7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe
Size

9.3MB
MD5

d2b1541ff598446f3f09148afe8c47b9
SHA1

1804af94038499102571ec048953f6304251ea36
SHA256

7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543
SHA512

d9d2cca702750094b9a386e4ef41c21be52255e1c1d5e50d99b65831d0f5f1f5a5f0b63986ecebd0a434ba0ccbf8f5efa088091f513f7dbece529f8709f46ba1
SSDEEP

98304:pxfZeZiONXe0cK7jfI60f8BYNg3kQVLPXnmGLH376+MyUXnby:pNZekOte0cifXmZNg0ILPXnmGDm3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe
File created	C:\Windows\Logo1_.exe	7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe
2884	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2896	2840	7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe	30
PID 2840 wrote to memory of 2896	2840	7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe	30
PID 2840 wrote to memory of 2896	2840	7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe	30
PID 2840 wrote to memory of 2896	2840	7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe	30
PID 2840 wrote to memory of 2884	2840	7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe	31
PID 2840 wrote to memory of 2884	2840	7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe	31
PID 2840 wrote to memory of 2884	2840	7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe	31
PID 2840 wrote to memory of 2884	2840	7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe	31
PID 2884 wrote to memory of 2640	2884	Logo1_.exe	33
PID 2884 wrote to memory of 2640	2884	Logo1_.exe	33
PID 2884 wrote to memory of 2640	2884	Logo1_.exe	33
PID 2884 wrote to memory of 2640	2884	Logo1_.exe	33
PID 2640 wrote to memory of 1488	2640	net.exe	35
PID 2640 wrote to memory of 1488	2640	net.exe	35
PID 2640 wrote to memory of 1488	2640	net.exe	35
PID 2640 wrote to memory of 1488	2640	net.exe	35
PID 2884 wrote to memory of 1208	2884	Logo1_.exe	21
PID 2884 wrote to memory of 1208	2884	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe
  "C:\Users\Admin\AppData\Local\Temp\7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6A67.bat
    3⤵
    - Deletes itself
    PID:2896
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
a8b7c1ba4c500c2cb687c7f4bce018b0

SHA1
a783e6dbfe3bd45cfa6cbc28762cf0797fd836a3

SHA256
bfa9ecf007c5465a62a61aba5e2e877d368fb5244d8cc33cc5fa55cb4ded96fd

SHA512
65a295d88cfce62d37da55e616c702e16558d25dcd1f1c1935061e5889fb8a3b63209d5e3ecd809bf22c7c71bbb68c85a6bf77d044297ba56215ff60a5a8ca53

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
17e5de36cf448d652adab881a4557ec2

SHA1
c45337444120f4cc4a9a65b2bee63cd61618ca2a

SHA256
32568fb07078e0d4e77efac9ad862454dba63de5c5f920d9a14de709372f2430

SHA512
22678c9ca2d70d9a3377d1f2c6c91d7649adcaccee564acdf1bd6373e60f13f6e21fc09feed5b590475889996287961a1450542741ef0888a4a0b5e9c9812b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6A67.bat

Filesize
722B

MD5
21ebf4301416a5232888dd6a6b4610c3

SHA1
bb667848d4f98888062f7edf6aa978a1bcb757b9

SHA256
11338071f85ee32f8948a57f9cf3b0a298efde8c465596839bf4613b17d2b438

SHA512
b005ddcae1bb00b3f72dad6bd3633cdc2b3f48fb65423ace60b0dd84c770cf1a184d2bc4d6309140b54236048886417a7f1f4f6652c1101abe6a9ad134ca7c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f022228f3f2c00afdb223ab4a2019df589c5d0b3f4613d0601ecf1b18306543.exe.exe

Filesize
9.3MB

MD5
b86f86ef5c09df3336638ad99b7c0c0f

SHA1
0428ad68c4dd86cebf917582d9de21ad2bdac97f

SHA256
3ef229a273ff767f0dbc891329fa906455e8f696beb5b6611efe9d6f657d7ced

SHA512
cd3ef6725bbc15c2090f3eee10af01766030a428ec39e8dab8f0174961e9aaef1a573fdbba3f7db0e251c5888a83b701cfab8055b28c30474405c2b00e826f97

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
4802c5016b56d4a1f24c8d16866fcc23

SHA1
f05497539ede5715a7256ac7c1dab625fe73b0a0

SHA256
3bc455ad00bba41a9bac61e589f52498152b8826eadfb793429a5de2df4bd26e

SHA512
2ceda43de11f621b40060f43f344bf4e933bd85069414000dffd1b08f6b4ef9a2e57c2a6b7ba232a4d1ad3e50b6018e7eb526afbc48b01f190244ccb03d5eb21

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/1208-63-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/2840-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-75-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-873-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-1910-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-2020-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-3370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2896-57-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download