21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 17:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe
Size

1.6MB
MD5

a51b6ea36c95074022a1d75cf50ff03d
SHA1

68d264386d390d0f8395895d69ec1d629c4d0361
SHA256

21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55
SHA512

7df03e9ff1d4dd7d2376d7274cbc201b449aea002d7a4a543dd2b06502b42931db49b50629d2d50de569b907b1aca038a497ff81ecd2b853b6dac899b12b37ca
SSDEEP

24576:97+ruBJ+lZfz3ObxtBEImd0fcU0vbC50j1Z8bDeL/EapfnGmnIV6BU8SHD1NJcjl:97xSd0fcU0vbCWjM2L/E0nGmZUnHRWt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2356	Logo1_.exe
2676	21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe

Loads dropped DLL 1 IoCs

pid	Process
2808	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe
File created	C:\Windows\Logo1_.exe	21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2356	Logo1_.exe
2356	Logo1_.exe
2356	Logo1_.exe
2356	Logo1_.exe
2356	Logo1_.exe
2356	Logo1_.exe
2356	Logo1_.exe
2356	Logo1_.exe
2356	Logo1_.exe
2356	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2808	2872	21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe	30
PID 2872 wrote to memory of 2808	2872	21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe	30
PID 2872 wrote to memory of 2808	2872	21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe	30
PID 2872 wrote to memory of 2808	2872	21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe	30
PID 2872 wrote to memory of 2356	2872	21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe	32
PID 2872 wrote to memory of 2356	2872	21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe	32
PID 2872 wrote to memory of 2356	2872	21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe	32
PID 2872 wrote to memory of 2356	2872	21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe	32
PID 2356 wrote to memory of 2324	2356	Logo1_.exe	33
PID 2356 wrote to memory of 2324	2356	Logo1_.exe	33
PID 2356 wrote to memory of 2324	2356	Logo1_.exe	33
PID 2356 wrote to memory of 2324	2356	Logo1_.exe	33
PID 2324 wrote to memory of 2180	2324	net.exe	35
PID 2324 wrote to memory of 2180	2324	net.exe	35
PID 2324 wrote to memory of 2180	2324	net.exe	35
PID 2324 wrote to memory of 2180	2324	net.exe	35
PID 2808 wrote to memory of 2676	2808	cmd.exe	36
PID 2808 wrote to memory of 2676	2808	cmd.exe	36
PID 2808 wrote to memory of 2676	2808	cmd.exe	36
PID 2808 wrote to memory of 2676	2808	cmd.exe	36
PID 2356 wrote to memory of 1120	2356	Logo1_.exe	20
PID 2356 wrote to memory of 1120	2356	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe
  "C:\Users\Admin\AppData\Local\Temp\21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFC3A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe
      "C:\Users\Admin\AppData\Local\Temp\21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe"
      4⤵
      Executes dropped EXE
      PID:2676
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
66d4efe97255d7f5df009ae36b629ad0

SHA1
a8e7ee1de31b8b17e4e7d436d1b8abe86fe03c4d

SHA256
b591324aa4910b50618bde85821c8fc3e1bf992b56bdc2c9d4e1abc6c314e732

SHA512
304cd4dacac48a0ad66d69a5fb7083f59402fa39f5e1031ec156d9a47ebaf5ef48e00de6bfca8cd96fbf94a5537b489ec4a34355cefc20a777ab6c29e287c88e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aFC3A.bat

Filesize
722B

MD5
dfef2838e337e465b0ca61f3e263cc9a

SHA1
5e70bac6e93f949756b404217994668257d839b8

SHA256
986617a403382f09ffce27e8bcd9ca987639e68a7555817327fe061cbcd21d98

SHA512
59ea5f6ec07a14f71e8e33225edef27968b9202d035072ba11572cc709b4954cbfa92d25022ee5820a12d18c3e4f9bc195f91585923191d12d543c50f1e7d2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\21b2fe6f61a3addeefd5375d6b9220016c9d0de6df80242c2771c0c2c24d6d55.exe.exe

Filesize
1.6MB

MD5
2f1b439fd1f15f43152be897992846be

SHA1
d228752fc169c6ade421478f91e1b7bbf69d65c5

SHA256
d336a0b1a4a71f31730877b98c8ca6bf1f32543bcd910bed7c0f3e7f26a25f47

SHA512
57d9f6b9c0a62027c45ebb3627faf8b44ec7c66d4635d057a6871b2507ca52d68d871b63b0869181abef5de7053e9e37efd62ea1f5c5e46dc7e2055d7599dcd9

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
11ea1edd35759a6d8d4b6c8cdbcef148

SHA1
758e0f7e1742f411e3835ca691cf64c24756945d

SHA256
76317f6340de7844413cbb84531dc8be88600eb35dfafeaf2a55db88cd9ead16

SHA512
aabd5cc419ecaca3bfeccdd8b5af08cb331974aa781245341a7e91247eac8dafb086e0a413348cd16fb56afe6d522a31a940afc03ca1dff481d7b20f0cfc4ceb

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\_desktop.ini

Filesize
9B

MD5
2efce5174bcf8d378a924333f75e26ad

SHA1
4fe6e1d729b55d42eb9d74aca11b36a94402de14

SHA256
04ccb9bec2864153c72852867d8e65dca07eca4e5edcfb4beb62cb364dcd91fa

SHA512
24684969632fb0562a3a7a5fec91d869d627730d8e9d83a2b17e326d7047e3fbff205eec207914e42ecd50fef68a212c19f3599ded271c00e66acc22f1f04c16

Download Submit
memory/1120-29-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2356-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-669-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-1874-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-1988-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-3334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download