980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 04:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe
Size

5.0MB
MD5

9a865d37089064791e3e0cb6ca09e14f
SHA1

40b42badd7fcd4461345475aeb5d2e2c2d9afdca
SHA256

980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b
SHA512

0bfcd679316dbf9ebc4bb298a8441f00739c82589c7e078b35d9136a203fe803fa075e42c8f15316a38c724a6332d40b0542973bf30209e6c90ef614dfd4f1c1
SSDEEP

98304:OHnFkb1kjZ2vFFWjb8ww1V9CYPASWNZ7WCGEr9raRtvVjiwy3Gq:xb1+b8wwxCYP1WNZWM4tJiwyv

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2988	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2704	Logo1_.exe
2720	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	cmd.exe
2988	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe
File created	C:\Windows\Logo1_.exe	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe
2704	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2988	1072	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe	31
PID 1072 wrote to memory of 2988	1072	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe	31
PID 1072 wrote to memory of 2988	1072	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe	31
PID 1072 wrote to memory of 2988	1072	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe	31
PID 1072 wrote to memory of 2704	1072	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe	32
PID 1072 wrote to memory of 2704	1072	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe	32
PID 1072 wrote to memory of 2704	1072	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe	32
PID 1072 wrote to memory of 2704	1072	980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe	32
PID 2704 wrote to memory of 2732	2704	Logo1_.exe	33
PID 2704 wrote to memory of 2732	2704	Logo1_.exe	33
PID 2704 wrote to memory of 2732	2704	Logo1_.exe	33
PID 2704 wrote to memory of 2732	2704	Logo1_.exe	33
PID 2732 wrote to memory of 2064	2732	net.exe	36
PID 2732 wrote to memory of 2064	2732	net.exe	36
PID 2732 wrote to memory of 2064	2732	net.exe	36
PID 2732 wrote to memory of 2064	2732	net.exe	36
PID 2988 wrote to memory of 2720	2988	cmd.exe	37
PID 2988 wrote to memory of 2720	2988	cmd.exe	37
PID 2988 wrote to memory of 2720	2988	cmd.exe	37
PID 2988 wrote to memory of 2720	2988	cmd.exe	37
PID 2704 wrote to memory of 1260	2704	Logo1_.exe	21
PID 2704 wrote to memory of 1260	2704	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe
  "C:\Users\Admin\AppData\Local\Temp\980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2D09.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe
      "C:\Users\Admin\AppData\Local\Temp\980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe"
      4⤵
      Executes dropped EXE
      PID:2720
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
1b12b9060b8875ff79fd921d924df171

SHA1
2cefdd8b0ba05d21051feb64909fef80f4d4f799

SHA256
b4e50274be3a43611ffaa568b252b827c66855f4f50024b31ac68712cdb4eaba

SHA512
26c4d288eb0525f4abaa9fa9704aabd30b21d0dc444a4d352edc92ca584b384c00dc16c3ba9b904ba9cf8718a0e51501e505873d5b09cfc76013eb8f5e5f393a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2D09.bat

Filesize
722B

MD5
1bfe55c3401a36d17601596a4e1aa13b

SHA1
295eeaf5b1c4e0975a24294a81e05a848bdc6bfd

SHA256
b277f0e30592700cba777f867d09eaf98582a91b40541ded1cc19cfd4adc364c

SHA512
5adcaf590a421f4fbe2b45d51d77d57e43a796518b6a55cd3ac63538c884bda9e27c80e1f1ce5d0a59ad6566da7b628a2010ec463e30df2746f28ac818f0f069

Download Submit
C:\Users\Admin\AppData\Local\Temp\980e85853235ef87a8bd9522ba137a8c5e656bbf18f52bfa510375e6b3d0fc1b.exe.exe

Filesize
4.9MB

MD5
2d70546451f3e8d9789d2fceb8d8c37b

SHA1
aeb828c385965f741a557cbc8c9da0229f3071f0

SHA256
13975ac0c6064bf4b4899a660405182f92be91bc1e479c4df0a6b29c6ee724d5

SHA512
dc21cbad4ecedf8e0a2638594bb5103ace40e9dae2c42346ff0e9fd7f19aeff67ec613e595e9ed4e850969618936fa03fd51fb76707df2f1334225745def3c39

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
7df4cd4ea9e18ac4eac10b27f9b1befc

SHA1
cf3502a223bd7ad9f15dc01f765bdc55304b228d

SHA256
d3a2638f1ce0bfb967235ed43cb85a5d429a462d5231af8abee7219f7b8b3ae3

SHA512
e7f8467655f3eab4aedbc933740a502ad95525007c27cd0ab923c8a65ce7419fdf895070e593dc5851641bc256b6881dbb728520be892f1b96a6ccd525c8bf33

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\_desktop.ini

Filesize
8B

MD5
fcbaf0a2c3988ef775359f94d545ab42

SHA1
174ccd98ff87b8e6f46eebc493f379beafeb3b08

SHA256
895aaa8dac57f2bb76ddc8c2681e0480bf57dbf3f62cda3840cb448b8615612f

SHA512
7c81b6445708b1c482599bfb808e90462d6111e885691dd947d9cdf95ba028d580b20027575814a310a81f310261b649792b65153ce43063da063b5005561d20

Download Submit
memory/1072-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1072-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1260-30-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2704-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-1317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-1874-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-3333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download