2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe
Size

364KB
MD5

2e379f53e5f90a62fd989ee3c689fa54
SHA1

0bbc8383c3bb11247225e151124f4f13f99b01d1
SHA256

2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609
SHA512

c7724155a6ef08ddd81bc018e9470ccbce99db0227658427abd4228c4cfed0a6fcca3ee9671204d6dcc0375d0854f65e3caf2317f1bafa2b3c18929d744fa3d1
SSDEEP

6144:QuJPzU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:RU66b5zhVymA/XSRh

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	Logo1_.exe
2560	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe

Loads dropped DLL 1 IoCs

pid	Process
2776	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Portable Devices\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe
File created	C:\Windows\Logo1_.exe	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 2776	668	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe	30
PID 668 wrote to memory of 2776	668	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe	30
PID 668 wrote to memory of 2776	668	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe	30
PID 668 wrote to memory of 2776	668	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe	30
PID 668 wrote to memory of 2780	668	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe	31
PID 668 wrote to memory of 2780	668	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe	31
PID 668 wrote to memory of 2780	668	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe	31
PID 668 wrote to memory of 2780	668	2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe	31
PID 2780 wrote to memory of 2540	2780	Logo1_.exe	32
PID 2780 wrote to memory of 2540	2780	Logo1_.exe	32
PID 2780 wrote to memory of 2540	2780	Logo1_.exe	32
PID 2780 wrote to memory of 2540	2780	Logo1_.exe	32
PID 2540 wrote to memory of 2720	2540	net.exe	35
PID 2540 wrote to memory of 2720	2540	net.exe	35
PID 2540 wrote to memory of 2720	2540	net.exe	35
PID 2540 wrote to memory of 2720	2540	net.exe	35
PID 2776 wrote to memory of 2560	2776	cmd.exe	36
PID 2776 wrote to memory of 2560	2776	cmd.exe	36
PID 2776 wrote to memory of 2560	2776	cmd.exe	36
PID 2776 wrote to memory of 2560	2776	cmd.exe	36
PID 2780 wrote to memory of 1228	2780	Logo1_.exe	21
PID 2780 wrote to memory of 1228	2780	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe
  "C:\Users\Admin\AppData\Local\Temp\2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4DE2.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe
      "C:\Users\Admin\AppData\Local\Temp\2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe"
      4⤵
      Executes dropped EXE
      PID:2560
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
5a887afc6fa43b25aeb68fcb37d2c463

SHA1
4fe960277de2ed39278617f11b88b9e86fc6d8dd

SHA256
0ed5a8f1e2ab359d413551808abcf23c162ee9f66a8981c73277016b930d0a18

SHA512
40f0fed3c6b5d90264eace02005fb90404a9191678e61bb6f91bd1208c0708a30cab28f12de1f821bff7ea90481ebaaaf35cfce5e422b4a17d08cc686f9901ba

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
17e5de36cf448d652adab881a4557ec2

SHA1
c45337444120f4cc4a9a65b2bee63cd61618ca2a

SHA256
32568fb07078e0d4e77efac9ad862454dba63de5c5f920d9a14de709372f2430

SHA512
22678c9ca2d70d9a3377d1f2c6c91d7649adcaccee564acdf1bd6373e60f13f6e21fc09feed5b590475889996287961a1450542741ef0888a4a0b5e9c9812b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4DE2.bat

Filesize
722B

MD5
0dab095ecf88a203732dd8f0907abf6b

SHA1
fdeddb321915c20b3a3e663cddb7b7fa8d4025f3

SHA256
51f21044817749c8df784cfc562fac1a96959cc9faaf19c8207de70e3f19b118

SHA512
0c573398d1eaaa24530f647e9484425fdeaebae64185704dfd250a3d63d420c5b0b8e5184e35011b5340dd5799ab18b8a816671ca43014d7d54e1ed412ea1d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aa9ad4e59b68cde6ade141a1e5d52007cf80c4190a5d2bac544e727fbd62609.exe.exe

Filesize
335KB

MD5
40ac62c087648ccc2c58dae066d34c98

SHA1
0e87efb6ddfe59e534ea9e829cad35be8563e5f7

SHA256
482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

SHA512
0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
301549b375be573ae362680e5f5dc5d5

SHA1
36dca577b0b2ba9003094a700d1bacfb753114e9

SHA256
8be0684e142c773db51ff506afeb18d93b0e35b5a544d840dea6e356a15f2730

SHA512
76b0868cc4a8f097b433f754e1f83fda94392f739df955c6bfffdb3f5e3f39cbd9a3e01e21ae3c10feddcb3cca18a04c0f46b3da1eba61a43e3eb9a41f05a745

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2172136094-3310281978-782691160-1000\_desktop.ini

Filesize
9B

MD5
01a8a4ee3580d4da5c60557485bef735

SHA1
f792412989fd2ce56b5d859cceef65819bf0ddf0

SHA256
e2897bad6bc31a67e597a2ef77fce6939385cf6bd64587f2cc006436c43a4f2b

SHA512
8ae193b79f1861b54d2a26031b161bf9aa6929661871de0f2c1cd1db91c5384244332bafc72bea107045eb0b41d876053ce11f5ce70147832f1871816c641145

Download Submit
memory/668-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/668-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1228-29-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2780-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-1874-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-3334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download