43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 22:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe
Size

161KB
MD5

483463b08050f33774f37972d454fca8
SHA1

138f4aa49f1607d0f91bc6fd0f84e45106877654
SHA256

43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365
SHA512

b2b168289dc0e1ac9c16d0b5c1da4af6b1b844aa859b4f6dc0c79a080109680cbb667e38565e0e1b249da7ff6654b86ab9cc0a18d696a5af969509953b7dab1a
SSDEEP

3072:sftffjmNCslzQC4U29RUoKK1YUoXO3tEKWZumax8apm1G7OXBShPnX5e2:0VfjmN1lzQC4NRaGUOEp/IPX5e

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2320	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2784	Logo1_.exe
2420	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe

Loads dropped DLL 1 IoCs

pid	Process
2320	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpenc.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe
File created	C:\Windows\Logo1_.exe	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2784	Logo1_.exe
2784	Logo1_.exe
2784	Logo1_.exe
2784	Logo1_.exe
2784	Logo1_.exe
2784	Logo1_.exe
2784	Logo1_.exe
2784	Logo1_.exe
2784	Logo1_.exe
2784	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2320	2352	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe	29
PID 2352 wrote to memory of 2320	2352	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe	29
PID 2352 wrote to memory of 2320	2352	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe	29
PID 2352 wrote to memory of 2320	2352	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe	29
PID 2352 wrote to memory of 2784	2352	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe	30
PID 2352 wrote to memory of 2784	2352	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe	30
PID 2352 wrote to memory of 2784	2352	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe	30
PID 2352 wrote to memory of 2784	2352	43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe	30
PID 2784 wrote to memory of 2836	2784	Logo1_.exe	31
PID 2784 wrote to memory of 2836	2784	Logo1_.exe	31
PID 2784 wrote to memory of 2836	2784	Logo1_.exe	31
PID 2784 wrote to memory of 2836	2784	Logo1_.exe	31
PID 2836 wrote to memory of 2920	2836	net.exe	34
PID 2836 wrote to memory of 2920	2836	net.exe	34
PID 2836 wrote to memory of 2920	2836	net.exe	34
PID 2836 wrote to memory of 2920	2836	net.exe	34
PID 2320 wrote to memory of 2420	2320	cmd.exe	35
PID 2320 wrote to memory of 2420	2320	cmd.exe	35
PID 2320 wrote to memory of 2420	2320	cmd.exe	35
PID 2320 wrote to memory of 2420	2320	cmd.exe	35
PID 2320 wrote to memory of 2420	2320	cmd.exe	35
PID 2320 wrote to memory of 2420	2320	cmd.exe	35
PID 2320 wrote to memory of 2420	2320	cmd.exe	35
PID 2784 wrote to memory of 1220	2784	Logo1_.exe	20
PID 2784 wrote to memory of 1220	2784	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe
  "C:\Users\Admin\AppData\Local\Temp\43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF27A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe
      "C:\Users\Admin\AppData\Local\Temp\43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2420
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
a1c7c7b7e79c5287b58e925a70575c88

SHA1
d8ee1ce08655bb1af22365c7449c4d3f6438ef0a

SHA256
c3e2bb4b9fb57ecc260fa17c29866436ba39ca9a0de4c60f8e61a5c0f3c7addc

SHA512
3838d8b08413eea478cdbf2f16477018f71fa8ed3d1bb4e7e4ce9d56d3662f217847003b3d5438bad3961e336fdfdfc376411c608a302cacd5204d18595e26b1

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF27A.bat

Filesize
722B

MD5
6a25117b53475eb780288dc68f5f18a5

SHA1
e98c1e2764af9d825c359d1fd20c0b8cde7b6a26

SHA256
bfac9155d123cc293860bcc91e28e43cafb7df73efc6638946aa0a58f7c8e4e3

SHA512
e3c6877588ff040fed4cc6f402d50631d5d1fdac7b602e14e2b8843aacdf44bb6a4f14bc925f22852df71a60d38a11ce59277475717a16b9f7e78f9a3cf4dcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\43268e15a2d54f9e108f292c2fd56a7c7a835a156845677081c29b00e6ecb365.exe.exe

Filesize
135KB

MD5
0adbdeb9cf366c4ce8b44099b7bf362e

SHA1
1b8b04023317d3e14a8753c9fc0a2680e26ff577

SHA256
ab2b342d9c99bd9dbc50f0782c4755d7dd27e4af9c3ae2fb24490c57dcceb991

SHA512
46e4c3b7426bcdd17d26bac41f9a1787765bf90cb80ac601799cb13d2ddd9db10511abd73badcc43c2553a203b98cc13924fd98908064440ce9b8ecde9aafa22

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
c70a9fd793f9c5f5732962c32f7e3775

SHA1
3aa103a49c3a16b06a9ff57ef7f853541591854a

SHA256
2f34c344d764cecda5b05bdcea2283b882998e6fff50ac121ed8c133996518ca

SHA512
f93db88e4247a545a557fbf2d654898f1c9cf8bfb819f4b8279f838d1666054489d51227189bd92fcee4fee97e8cc90f38cbb863e2b0d1adb2979b982789fe3a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\_desktop.ini

Filesize
8B

MD5
5e797d005cfee3b802f98412c511983c

SHA1
1c65a747549afbed9971b65c604d64ec1f1ab898

SHA256
dcb1b824282c0cca0aaad7a62d7857039122e25a100766f82c85f227b36e4c88

SHA512
41116f81a81859b0608b0150a4cd791b3fba9e7516ff3eb98494a3802a3532dda052a2ed955d64c023fe6d8113079d7190df6f5bcc7ef86c8e743419a758706b

Download Submit
memory/1220-29-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/2352-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-1875-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-3335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download