Analysis
- max time kernel: 150s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 19/07/2024, 06:58
Static task: static1
Behavioral task: behavioral1
- Sample: d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe
- Resource: win10v2004-20240709-en
General
- Target: d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe
- Size: 30KB
- MD5: af9753edb24301e7d8642170f72f7b3d
- SHA1: 999f06323e4815f3bc4ad663e2f5100004d77399
- SHA256: d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99
- SHA512: 4069220af9249fd2af16170211e36e7fdb6f319c60410fb5131a4cc6930a06c4b8042dc7550382d02cd01b05da3ec9632f0ed99ff110d61aff7f7956e98e72e5
- SSDEEP: 768:0f1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoZwaW:0NfgLdQAQfcfymN+
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2592  Process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 588   Process Logo1_.exe
  pid 2784  Process d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe
- Loads dropped DLL (1 IoC)
  pid 2592  Process cmd.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\L:, \??\E:, \??\Z:, \??\M:, \??\N:, \??\J:, \??\V:, \??\P:, \??\H:, \??\G:, \??\Q:, \??\I:, \??\W:, \??\U:, \??\T:, \??\S:, \??\R:, \??\O:, \??\Y:, \??\X:, \??\K:
- Drops file in Program Files directory (64 IoCs; Process for every entry: Logo1_.exe)
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe
  - File created: C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini
  - File created: C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini
  - File created: C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\skins\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini
  - File opened for modification: C:\Program Files\DVD Maker\fr-FR\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini
  - File opened for modification: C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini
  - File created: C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini
  - File opened for modification: C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\am_ET\_desktop.ini
  - File created: C:\Program Files\Windows Journal\de-DE\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini
  - File created: C:\Program Files\Java\jre7\lib\management\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  - File created: C:\Program Files\Microsoft Games\Multiplayer\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\_desktop.ini
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\_desktop.ini
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe
  - File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini
  - File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini
  - File opened for modification: C:\Program Files\Mozilla Firefox\browser\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Media Player\_desktop.ini
  - File created: C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\_desktop.ini
- Drops file in Windows directory (4 IoCs)
  - File created: C:\Windows\rundl132.exe (Process d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe)
  - File created: C:\Windows\Logo1_.exe (Process d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe)
  - File opened for modification: C:\Windows\rundl132.exe (Process Logo1_.exe)
  - File created: C:\Windows\vDll.dll (Process Logo1_.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 588  Process Logo1_.exe (10 identical entries)
- Suspicious use of WriteProcessMemory (22 IoCs)
  - PID 1328 wrote to memory of 2592 (Process d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe, procid_target 30), 4 entries
  - PID 1328 wrote to memory of 588 (Process d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe, procid_target 31), 4 entries
  - PID 588 wrote to memory of 2764 (Process Logo1_.exe, procid_target 33), 4 entries
  - PID 2764 wrote to memory of 2816 (Process net.exe, procid_target 35), 4 entries
  - PID 2592 wrote to memory of 2784 (Process cmd.exe, procid_target 36), 4 entries
  - PID 588 wrote to memory of 1188 (Process Logo1_.exe, procid_target 21), 2 entries
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1188
   2. C:\Users\Admin\AppData\Local\Temp\d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe"
      PID: 1328
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA267.bat
         PID: 2592
         - Deletes itself
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe"
            PID: 2784
            - Executes dropped EXE
      3. C:\Windows\Logo1_.exe
         Command line: C:\Windows\Logo1_.exe
         PID: 588
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net.exe
            Command line: net stop "Kingsoft AntiVirus Service"
            PID: 2764
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\net1.exe
               Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
               PID: 2816
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 251KB
  MD5: cd747b331519ffcc6805e37da9d18557
  SHA1: 2f325060de25fd11643e65c5c2d4c270ea698213
  SHA256: 8ffc8a2d08b441ca06abd0ff43de7173627fd14851a4692abc05337f0705b138
  SHA512: 5914f3ae245c35bb2db544e1ebfc3ad13d0b8166115eb331cf673071e4f7f4a5048f9138545c9e795bf32ef22dcf3af002594b24d572e9fa8eff11e412b11873
- Filesize: 471KB
  MD5: 99ea9b604a7a734d3087fa6159684c42
  SHA1: 709fa1068ad4d560fe03e05b68056f1b0bedbfc8
  SHA256: 3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c
  SHA512: 7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb
- Filesize: 722B
  MD5: 5fc568df02d3c92361774a3de9921e6a
  SHA1: a087f536be99a1c98c34ee08214ba88600b7f346
  SHA256: 9c74f0275445945f4f455a7fae9e4ced94bb71bb83ec7f758e7ebccb483e8c0c
  SHA512: 663199b5eaa7c00bc3e8f20bf54bc105c73b95171df7a86c60062273876027202bc65de5b85ef314d6820783c7cb1b00a14753d1f24f78263099e1d4fe09bcde
- C:\Users\Admin\AppData\Local\Temp\d860aafb9c03cacf572ac7a1d6e22ab8996bbfe39374ad2029e2406089fdbf99.exe.exe
  Filesize: 4KB
  MD5: b7d959f6f32038c3e13bcff7e4286428
  SHA1: d22222044057a0008e1f00e570a56e940eedcb28
  SHA256: 5d6c94f6ddf0ba84f9cdb9cb20758bbf4a01aa29e64b8ea6c3247eef0a885954
  SHA512: 0e64077e9bdd9f62f4746ec9737e046d37a50820b4246f30fac4181124f17e394b8a7e593c250af503e0aa8c338689d04d7a1ff30b85859a1314bf94fd8a3eb3
- Filesize: 26KB
  MD5: 1db2d1075a960d9a5c56f4b822cb985a
  SHA1: 417113208e3467d81239a961ffd7bf3dd419a852
  SHA256: d098a0b2b602f4b516a6311d99f33b2c18d410e8f3c126a023f540272474d790
  SHA512: 54215acd66a9ee27349f9c2fe23fd07703e887900c05bd91875681ff29b0ecc8627d4e17861f06290dd924c3c5672b22d3fd839103921d7363cfed649b8ee144
- Filesize: 9B
  MD5: 1368e4d784ef82633de86fa6bc6e37f9
  SHA1: 77c7384e886b27647bb4f2fd364e7947e7b6abc6
  SHA256: 57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772
  SHA512: 3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b