269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d

Analysis

max time kernel
147s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe
Size

3.0MB
MD5

8d282225f46571f7f75b702f5f7e85ad
SHA1

72ea49277feec83f2b609ba32e6d5321ad55f7e6
SHA256

269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d
SHA512

668fe66324c211f207bbfae852a674e175575896abeac66c1a90567e66341828e6057b1fc7eef79f8d1d786129e41b464067196dd2fcba5b87c8fc59e8a1c8e5
SSDEEP

49152:87QIGwdA0g6CupcLp0pHwjOLaUIeJSBTXJeKPTSuN0o8hedRW9GoNeDJ:RIGH6CupcLp0pHnFSNXJ3TSW0oTW9jNq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2452	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1184	Logo1_.exe
2904	269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe

Loads dropped DLL 1 IoCs

pid	Process
2452	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe
File created	C:\Windows\Logo1_.exe	269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2452	2028	269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe	29
PID 2028 wrote to memory of 2452	2028	269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe	29
PID 2028 wrote to memory of 2452	2028	269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe	29
PID 2028 wrote to memory of 2452	2028	269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe	29
PID 2028 wrote to memory of 1184	2028	269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe	31
PID 2028 wrote to memory of 1184	2028	269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe	31
PID 2028 wrote to memory of 1184	2028	269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe	31
PID 2028 wrote to memory of 1184	2028	269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe	31
PID 1184 wrote to memory of 2672	1184	Logo1_.exe	32
PID 1184 wrote to memory of 2672	1184	Logo1_.exe	32
PID 1184 wrote to memory of 2672	1184	Logo1_.exe	32
PID 1184 wrote to memory of 2672	1184	Logo1_.exe	32
PID 2452 wrote to memory of 2904	2452	cmd.exe	34
PID 2452 wrote to memory of 2904	2452	cmd.exe	34
PID 2452 wrote to memory of 2904	2452	cmd.exe	34
PID 2452 wrote to memory of 2904	2452	cmd.exe	34
PID 2672 wrote to memory of 2648	2672	net.exe	35
PID 2672 wrote to memory of 2648	2672	net.exe	35
PID 2672 wrote to memory of 2648	2672	net.exe	35
PID 2672 wrote to memory of 2648	2672	net.exe	35
PID 1184 wrote to memory of 1192	1184	Logo1_.exe	20
PID 1184 wrote to memory of 1192	1184	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe
  "C:\Users\Admin\AppData\Local\Temp\269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a204D.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe
      "C:\Users\Admin\AppData\Local\Temp\269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe"
      4⤵
      Executes dropped EXE
      PID:2904
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
36caa3af38ebf56cd8ee834190ec3358

SHA1
e19f7997038b7703e2e6b8355a3968ed910c3d81

SHA256
d7e2f0712c06ea1f22c537a4ea7dbd52c8625e795a9adeb9ac69c563dc192171

SHA512
6115d28aeac898db83f97d548111509ffcc42238e6b452740cc34efcd068d0f6c7dc9b43eed2ecdfed23b7ba1211be3cee451806918be7888ece6ff9c821d44d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a204D.bat

Filesize
722B

MD5
ae726af1d154e9ea0466a279b40ceb52

SHA1
877d692218e69ea382b4fdb897ef52a67d31ab07

SHA256
1e8678423baa674e3cb15f78dfd3a59302a827a25bc18595c707ea029143e0cd

SHA512
336e9c0846b26e8a98c6ef48d73b18bdf0b64bac407c6dd069f195a8d307f13cfd2758dff858b2415194c9c7587f6dba0ba5f8b90e5fde82fec1c4f707f7fb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\269d22000aaa7278e3eb86dba01c1e9cced1911fccf7dcea84c7c59e9060397d.exe.exe

Filesize
3.0MB

MD5
946a34b9908db3f1c9a10d100ca74761

SHA1
e2502980bfeee547bb38888af11d2e3ab764a1f8

SHA256
6121bed8071607efe9743e2c5582395ebcac5cbab77da05d8120aa9d308d946e

SHA512
84ff6a78c80b36db6ef55c7df51bc7432cf83752c33e4c5e7a88fa540d2f7fe26ed47b5bb5bf16a768e087fd1633e65f841b591cc39c0b7f1f18b40cbc3506a3

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
f352e9f0f79f4824907e742caa681192

SHA1
e966dd9264543e3425ff991228fc2800f92fdd70

SHA256
23f5e80fd82e45a3133287609845215b73d8e2be13a65b0e116185e7531a2766

SHA512
11c22a372dba41cef48f07a3dc608cbd7fb5c3e3dd5effc977c6339709f1e26a8e4395cee61fd3b29cb264b69cffebd989ae084c551cbf7cd4650185a1fb3513

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\_desktop.ini

Filesize
9B

MD5
2efce5174bcf8d378a924333f75e26ad

SHA1
4fe6e1d729b55d42eb9d74aca11b36a94402de14

SHA256
04ccb9bec2864153c72852867d8e65dca07eca4e5edcfb4beb62cb364dcd91fa

SHA512
24684969632fb0562a3a7a5fec91d869d627730d8e9d83a2b17e326d7047e3fbff205eec207914e42ecd50fef68a212c19f3599ded271c00e66acc22f1f04c16

Download Submit
memory/1184-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-1875-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-3335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1192-30-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/2028-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-12-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download