a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe
Size

52KB
MD5

97fb100639b9d31dd0fc73f8e3edc522
SHA1

dc31aa572fd3448de36d46eb41a048e998e720fd
SHA256

a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41
SHA512

ebc86c380a548cde2050e6af1a10df5cee67b1f0e8a0fb622b442df8ca92f282a5232fce3788871d077f10c559dadfb1982e2f7a67af8853147b7a9106efee00
SSDEEP

768:pa888ZT16GVRu1yK9fMnJG2V9dHS85qgt6jpYU5ltbDrYiI0oPxWExI:pPJ3SHuJV9NP6jWWvr78Pxc

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	Logo1_.exe
2980	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe

Loads dropped DLL 5 IoCs

pid	Process
2476	cmd.exe
2660	WerFault.exe
2660	WerFault.exe
2660	WerFault.exe
2660	WerFault.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe
File created	C:\Windows\Logo1_.exe	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2328	Logo1_.exe
2328	Logo1_.exe
2328	Logo1_.exe
2328	Logo1_.exe
2328	Logo1_.exe
2328	Logo1_.exe
2328	Logo1_.exe
2328	Logo1_.exe
2328	Logo1_.exe
2328	Logo1_.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2476	2632	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe	31
PID 2632 wrote to memory of 2476	2632	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe	31
PID 2632 wrote to memory of 2476	2632	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe	31
PID 2632 wrote to memory of 2476	2632	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe	31
PID 2632 wrote to memory of 2328	2632	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe	32
PID 2632 wrote to memory of 2328	2632	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe	32
PID 2632 wrote to memory of 2328	2632	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe	32
PID 2632 wrote to memory of 2328	2632	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe	32
PID 2328 wrote to memory of 2840	2328	Logo1_.exe	33
PID 2328 wrote to memory of 2840	2328	Logo1_.exe	33
PID 2328 wrote to memory of 2840	2328	Logo1_.exe	33
PID 2328 wrote to memory of 2840	2328	Logo1_.exe	33
PID 2840 wrote to memory of 2744	2840	net.exe	36
PID 2840 wrote to memory of 2744	2840	net.exe	36
PID 2840 wrote to memory of 2744	2840	net.exe	36
PID 2840 wrote to memory of 2744	2840	net.exe	36
PID 2476 wrote to memory of 2980	2476	cmd.exe	37
PID 2476 wrote to memory of 2980	2476	cmd.exe	37
PID 2476 wrote to memory of 2980	2476	cmd.exe	37
PID 2476 wrote to memory of 2980	2476	cmd.exe	37
PID 2980 wrote to memory of 2660	2980	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe	38
PID 2980 wrote to memory of 2660	2980	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe	38
PID 2980 wrote to memory of 2660	2980	a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe	38
PID 2328 wrote to memory of 1188	2328	Logo1_.exe	21
PID 2328 wrote to memory of 1188	2328	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe
  "C:\Users\Admin\AppData\Local\Temp\a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDB32.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe
      "C:\Users\Admin\AppData\Local\Temp\a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2980 -s 124
        5⤵
        Loads dropped DLL
        
        PID:2660
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
586340b58f02ffb1b754d46c776ecaa9

SHA1
d860ee44aedafb70befe321b936c5eba49dbdda3

SHA256
3f2a34592999a9ed095c898b45cb55f54712ed0486bda1f3bb54ae798516639b

SHA512
8c3b824fa1462406a81f60ffaa1ff8f517d3d0503e6653eee5b1d5f312ee0e13d2b9d2767f5b1f3f8644f28e5c40da1956a781551752c056332ed76ef62dbe58

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
c14a5111b798cff20d7d66b0e035d409

SHA1
29f0894552b30815fed6ad231b5721e876869552

SHA256
fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6

SHA512
a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDB32.bat

Filesize
722B

MD5
d6416d97f879f9c7211b2cd9a0c0f22c

SHA1
8f189a1d5868deaa473e116549075a64e21e0178

SHA256
279566637bf55518af74831334af6637e3fde90d68e874f39ca88bd5a56af96e

SHA512
4ebd9a1e9d82bb5d4abc45ff33c66b3970a130ec8a294e85dea5d7dc2df61683031e4093b09fd7da19baf3b52966f46ee2866d280b888e7d9f8804d5f64eafa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a31291ed0c125210458a2b6992bb29537c42b5e0f400c20520430e5110854c41.exe.exe

Filesize
23KB

MD5
3f9dbfee668294872ef01b90740b01d0

SHA1
99a4702b65485cd14736b1c2cdfb81b455dda01c

SHA256
40b32fea1fcadcb2db369475e2bba58b0b83f5c3bb647e2e63877726c35a9f86

SHA512
0113cec160d97ea0cce70860cc5b79b502d16191ee237a3abb84309499be193aa0127dbcb41fc05a90fa61484b061ec4332ad29a918db598e32fe832b74bd1e3

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
e204efa82c4df71160c451caec4787e5

SHA1
e56ddb6d0afdb9aa1bf4808765b25cf4a2fdc279

SHA256
4ff7272e95a79354eb6d72c784593bd6a0820fe9e512ff176a51fef8929b5bd9

SHA512
6ee14cc010de5b04eee707242a6f4471739cc62bf86a332d5c0e90f15a778fe2ef1d8e1bf7f86a603cbf00fa8e302c09f533f837f5d67f62743396074ed030c9

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-940600906-3464502421-4240639183-1000\_desktop.ini

Filesize
9B

MD5
fa81249b1f991386d1e1de2a5a03499e

SHA1
70e9b6e238a42e7472c1f5f2f4ea3f86f8352185

SHA256
5421d45a710074ffe77329c2300e528ce8feceb0748aacbd89ef2ed0aae5a87f

SHA512
bc652d20db7ab6bde42b15f5639c2b36e000179c232c4b9e3e218e670b93a6d7b73530b3bd6fdfca5d61c5a578c1e7508fb97f9bffdfa17dff214359b094e409

Download Submit
memory/1188-32-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2328-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-763-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-1877-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-2832-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-3337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2632-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2632-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download