321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe
Size

66KB
MD5

d9c46fcbae058fde58d6853a1fd0d566
SHA1

d8029d6661e1b9c2d23384acd0c0e64131a442c2
SHA256

321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef
SHA512

ab404c2fd835cea4e5e5efbc8759aad48241a76ab6df7f6e0100b92fc196096bb277c84793e8aca5e01e12697e66d85c674b8efee53d177938587843ed72b5b5
SSDEEP

1536:plJ3SHuJV9NBriw+d9bHrkT5gUHz7FxtJ:plJkuJVLBrBkfkT5xHzD

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2488	Logo1_.exe
2652	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe

Loads dropped DLL 1 IoCs

pid	Process
2736	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe
File created	C:\Windows\Logo1_.exe	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2488	Logo1_.exe
2488	Logo1_.exe
2488	Logo1_.exe
2488	Logo1_.exe
2488	Logo1_.exe
2488	Logo1_.exe
2488	Logo1_.exe
2488	Logo1_.exe
2488	Logo1_.exe
2488	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2736	2848	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe	30
PID 2848 wrote to memory of 2736	2848	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe	30
PID 2848 wrote to memory of 2736	2848	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe	30
PID 2848 wrote to memory of 2736	2848	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe	30
PID 2848 wrote to memory of 2488	2848	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe	31
PID 2848 wrote to memory of 2488	2848	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe	31
PID 2848 wrote to memory of 2488	2848	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe	31
PID 2848 wrote to memory of 2488	2848	321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe	31
PID 2488 wrote to memory of 2960	2488	Logo1_.exe	32
PID 2488 wrote to memory of 2960	2488	Logo1_.exe	32
PID 2488 wrote to memory of 2960	2488	Logo1_.exe	32
PID 2488 wrote to memory of 2960	2488	Logo1_.exe	32
PID 2960 wrote to memory of 2608	2960	net.exe	35
PID 2960 wrote to memory of 2608	2960	net.exe	35
PID 2960 wrote to memory of 2608	2960	net.exe	35
PID 2960 wrote to memory of 2608	2960	net.exe	35
PID 2736 wrote to memory of 2652	2736	cmd.exe	36
PID 2736 wrote to memory of 2652	2736	cmd.exe	36
PID 2736 wrote to memory of 2652	2736	cmd.exe	36
PID 2736 wrote to memory of 2652	2736	cmd.exe	36
PID 2488 wrote to memory of 1228	2488	Logo1_.exe	21
PID 2488 wrote to memory of 1228	2488	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe
  "C:\Users\Admin\AppData\Local\Temp\321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5947.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe
      "C:\Users\Admin\AppData\Local\Temp\321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe"
      4⤵
      Executes dropped EXE
      PID:2652
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
0795c21dfe1d48ae3c5586a240647f76

SHA1
8edc74eab834763e5e075ca28d9eb51e8c8c8037

SHA256
a85e40de74038beed1ca308efbca3958e083dd751bf5e3137d1ee46d40ed34b4

SHA512
5317ffa8781f2bcf2f88c5edbac2d14b5ee2b575d955466386a5b78ba5e18d90497c3e0139622b515f4b1b21c6cffe7a93c9c239cce8563fce9ce45a272f21c0

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
c14a5111b798cff20d7d66b0e035d409

SHA1
29f0894552b30815fed6ad231b5721e876869552

SHA256
fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6

SHA512
a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5947.bat

Filesize
722B

MD5
1e0b254f42cabe673afbc66ec9f02e1e

SHA1
68eb5e81a109a8501db5ae9e7d6c799ee677d9d0

SHA256
fa32a50c24d50286bbc96af9d758c0dcc4c6a3d34f4966734df003c3335f206c

SHA512
fce569944a638c71d291925a9de5d5e6e72da82c0d2a11de07d00a6a77b23dbe3328c95667710ab9a509a518155de92f47b8db3ff622d92a838d4dc18d693ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\321baf82b42a1a0946076e21ffcd9ce905a54569a57f73cf807a6cd165b5d2ef.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
969ca95b42d09902c25ce0405cd80f81

SHA1
da605dc4d41e85c75724af64651413d121ae3f3b

SHA256
fe7715f49620e9769a915b8df49aba8b8ab7aa20bad950cf7114b4c23f15bcad

SHA512
ae6b87682a192d09cbee82009529645596aa04d54154b83e87274c705cf7ddc6c459bf2975e35e1ee5336cb82dcee91344fe79c182c983fa96e6149b22f47472

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\_desktop.ini

Filesize
8B

MD5
5e797d005cfee3b802f98412c511983c

SHA1
1c65a747549afbed9971b65c604d64ec1f1ab898

SHA256
dcb1b824282c0cca0aaad7a62d7857039122e25a100766f82c85f227b36e4c88

SHA512
41116f81a81859b0608b0150a4cd791b3fba9e7516ff3eb98494a3802a3532dda052a2ed955d64c023fe6d8113079d7190df6f5bcc7ef86c8e743419a758706b

Download Submit
memory/1228-29-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/2488-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2488-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2488-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2488-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2488-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2488-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2488-830-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2488-1874-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2488-2829-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2488-3334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2848-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2848-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download