45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393

Analysis

max time kernel
150s
max time network
20s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe
Size

88KB
MD5

872feeda0dd842b2faa66a7f0cba7a48
SHA1

a89b48f540510c7a6d88a5ec748bf27bdd69ee54
SHA256

45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393
SHA512

dc42388860cdba80fd46ea920df924965fe72f0a804b2279fbe36ac9c8c9a3c7a94f9cb77a2f3afbab86a3b346d632a25dd2d1393345f4240bfb0ab4f3e5e6c8
SSDEEP

1536:pJ3SHuJV9Ntyapmebn4ddJZeY86iLflLJYEIs67rxo:pJkuJVL8LK4ddJMY86ipmns6S

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2036	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2448	Logo1_.exe
3024	45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tt\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe
File created	C:\Windows\Logo1_.exe	45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2448	Logo1_.exe
2448	Logo1_.exe
2448	Logo1_.exe
2448	Logo1_.exe
2448	Logo1_.exe
2448	Logo1_.exe
2448	Logo1_.exe
2448	Logo1_.exe
2448	Logo1_.exe
2448	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2036	1712	45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe	29
PID 1712 wrote to memory of 2036	1712	45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe	29
PID 1712 wrote to memory of 2036	1712	45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe	29
PID 1712 wrote to memory of 2036	1712	45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe	29
PID 1712 wrote to memory of 2448	1712	45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe	30
PID 1712 wrote to memory of 2448	1712	45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe	30
PID 1712 wrote to memory of 2448	1712	45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe	30
PID 1712 wrote to memory of 2448	1712	45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe	30
PID 2448 wrote to memory of 2120	2448	Logo1_.exe	31
PID 2448 wrote to memory of 2120	2448	Logo1_.exe	31
PID 2448 wrote to memory of 2120	2448	Logo1_.exe	31
PID 2448 wrote to memory of 2120	2448	Logo1_.exe	31
PID 2120 wrote to memory of 2788	2120	net.exe	34
PID 2120 wrote to memory of 2788	2120	net.exe	34
PID 2120 wrote to memory of 2788	2120	net.exe	34
PID 2120 wrote to memory of 2788	2120	net.exe	34
PID 2036 wrote to memory of 3024	2036	cmd.exe	35
PID 2036 wrote to memory of 3024	2036	cmd.exe	35
PID 2036 wrote to memory of 3024	2036	cmd.exe	35
PID 2036 wrote to memory of 3024	2036	cmd.exe	35
PID 2448 wrote to memory of 1380	2448	Logo1_.exe	20
PID 2448 wrote to memory of 1380	2448	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe
  "C:\Users\Admin\AppData\Local\Temp\45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF7C7.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe
      "C:\Users\Admin\AppData\Local\Temp\45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe"
      4⤵
      Executes dropped EXE
      PID:3024
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
54d3a05979fe44a5a21b0c2947cf3ff6

SHA1
04afd636f094ca4517e459e7ab81dc4cceaae947

SHA256
8acb2c40e69bf0a088cd26657fae2da09a2d086e88067096f9bebc77f4516082

SHA512
e727d980520aff2beabf08ee3fa0a6ef2f6a825f40e71b027a4721f06e3f096057681d30d16940ac7fe7a2606008db51d72b745c479905b0218bdc0c1436a600

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
07f921c054538a3bebf429f5869296c8

SHA1
7413fb91523507562d36faf5000ef6413f1d0bf9

SHA256
9bb3c8862682b9322762cfbfd2c908bb76c918798c93161fc515c1b224f8ca70

SHA512
01f2a00dbae29e7a6e7e9944626e3161d9ce8371bab315d70dffbe8f6c755cf5d650ae9ff0a74d1176bd6fd0f4a229cf81e735a0403865c282334b7ffe04d67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF7C7.bat

Filesize
722B

MD5
c179cbe6213363f1323b48ad38a12f72

SHA1
1b86abf64f5f6c8a8155d6c237847392c47cc282

SHA256
a76b15e21f176e704901141ec1e3eee75a43dd7258495686e9a87f652e34eef0

SHA512
bd084b15fabf6b60b94d2f7975a39816a0d172556bd53960a415478ae2dfc34baa8e2bec3d4991fa1cb341b4da402abc5436d6bde17f893a5b5352456013de77

Download Submit
C:\Users\Admin\AppData\Local\Temp\45aa4ca3a7d1a7581b1a57f410da318f5cd7f7c3245de154672b4a9e6b4b7393.exe.exe

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
968fbfebdf34cc885e51e8bcaa182f2e

SHA1
91df1a0b7046e2eaef764223f16a5c9dee88afdb

SHA256
5f7bff7aecb05283cfb2d2c3675e507495f6e06200be3b0ab1e00f76f038a5ce

SHA512
28dfdbc55a467a9ff5ce094532246c2ae748b9473fa80ae7485249f0d3493549970e16df948ebfcb080b3e3e15a6b605aa491cbd36d2537ba2c99140eefcf065

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2172136094-3310281978-782691160-1000\_desktop.ini

Filesize
9B

MD5
2efce5174bcf8d378a924333f75e26ad

SHA1
4fe6e1d729b55d42eb9d74aca11b36a94402de14

SHA256
04ccb9bec2864153c72852867d8e65dca07eca4e5edcfb4beb62cb364dcd91fa

SHA512
24684969632fb0562a3a7a5fec91d869d627730d8e9d83a2b17e326d7047e3fbff205eec207914e42ecd50fef68a212c19f3599ded271c00e66acc22f1f04c16

Download Submit
memory/1380-29-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1712-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1712-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-1873-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-3333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download