dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe
Size

2.1MB
MD5

14bdd80a78d22e859f3beabfdfec953f
SHA1

c2db58a2f591e676c6675cc660980dbd4f6eb3e9
SHA256

dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766
SHA512

9757601bd8aeef1debf85556c98c5e28b6104c446393d0c51a6c35407df2ad6970d6a7568644a8159e4bb245a6c91dcb4dafa8e20e1900ca228a17ff6c8c829e
SSDEEP

49152:YOoP/iZtI3UL5tj1XUNgASK4CTfVf1WZ62U//of6VwcNc+0eW3hz/1bmgZO:7oGY/orcUnu

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2820	Logo1_.exe
2720	dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe

Loads dropped DLL 1 IoCs

pid	Process
2804	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe
File created	C:\Windows\Logo1_.exe	dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe
2820	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2804	2212	dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe	30
PID 2212 wrote to memory of 2804	2212	dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe	30
PID 2212 wrote to memory of 2804	2212	dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe	30
PID 2212 wrote to memory of 2804	2212	dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe	30
PID 2212 wrote to memory of 2820	2212	dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe	31
PID 2212 wrote to memory of 2820	2212	dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe	31
PID 2212 wrote to memory of 2820	2212	dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe	31
PID 2212 wrote to memory of 2820	2212	dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe	31
PID 2820 wrote to memory of 2688	2820	Logo1_.exe	32
PID 2820 wrote to memory of 2688	2820	Logo1_.exe	32
PID 2820 wrote to memory of 2688	2820	Logo1_.exe	32
PID 2820 wrote to memory of 2688	2820	Logo1_.exe	32
PID 2688 wrote to memory of 2864	2688	net.exe	35
PID 2688 wrote to memory of 2864	2688	net.exe	35
PID 2688 wrote to memory of 2864	2688	net.exe	35
PID 2688 wrote to memory of 2864	2688	net.exe	35
PID 2804 wrote to memory of 2720	2804	cmd.exe	36
PID 2804 wrote to memory of 2720	2804	cmd.exe	36
PID 2804 wrote to memory of 2720	2804	cmd.exe	36
PID 2804 wrote to memory of 2720	2804	cmd.exe	36
PID 2804 wrote to memory of 2720	2804	cmd.exe	36
PID 2804 wrote to memory of 2720	2804	cmd.exe	36
PID 2804 wrote to memory of 2720	2804	cmd.exe	36
PID 2820 wrote to memory of 1212	2820	Logo1_.exe	21
PID 2820 wrote to memory of 1212	2820	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe
  "C:\Users\Admin\AppData\Local\Temp\dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFBAD.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe
      "C:\Users\Admin\AppData\Local\Temp\dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe"
      4⤵
      Executes dropped EXE
      PID:2720
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
bc108c29e92cf4fae14d6db05637a1c0

SHA1
c4803b03d1849e50a937ed4d183269528a0deec7

SHA256
ecef36a3738bc05dafc98acfed4c57dc324b804898dc4dea594f785e583916af

SHA512
1ae7f5ae357865bcb6461333b3592cb52ba2d5d253ac8ee11bc7599cba2aa11b45ef656faa985640118e19939f818bcb0bee92f70f23766c397a99dcb737f6d9

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
f9fc019eacb573ec828d2d9ff6a48318

SHA1
b91958dc8d178b6eeb35e829bab84d0fb12c2280

SHA256
bf9ba3df2bad76d15f4efe42c0c59f37b9454907958892df8ab996552658934e

SHA512
998ba7bc7cdd5df3e1acfda6f4f92ec9d27732e1e182177dff310f3c918f3be99626a3526bebdff5bb7eb980640434baf56e0f08bfd125168c0a9e37e7239305

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aFBAD.bat

Filesize
722B

MD5
12d58d9748e9c4a8e6742847ad106217

SHA1
a471f72beeb0ea419dd50354a5174d3b8ee37fb0

SHA256
9ae48bb030f44cd52a5fc733b1e775b5bfdc6815a0d26c7713d37306f379f8b2

SHA512
b6dc6f43fff9b716c6a826154f26f812e05fead7896b3e5a76f3d16cc307b8afa44b1c595ab566e0cfb42b2895bb989e0fc5a0dbb88c94d9e79f15b8a8378bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfb7b44bb0d17ea8e1041fd012fc5c89a6d1d7c10fe7a7805c0134a07e7b6766.exe.exe

Filesize
2.0MB

MD5
4b588fa7bdaa08909d3dc972eaf57f99

SHA1
abf382f8cf34117b8ceffbd855bcddc3f13ab5bc

SHA256
a0b3cc4b54ca1f7c488984ad15953874bee19698fd235db8478a907777ba7953

SHA512
957ed4c030266a9447ff74eb0769bb586468117a6df84db619bc98d50c5fc873899c1c4bbca03ccd0532f4a50d7dde33a27164ee4e300cc58bea86b8e38a84a4

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
06479588faccf09230d80eeff6a0f558

SHA1
142ac2edd0c11583d9780872a945adf460384adb

SHA256
0d7f3fa5542d49ea4691ab0a3bc7ff8be10cbdecbe33d0fb74714b8f821c783a

SHA512
fb2b014d1f41a0a2e107571bc943ecee25d1e1c3797be189c191a64093bd5e7e80c1ed5df1f9fa76130c3f8ddf312e02bbdf7cd5a68ee409a5f6c7cd9b4b23e1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-940600906-3464502421-4240639183-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/1212-31-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/2212-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-17-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2212-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-787-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-1875-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-2862-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-3335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download