1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 18:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Size

1019KB
MD5

5bbc6945a17157f1c599b98ec10b355f
SHA1

fa74daf9bbe2c1934b955fb2d2bfe438053f518e
SHA256

1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0
SHA512

0498864f9091e546007e5d122ed0103c82246dd10446c3f2b47a7f5f7e5f889f4056e1927b74936635e95be6eb96526eb2bb0542c7f751d25b54cfce6b562dfd
SSDEEP

24576:comUFhNcmLFj4svqaShRsUiTfjo5ya8j8k:cCGmxj4svqaShRibza8T

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2228	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2688	Logo1_.exe
2716	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe

Loads dropped DLL 3 IoCs

pid	Process
2228	cmd.exe
1256	Explorer.EXE
1256	Explorer.EXE

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Logo1_.exe
File created	C:\Program Files (x86)\Uninstall Information\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
File created	C:\Windows\Logo1_.exe	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe
2688	Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2716	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2716	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2228	2376	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe	31
PID 2376 wrote to memory of 2228	2376	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe	31
PID 2376 wrote to memory of 2228	2376	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe	31
PID 2376 wrote to memory of 2228	2376	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe	31
PID 2376 wrote to memory of 2688	2376	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe	32
PID 2376 wrote to memory of 2688	2376	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe	32
PID 2376 wrote to memory of 2688	2376	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe	32
PID 2376 wrote to memory of 2688	2376	1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe	32
PID 2688 wrote to memory of 1472	2688	Logo1_.exe	34
PID 2688 wrote to memory of 1472	2688	Logo1_.exe	34
PID 2688 wrote to memory of 1472	2688	Logo1_.exe	34
PID 2688 wrote to memory of 1472	2688	Logo1_.exe	34
PID 1472 wrote to memory of 2884	1472	net.exe	36
PID 1472 wrote to memory of 2884	1472	net.exe	36
PID 1472 wrote to memory of 2884	1472	net.exe	36
PID 1472 wrote to memory of 2884	1472	net.exe	36
PID 2228 wrote to memory of 2716	2228	cmd.exe	37
PID 2228 wrote to memory of 2716	2228	cmd.exe	37
PID 2228 wrote to memory of 2716	2228	cmd.exe	37
PID 2228 wrote to memory of 2716	2228	cmd.exe	37
PID 2688 wrote to memory of 1256	2688	Logo1_.exe	21
PID 2688 wrote to memory of 1256	2688	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
PID:1256
- C:\Users\Admin\AppData\Local\Temp\1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
  "C:\Users\Admin\AppData\Local\Temp\1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD623.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe
      "C:\Users\Admin\AppData\Local\Temp\1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2716
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
9847ca511a706e02201174d989ce9f24

SHA1
d978d520076d4a3c1f70c0b8396da4f1968d8b62

SHA256
94f7bbe2eebfa0448998e049d8fcc2df919741f968ee7a552230fae1fc0363d9

SHA512
a6de0cfb0db635de9692d8968d13367fe7e56eaffe8d4440dafdca9bf5efe91fe0c9e55982d9adc49d1ee484fdaa5856d53c258202d6304fad30da2dd214e188

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
56cebfce204894f67e08409427777bad

SHA1
4d6beead1404a1feff0e6b10694dba870748f102

SHA256
4e7887ca484b27d36861bfb01027885da6810b1162800abbf99fa4cacf466603

SHA512
7f8bd01f09cfb2fde7b4e4eb856a502f7f37742414ecc88d9a431755338f3f93712c9a15d45ead7c1fbf53ff4ab9cb6417a65bcf7d67fcdddee40703b3f62894

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD623.bat

Filesize
722B

MD5
3f0b1f342c76820baf9be4bc947ea9ed

SHA1
e6cf8d09900f94cea9ea2f166689afc27a0e6363

SHA256
0f2caa5b92b16bb5937debdc80b7b8c711a3a6d48044edc6cca998dc7cc7a3a0

SHA512
c62f38f910f69c1a35ae7dd7ec62ab4620b2ce78a6edfa401102de282eb7c444ba86603549305f3de592a599dbb1080b986d9cf336a963518b1e6f316d832526

Download Submit
C:\Users\Admin\AppData\Local\Temp\1039f1f87ca63acec4ab781e75bea9704a16e3c5e2bcbfe1dd9e7807f309aaa0.exe.exe

Filesize
990KB

MD5
0c45b1af9f410771bfd1740f40dc4173

SHA1
b896091855905e152abf260a64ebdf8b0c38aeb4

SHA256
3f1a80889fc13d98a26b8b6ac034d8ff4a04a5e3fe6c41c994585f5ba3e32bb2

SHA512
b23e2cb50ed312cb261df84a87283520079cd479ca16c19079abfce4f5ea18cbc730a191af480431f99d5a062e4b853745140d5e9d40003395f16b5867a11d5e

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
2c2a254f4ac4becff7c1ed95d1dfc193

SHA1
832200e5634e50357289652ac22084ef08089309

SHA256
33bef330eba567c27023e923fc3691905f377e95b42999689e93a892f64fa369

SHA512
f8ebfadfb39b23bdb76e3403a7d55f8dd19e64f21f81642b3fa5bdfad278e0acc79682a05edaa8d7438aa2240a9a00cc8f615edee27a86b23db9d5ae5f69657d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\_desktop.ini

Filesize
8B

MD5
0eba530c95ed92c62635372036e559bf

SHA1
d24bedd9e198e4f71f8e9d0dc36351d486609337

SHA256
fdac71b01088c649a174d112f28b274807c720c98d39c8ea678b0832f8cd4b39

SHA512
7bf606115d882198ab92ff5d7f9f92f83e2e8bb4c2be9601ace2de9d7613938a56ffd51331ae22ff62b47fcc8bb54e9007a0375348a4a37b3b82e59d8ca1f3b1

Download Submit
memory/1256-32-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2376-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2376-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-728-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-1878-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-2376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-3338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2716-28-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download