8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe
Size

88KB
MD5

b9844b9f674ca46f85caaab2410a8bf7
SHA1

eb94964cf3b89ec303d1e317899b55a9f39d792d
SHA256

8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf
SHA512

a2f6c5204c983ebdd6a0fe5f02c89f37042ca69586399b1762b6e67db06ac438898593d13b9c7d44a9f58cee31ae613a8fc7ff7a1f4ad88cb72ab58850820979
SSDEEP

1536:pf1d93SHuJV9Ntyapmebn4ddJZeY86iLflLJYEIs67rxo:pfFkuJVL8LK4ddJMY86ipmns6S

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	Logo1_.exe
2608	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe

Loads dropped DLL 1 IoCs

pid	Process
2924	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpenc.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe
File created	C:\Windows\Logo1_.exe	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2352	Logo1_.exe
2352	Logo1_.exe
2352	Logo1_.exe
2352	Logo1_.exe
2352	Logo1_.exe
2352	Logo1_.exe
2352	Logo1_.exe
2352	Logo1_.exe
2352	Logo1_.exe
2352	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2924	2864	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe	30
PID 2864 wrote to memory of 2924	2864	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe	30
PID 2864 wrote to memory of 2924	2864	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe	30
PID 2864 wrote to memory of 2924	2864	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe	30
PID 2864 wrote to memory of 2352	2864	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe	31
PID 2864 wrote to memory of 2352	2864	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe	31
PID 2864 wrote to memory of 2352	2864	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe	31
PID 2864 wrote to memory of 2352	2864	8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe	31
PID 2352 wrote to memory of 1976	2352	Logo1_.exe	33
PID 2352 wrote to memory of 1976	2352	Logo1_.exe	33
PID 2352 wrote to memory of 1976	2352	Logo1_.exe	33
PID 2352 wrote to memory of 1976	2352	Logo1_.exe	33
PID 1976 wrote to memory of 3012	1976	net.exe	35
PID 1976 wrote to memory of 3012	1976	net.exe	35
PID 1976 wrote to memory of 3012	1976	net.exe	35
PID 1976 wrote to memory of 3012	1976	net.exe	35
PID 2924 wrote to memory of 2608	2924	cmd.exe	36
PID 2924 wrote to memory of 2608	2924	cmd.exe	36
PID 2924 wrote to memory of 2608	2924	cmd.exe	36
PID 2924 wrote to memory of 2608	2924	cmd.exe	36
PID 2352 wrote to memory of 1120	2352	Logo1_.exe	20
PID 2352 wrote to memory of 1120	2352	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1120
- C:\Users\Admin\AppData\Local\Temp\8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe
  "C:\Users\Admin\AppData\Local\Temp\8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aFBEC.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe
      "C:\Users\Admin\AppData\Local\Temp\8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe"
      4⤵
      Executes dropped EXE
      PID:2608
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
0e96df2b803787ad87d98fb164a286f5

SHA1
0790c9a340015c2e2ebbd5459c90b82cf6ae5f3a

SHA256
8951711f84a55417c6e4f31b004f415a75abe8b26696751f840fcc8e928b9a8e

SHA512
5fcc84cd18c7f9927e200ba37cc5ecf8d877736c3b14bc95d23aa734e9257db9b40a154cedcc56f1f3222f8153f93ca45ee2307315cfe3a14430a6c77d06501e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
2d816096dcd7a9b38e9b445b75c019a1

SHA1
e3c192f07e460078a7b2db4aeb94d4c53700bd75

SHA256
43b6be2e758c7e161993e451ce005a00345b4f3ba8b3c069d55ce93ac7e19758

SHA512
6af3ed08658c195072f549af50b96cd05e8070bf468add1884caba811145e88e28ff016298ea52078d7d31bded223c12bf6ca294219610ba2a5036dd442d356c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aFBEC.bat

Filesize
722B

MD5
02a46d64e6c63b7ad72464cd1e175097

SHA1
2e8570c5136c6e3814e1ad87819adb03a0e2e9a4

SHA256
47ecc05a71dd2f29bb575e4827f19dc9ce4d50d5ef9d44eb413a9c02ae25381b

SHA512
7c2e3fd64fa3653842a4fb20863e7d49141053b747ccb99ac7fffa558a381cf955425b81df55011723478bb22de76101805845dd0dc7d6407966a53d6d9c8ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe.exe

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
44e459665555aa71b27739a4c8e0ce2e

SHA1
a356a45529a77684280cab95f9658263facadedc

SHA256
791918b0fdd6d93878a051a648a2d60d04f2e12fb5428d138dcc2b63fbf94c13

SHA512
ede586c602defafd40a4507989f664d3345a5b0b2172251e10f84d87e44ee56b9546e04c7f7aeb621d72be7714de56f01ca06c0cf266938165d3408cc92969b7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\_desktop.ini

Filesize
9B

MD5
79a2fb76ad00a8ac07f11b6a179f5297

SHA1
72b4f589fd7945d8c80b370d1d3a1f2467f3eb81

SHA256
2f723e98c3a3556269a4d81d4a27d6a0ab13a84c5ba737493c07354a2608684f

SHA512
3a21c2e60e8e035fb90d428e86bb927077d8354a16f1abc291ccba4a4d7fee4f51cf781fa9202e5602a88ca70a6ba264ac49762100be5f6e09a2ec930e098168

Download Submit
memory/1120-29-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2352-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-726-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-1875-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-2427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-3335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2864-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2864-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download