0c79b93352637df

SHA1
35368b7b768a3ce58ea1f9ffd954e83378c54da0

SHA256
0b53658217d500697ff29a357cef0ea39e36e9da5896c3363ff2b8ce85b40b4c

SHA512
b1437c6d79912283953bc50c60580df9a7e89cb8ae69e5c51b4b1e0dba3593c2a5e2d48f8f82e147be5afc3428f94434911ec67fca10cab23bcf3de4747a1ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1de57f0180e5ea10fd664a46b9bbb57f207ffe7a0d5f859c2b21a2f50e08c375.exe.exe

Filesize
364KB

MD5
213eeb5e8f54231f68e5b26a0fc81bd1

SHA1
1bc31a42536eacbb57d1cd92ec4b5524a82264d2

SHA256
b309045509efc205eb35d6037d64640093fde6c54ec5934e329b447417005a50

SHA512
ce35c5f453126c98329df141f821c55692f9252549c76921c231d8170df356cda1689e636758519c0b6898f11b5c836cdb4967d296b99f915e4d1980470a083b

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
b938b3b5eeb9962908ab443e79cdb91d

SHA1
33f55a3f58f055862f72ad9c439fdc706176cdff

SHA256
3a6b8afb955bb49b1c82ce5ff988f8e382fa764fd8c4ed89deedbfd94dbd954c

SHA512
c1172a96991bbe0351271adda5e1ac7069c86c4900ac6b7e36305f7c438e092eeb1cc27c5b7d81c8baa08e5e466cabcb903df4d9b5bc6c7d8258cf8a9ff7298a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-940600906-3464502421-4240639183-1000\_desktop.ini

Filesize
9B

MD5
2d55518fd017e47e3d2fdb1499f0a0cb

SHA1
5e0e91cf08f4b70c94d582ee42471bf8ff44c6ff

SHA256
d615830656bcceecc6fa1159903a379b6e729160ef16ceff51d5c27d2540e52d

SHA512
d689aad66c472ce7380828a7363d8626c99dc7025828ccc8f69701e3659e176cf0aa50cfc69d4d813986d823a2075067195b35843f16c1144e6d74094916c2ee

Download Submit
memory/1220-29-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/1408-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-748-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-1873-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-2259-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-3333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1408-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1984-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1984-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download