03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe
Size

244KB
MD5

2828638fc1c23a51f16d6556a8b5e3af
SHA1

4e3e41821ffd6f42c8317fe421fc08e9054559bf
SHA256

03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c
SHA512

dc812937bec06af35346257540573dfa1e7e51d2766450a554013a3b2f90d5dcbcfee838d2ee5952fb37dd3209b5e2776ef02f61520942a6ca54a216ca106c4f
SSDEEP

6144:cVfjmN9qml5a6EdkQxiUmRQColKGAOPQK2GwIgfx+qSfF0:e7+Uml5a6EdkQgUmR7G9QK3wJx+qSfF0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2020	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1352	Logo1_.exe
2644	03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe

Loads dropped DLL 1 IoCs

pid	Process
2020	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe
File created	C:\Windows\Logo1_.exe	03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1352	Logo1_.exe
1352	Logo1_.exe
1352	Logo1_.exe
1352	Logo1_.exe
1352	Logo1_.exe
1352	Logo1_.exe
1352	Logo1_.exe
1352	Logo1_.exe
1352	Logo1_.exe
1352	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2020	1948	03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe	30
PID 1948 wrote to memory of 2020	1948	03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe	30
PID 1948 wrote to memory of 2020	1948	03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe	30
PID 1948 wrote to memory of 2020	1948	03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe	30
PID 1948 wrote to memory of 1352	1948	03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe	32
PID 1948 wrote to memory of 1352	1948	03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe	32
PID 1948 wrote to memory of 1352	1948	03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe	32
PID 1948 wrote to memory of 1352	1948	03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe	32
PID 1352 wrote to memory of 1676	1352	Logo1_.exe	33
PID 1352 wrote to memory of 1676	1352	Logo1_.exe	33
PID 1352 wrote to memory of 1676	1352	Logo1_.exe	33
PID 1352 wrote to memory of 1676	1352	Logo1_.exe	33
PID 1676 wrote to memory of 2608	1676	net.exe	35
PID 1676 wrote to memory of 2608	1676	net.exe	35
PID 1676 wrote to memory of 2608	1676	net.exe	35
PID 1676 wrote to memory of 2608	1676	net.exe	35
PID 2020 wrote to memory of 2644	2020	cmd.exe	36
PID 2020 wrote to memory of 2644	2020	cmd.exe	36
PID 2020 wrote to memory of 2644	2020	cmd.exe	36
PID 2020 wrote to memory of 2644	2020	cmd.exe	36
PID 2020 wrote to memory of 2644	2020	cmd.exe	36
PID 2020 wrote to memory of 2644	2020	cmd.exe	36
PID 2020 wrote to memory of 2644	2020	cmd.exe	36
PID 1352 wrote to memory of 1228	1352	Logo1_.exe	21
PID 1352 wrote to memory of 1228	1352	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe
  "C:\Users\Admin\AppData\Local\Temp\03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD98.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe
      "C:\Users\Admin\AppData\Local\Temp\03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe"
      4⤵
      Executes dropped EXE
      PID:2644
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD98.bat

Filesize
721B

MD5
44bb1e5eb18aac81ac92e183510176b0

SHA1
c1e542dc241e135c43e39a85e3868c3f8dcc0648

SHA256
0cca1ebba8e4854016cb060e0f7ddbfe82fa7a854be719b6d9b6854bdc97f182

SHA512
17ffc13055c22060b842bf8b500662c2b828188c176bd59a2ea6928b68a70cbc5491d5e02bab357b6f757afe9c50976b533fd9f98a2fe732d79de2b8f5d70b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\03fddb5af843d31e16c50429d45552214a725769ccd53839fe3c3917adf58e3c.exe.exe

Filesize
217KB

MD5
021c57c74de40f7c3b4fcf58a54d3649

SHA1
ef363ab45b6fe3dd5b768655adc4188aadf6b6fd

SHA256
04adf40ba58d0ab892091c188822191f2597bc47dab8b92423e8fc546dc437ef

SHA512
77e3bbb08c661285a49a66e8090a54f535727731c44b7253ea09ffe9548bae9d120ef38a67dfa8a5d8da170dde3e9c1928b96c64dfc07b7f67f93b478937c018

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
5baaa7218d49b4357f4b6d043e6a9ee1

SHA1
53dd6fcaa614d3c83645842887d3374f442139b3

SHA256
1f9628abf48c70faa563f7567e75782c372a09caa4f9afd2d3d9757156fabe17

SHA512
b62675b8642357aac26b554c0a197995fb8ac2fe4f9936ee8af8da55c14951f8b856a1c94d3c1c470b98c016085c3782c0ead4403512511f7d9d6f56a7f13b66

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2172136094-3310281978-782691160-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/1228-30-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1352-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-1874-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-3334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-17-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1948-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download