f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe
Size

5.7MB
MD5

a814aa6131dc962f4fb291c787b682f3
SHA1

a7088f874b88a6e06a48f924bf2aa11e884e4f13
SHA256

f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d
SHA512

7b98bb10ce15b0eddf366a766c691935d95957a842ae8f9149d9dd53ad2e1a97b30d83affbb45018b14909e5e7750789ca587ff3f0fa17a76f4b4df27cd46be7
SSDEEP

49152:GPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:YKUgTH2M2m9UMpu1QfLczqssnKSk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
292	Logo1_.exe
2772	f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe

Loads dropped DLL 1 IoCs

pid	Process
2556	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmprph.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Install\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe
File created	C:\Windows\Logo1_.exe	f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
292	Logo1_.exe
292	Logo1_.exe
292	Logo1_.exe
292	Logo1_.exe
292	Logo1_.exe
292	Logo1_.exe
292	Logo1_.exe
292	Logo1_.exe
292	Logo1_.exe
292	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2556	1040	f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe	30
PID 1040 wrote to memory of 2556	1040	f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe	30
PID 1040 wrote to memory of 2556	1040	f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe	30
PID 1040 wrote to memory of 2556	1040	f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe	30
PID 1040 wrote to memory of 292	1040	f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe	31
PID 1040 wrote to memory of 292	1040	f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe	31
PID 1040 wrote to memory of 292	1040	f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe	31
PID 1040 wrote to memory of 292	1040	f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe	31
PID 292 wrote to memory of 2440	292	Logo1_.exe	33
PID 292 wrote to memory of 2440	292	Logo1_.exe	33
PID 292 wrote to memory of 2440	292	Logo1_.exe	33
PID 292 wrote to memory of 2440	292	Logo1_.exe	33
PID 2440 wrote to memory of 2480	2440	net.exe	35
PID 2440 wrote to memory of 2480	2440	net.exe	35
PID 2440 wrote to memory of 2480	2440	net.exe	35
PID 2440 wrote to memory of 2480	2440	net.exe	35
PID 292 wrote to memory of 1252	292	Logo1_.exe	21
PID 292 wrote to memory of 1252	292	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe
  "C:\Users\Admin\AppData\Local\Temp\f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBE02.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe
      "C:\Users\Admin\AppData\Local\Temp\f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe"
      4⤵
      Executes dropped EXE
      PID:2772
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
30bff846494ca412fc500f2f9ede0b5d

SHA1
455b6701bd389d7298bbc142cc77731a63c4fd80

SHA256
f39618de808174d224e7f458adc7e1220f1c024d25d295fc8d6aaad6f73431d7

SHA512
d225e78ef20eb4cae6fa47621a118ea24772b2d7a481735e0fc6c9a191fa30df5b9e3de280cd1f9f33e09a51bd45738c008c4ff68026c99aee6480191cca542a

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBE02.bat

Filesize
722B

MD5
0871ab19daf27d16037e7155ddf560a8

SHA1
32344b829869b8c524c529f6a2d165284549a15d

SHA256
14284e375da24506100fe65905ded5af025863cbe570dda400832d3f076d4741

SHA512
9eed25d9e908b841a3f4edc431fef05629cc95c8bee73e849358b3d6e94af77b6c7ef49eec2e8bdc0b8cd94835ab8c460e55c7a672a9bc6023beae8a1eb6be15

Download Submit
C:\Users\Admin\AppData\Local\Temp\f323939b4735cd1ab29983151baf96973ae5c7bd84a520ceb1d5f741a672b11d.exe.exe

Filesize
5.7MB

MD5
ba18e99b3e17adb5b029eaebc457dd89

SHA1
ec0458f3c00d35b323f08d4e1cc2e72899429c38

SHA256
f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

SHA512
1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
4021e95f53a46471094fb2b6922b0093

SHA1
fc0244446084e4b0aab07d360833f879525a65d5

SHA256
b40765ce00f6d00c86e0db93742528d876ac7b4ccaca14b7fc5f19f933ad527c

SHA512
4c73f144b7a5d95d3baf8bab52b7a4d25ccb373c2b6cbe4fc138bdb5ef358ca035e9261ff82f4705a47dfb77745a58f98b91b5e7fba1547d0a742f506573f361

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/292-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/292-629-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/292-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/292-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/292-3337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/292-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/292-2038-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/292-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/292-1877-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/292-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1040-16-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1040-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1040-41-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1040-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1040-18-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1252-31-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download