d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe
Size

227KB
MD5

02c4ea427f436b0bbf54254d7a2ed92a
SHA1

4a63201662f5e527c06ec7575f6419e084ee0297
SHA256

d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30
SHA512

02e6aaf891744d2b83ba01d96fce1170832d1210620be6d0d71db5d970b21c868ba3d473ec5678e6b002b44b89e7226eb2e8c137aa8a13382a505237ccf2fdda
SSDEEP

3072:pDkuJVLUdeKzC/lzMPySe8DnpeIPipoHbKvXWXz9LRnsaJUS+6wPXD3fxNW7gq5n:6uJWdeKzC/leySe8AIqpoHbnDns1ND9m

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
900	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2292	Logo1_.exe
2512	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe

Loads dropped DLL 1 IoCs

pid	Process
900	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1A1CC958-2235-4531-8015-5AFE1D6CBF7D}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe
File created	C:\Windows\Logo1_.exe	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe
2292	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 900	2876	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe	29
PID 2876 wrote to memory of 900	2876	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe	29
PID 2876 wrote to memory of 900	2876	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe	29
PID 2876 wrote to memory of 900	2876	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe	29
PID 2876 wrote to memory of 2292	2876	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe	31
PID 2876 wrote to memory of 2292	2876	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe	31
PID 2876 wrote to memory of 2292	2876	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe	31
PID 2876 wrote to memory of 2292	2876	d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe	31
PID 2292 wrote to memory of 2824	2292	Logo1_.exe	32
PID 2292 wrote to memory of 2824	2292	Logo1_.exe	32
PID 2292 wrote to memory of 2824	2292	Logo1_.exe	32
PID 2292 wrote to memory of 2824	2292	Logo1_.exe	32
PID 2824 wrote to memory of 2492	2824	net.exe	34
PID 2824 wrote to memory of 2492	2824	net.exe	34
PID 2824 wrote to memory of 2492	2824	net.exe	34
PID 2824 wrote to memory of 2492	2824	net.exe	34
PID 900 wrote to memory of 2512	900	cmd.exe	35
PID 900 wrote to memory of 2512	900	cmd.exe	35
PID 900 wrote to memory of 2512	900	cmd.exe	35
PID 900 wrote to memory of 2512	900	cmd.exe	35
PID 2292 wrote to memory of 1208	2292	Logo1_.exe	20
PID 2292 wrote to memory of 1208	2292	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe
  "C:\Users\Admin\AppData\Local\Temp\d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA026.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe
      "C:\Users\Admin\AppData\Local\Temp\d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe"
      4⤵
      Executes dropped EXE
      PID:2512
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
132b1054bb0e7b6218acdac339075c24

SHA1
5be0ac90dcd8027957dc58019939d463a4b5cb33

SHA256
9cf3400b73dc386b4e95e4a9b6802218465152dd3bf69a0c3f5182e841f5b9fa

SHA512
523be3b86e15c6a503d0e7725e22f5141e864da0c394ba6983724102504699186ca9ee7c2455e05cb46b390a63e58b07cd15992fade73cb5b69d9921945c2416

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
1b12b9060b8875ff79fd921d924df171

SHA1
2cefdd8b0ba05d21051feb64909fef80f4d4f799

SHA256
b4e50274be3a43611ffaa568b252b827c66855f4f50024b31ac68712cdb4eaba

SHA512
26c4d288eb0525f4abaa9fa9704aabd30b21d0dc444a4d352edc92ca584b384c00dc16c3ba9b904ba9cf8718a0e51501e505873d5b09cfc76013eb8f5e5f393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA026.bat

Filesize
722B

MD5
89731c4fa6620035b958ac1a06d30366

SHA1
99b760561f22f6da16f2661d5886ac649756279f

SHA256
40736155c12fb07eda490ecf49a0fb1188d88e37c5320c96fc618ab245c168ac

SHA512
dcc95d9b0eaa57b4046144ad8e243b637c31006193e8eb204b893eac2717073c828511109d011b43fda4cab1a8ead4f8776ddbd18a4c069911dcd5dc547fb358

Download Submit
C:\Users\Admin\AppData\Local\Temp\d201c90c43bb1ee4407474c35c91f4d30b69c28761b6298c52cee4e3ae862d30.exe.exe

Filesize
198KB

MD5
e133c2d85cff4edd7fe8e8f0f8be6cdb

SHA1
b8269209ebb6fe44bc50dab35f97b0ae244701b4

SHA256
6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d

SHA512
701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
142e748c5fabc8e6a94a96addb8a052c

SHA1
f6a084680684360e5f16605356478ea44ff601ec

SHA256
a87bd54b51faa9c1aaf95ca5ba954b7f9c8bf9dd12c84776fade9492e96048cf

SHA512
a8fd76408fdf985c1d7dad9e7f239c7b9bfb0a7c01307a12d285c5369b00500fd25ad7005d76b30bacf03c01b781386dc0c010e02abc3330f446aad3ccdcc32c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini

Filesize
9B

MD5
c20162cff0e529974834e150d7e6691f

SHA1
512e9821581354bd8078227ddf386b17e771ff38

SHA256
82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6

SHA512
c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744

Download Submit
memory/1208-30-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/2292-1874-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-722-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-2605-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-3334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-12-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download