1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe
Size

1.8MB
MD5

60b10a4af07682a0ca724035f5a25a0d
SHA1

84122cff45661974b7c03237e6162ee57616640f
SHA256

1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f
SHA512

dd18725c1e7ea3e3be9117887a4e7b6d299702f17844ab1c884c16be7f17cf955fa54ea3c1d7bf8558b51cac0461b0b040b9af8da127a8b6f620efc362299d88
SSDEEP

24576:t7lcLHGGDQlGxWKGN/F8e0a5UW+e4byRvJGkn/VRGdeT+V0R:t7lWW97TeBsGkn/VkiU0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2228	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2544	Logo1_.exe
2736	1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	cmd.exe
2228	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\CrashReports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sidebar.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpenc.exe	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe
File created	C:\Windows\Logo1_.exe	1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe
2544	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2228	1288	1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe	28
PID 1288 wrote to memory of 2228	1288	1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe	28
PID 1288 wrote to memory of 2228	1288	1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe	28
PID 1288 wrote to memory of 2228	1288	1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe	28
PID 1288 wrote to memory of 2544	1288	1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe	29
PID 1288 wrote to memory of 2544	1288	1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe	29
PID 1288 wrote to memory of 2544	1288	1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe	29
PID 1288 wrote to memory of 2544	1288	1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe	29
PID 2544 wrote to memory of 2260	2544	Logo1_.exe	30
PID 2544 wrote to memory of 2260	2544	Logo1_.exe	30
PID 2544 wrote to memory of 2260	2544	Logo1_.exe	30
PID 2544 wrote to memory of 2260	2544	Logo1_.exe	30
PID 2260 wrote to memory of 2288	2260	net.exe	33
PID 2260 wrote to memory of 2288	2260	net.exe	33
PID 2260 wrote to memory of 2288	2260	net.exe	33
PID 2260 wrote to memory of 2288	2260	net.exe	33
PID 2228 wrote to memory of 2736	2228	cmd.exe	34
PID 2228 wrote to memory of 2736	2228	cmd.exe	34
PID 2228 wrote to memory of 2736	2228	cmd.exe	34
PID 2228 wrote to memory of 2736	2228	cmd.exe	34
PID 2544 wrote to memory of 1196	2544	Logo1_.exe	21
PID 2544 wrote to memory of 1196	2544	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe
  "C:\Users\Admin\AppData\Local\Temp\1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9434.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe
      "C:\Users\Admin\AppData\Local\Temp\1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe"
      4⤵
      Executes dropped EXE
      PID:2736
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
12f3b8d191112f1a2bb95cfd7bee23b1

SHA1
d94f507ea727297135f9bf008d6efe6eb86f6f22

SHA256
2e172398cde965d531116947949d660d2edb9a99eacbd4148a300daa6baa06cb

SHA512
a87d51fe42ae1d8c8a88b8bccf2abf4481c07b2beb0988faaa58b58323a67eb23ed7138aca6a390ee714cee63322f47f98ff0ccf8f7bba65bd0b88644821d07d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9434.bat

Filesize
722B

MD5
16f99e4fa63735e4fc54fde79b1c6180

SHA1
e1535228033117420be3c64a51632f2720ae8406

SHA256
88949f6614a13573016bf7a5285696669ebd662755a673df21f8f5e483123233

SHA512
fc0619e8b46cce5148b2cdcfeaf77a408ec60e028cf5391d3ba5dba517155ef317228bdaf725e9067830528a52542bc18979227dbca70a3a2486e719d6f424df

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d3b2253f7c55bce891fc5b2133880437d46632b1a856b9d5fe8803c738e8b7f.exe.exe

Filesize
1.8MB

MD5
5bba2c03ebe6eacec539e80718a7584d

SHA1
1f7ea60cfb661395e70da7b005dfbb1de5cc514e

SHA256
594367491de1ed61fb3e87876a211d942a13f2e75862436cb68b2173788bc887

SHA512
fbdc107b8eb021f1627c8970ecfa8bd00c5db0aed592f0c57def4f0bdee3bb74e857571238c21acbf3a08065230d8d2fc8288aa76440511c281e351ef2116310

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
86388f01ef5edd8fcb17e03ac469f128

SHA1
2d3d227bdc7837933200e3ac0a72f516c4bc783e

SHA256
542449f63c2a4f3155e7710424ff31b6cffa821f3c8019ccf6c794a46a66c571

SHA512
cc9abfb0a73783ad25b52335710bf4f625d3e44c9eb46ea05826b7f0eacaa8a9e50aba270273110b59a3ab3cbcc5d6620c8f732dba3057ab1d9f3960049996bf

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/1196-32-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1288-17-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/1288-16-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/1288-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-1538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-1880-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-3339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-37-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/2736-30-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download