ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe
Size

52KB
MD5

8e292fad26fb924c8449c326b876919d
SHA1

968348980f7ae2de50cf33988efa2ab640955179
SHA256

ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440
SHA512

5df10465ae21ba23c2d47cdd54102ef10cfc2b500001f3e593bc3eafcc43b7b8936fee19fa4d43b4d81bdac7ed0cbb89a95e85024910e67bcfe13d8cb7cb6c51
SSDEEP

768:p5GQ16GVRu1yK9fMnJG2V9dHS85qgt6jpYU5ltbDrYiI0oPxWExI:p593SHuJV9NP6jWWvr78Pxc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2132	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2184	Logo1_.exe
2160	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe

Loads dropped DLL 5 IoCs

pid	Process
2132	cmd.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Uninstall Information\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe
File created	C:\Windows\Logo1_.exe	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2132	1768	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe	30
PID 1768 wrote to memory of 2132	1768	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe	30
PID 1768 wrote to memory of 2132	1768	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe	30
PID 1768 wrote to memory of 2132	1768	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe	30
PID 1768 wrote to memory of 2184	1768	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe	31
PID 1768 wrote to memory of 2184	1768	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe	31
PID 1768 wrote to memory of 2184	1768	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe	31
PID 1768 wrote to memory of 2184	1768	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe	31
PID 2184 wrote to memory of 2864	2184	Logo1_.exe	32
PID 2184 wrote to memory of 2864	2184	Logo1_.exe	32
PID 2184 wrote to memory of 2864	2184	Logo1_.exe	32
PID 2184 wrote to memory of 2864	2184	Logo1_.exe	32
PID 2864 wrote to memory of 2840	2864	net.exe	35
PID 2864 wrote to memory of 2840	2864	net.exe	35
PID 2864 wrote to memory of 2840	2864	net.exe	35
PID 2864 wrote to memory of 2840	2864	net.exe	35
PID 2132 wrote to memory of 2160	2132	cmd.exe	36
PID 2132 wrote to memory of 2160	2132	cmd.exe	36
PID 2132 wrote to memory of 2160	2132	cmd.exe	36
PID 2132 wrote to memory of 2160	2132	cmd.exe	36
PID 2160 wrote to memory of 3000	2160	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe	37
PID 2160 wrote to memory of 3000	2160	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe	37
PID 2160 wrote to memory of 3000	2160	ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe	37
PID 2184 wrote to memory of 1268	2184	Logo1_.exe	21
PID 2184 wrote to memory of 1268	2184	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe
  "C:\Users\Admin\AppData\Local\Temp\ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB7DA.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe
      "C:\Users\Admin\AppData\Local\Temp\ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2160 -s 124
        5⤵
        Loads dropped DLL
        
        PID:3000
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
576f46118027bdc1d7c8e8be75fb64c4

SHA1
661955a312849b675e85a66c15b41b163f2886a3

SHA256
a509a22398e49890b21ed2a4ef0811a77279c475771c7bced27b5ee9ef957e5c

SHA512
2227a3807baa854f1d36f742285a12bb0359779c3533ea932cf3481bbfe4a2887aabf316438fd5511506e3746dbef8ebfec299ef66c3fbae08763d8039464771

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
81e51673a97afb89c6762e25450e0afa

SHA1
63756c6fbc59b14d69aad2d9f6ec8a76161f8882

SHA256
ca803738679f2d4b2b0e993df8a2b069cd61043981d0f15e56c6270063b4327f

SHA512
0fb8a3eb57004d98ffab71aecc73724a077e796de3d723010f4afe241cd15c0e886d07a12b9927495c5b845bd50e6b4b491d611935b43b10f3fbe4b2d45e2ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB7DA.bat

Filesize
722B

MD5
3a13334c002e69b9533d0991c78cbe01

SHA1
9ec61fdfd468a150ae51c0bc8a8df33e4db6675b

SHA256
62841d097ad34d17e20851eca878341cc1f383e5c768bc509591e7ab709b1821

SHA512
3419cd0fac09f3bf677003af35b8994bdabc8d952daec31dd29a638336ba8d34b80db0dd4fbf3bbf53c6ed01d55f2f6a778cfea866406a062ce6078430095d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe.exe

Filesize
23KB

MD5
3f9dbfee668294872ef01b90740b01d0

SHA1
99a4702b65485cd14736b1c2cdfb81b455dda01c

SHA256
40b32fea1fcadcb2db369475e2bba58b0b83f5c3bb647e2e63877726c35a9f86

SHA512
0113cec160d97ea0cce70860cc5b79b502d16191ee237a3abb84309499be193aa0127dbcb41fc05a90fa61484b061ec4332ad29a918db598e32fe832b74bd1e3

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
a138bbeeec7d59fbd516ef0237d829c6

SHA1
e32be6ab403d2f1af197ec5543e0142320078a2a

SHA256
046edb4bab763c08349077cc670cdfe5eaf12056913bdd6a0beb4acfe7e93e8f

SHA512
458ff81f98d79b44edf27d2b0b981d33e9678270dd206ac59ed0333a0f2535dd7062b75e56dbe5976fc80d67c89460278eec982b025743d9465fe5360119879c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/1268-33-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/1768-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1768-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-50-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-102-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-1216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-1879-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-3338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download