de87d0961d3c0f970736fd81fa110aab1ee71261de1c779f87b6f77d4f4e48c9

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b0634ca5fa9ee590e14d1553f4dece0N.exe
Size

220KB
MD5

6b0634ca5fa9ee590e14d1553f4dece0
SHA1

9cf869e4e0052f3c225d25426f5e8e1d7660d146
SHA256

de87d0961d3c0f970736fd81fa110aab1ee71261de1c779f87b6f77d4f4e48c9
SHA512

517019133fb887f679a56bbcc2ccdbb78b1e243c7ca458ef0b3a30fe67b6b9cf30bac41fcb0126e732ded794a6812e8ea93636664fd012c64a20c076cca22553
SSDEEP

3072:prkuJVL+9b8jd0XQhAZpl3FccYstwZzk/RM/YmiLT5KbcRy2u8oFy2uwM91JKZWm:iuJTbzsCcjZ9u8oFy2uwM9bKfpl/4

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2712	Logo1_.exe
2440	6b0634ca5fa9ee590e14d1553f4dece0N.exe

Loads dropped DLL 1 IoCs

pid	Process
2696	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	6b0634ca5fa9ee590e14d1553f4dece0N.exe
File created	C:\Windows\Logo1_.exe	6b0634ca5fa9ee590e14d1553f4dece0N.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b0634ca5fa9ee590e14d1553f4dece0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2696	2980	6b0634ca5fa9ee590e14d1553f4dece0N.exe	30
PID 2980 wrote to memory of 2696	2980	6b0634ca5fa9ee590e14d1553f4dece0N.exe	30
PID 2980 wrote to memory of 2696	2980	6b0634ca5fa9ee590e14d1553f4dece0N.exe	30
PID 2980 wrote to memory of 2696	2980	6b0634ca5fa9ee590e14d1553f4dece0N.exe	30
PID 2980 wrote to memory of 2712	2980	6b0634ca5fa9ee590e14d1553f4dece0N.exe	31
PID 2980 wrote to memory of 2712	2980	6b0634ca5fa9ee590e14d1553f4dece0N.exe	31
PID 2980 wrote to memory of 2712	2980	6b0634ca5fa9ee590e14d1553f4dece0N.exe	31
PID 2980 wrote to memory of 2712	2980	6b0634ca5fa9ee590e14d1553f4dece0N.exe	31
PID 2712 wrote to memory of 2516	2712	Logo1_.exe	33
PID 2712 wrote to memory of 2516	2712	Logo1_.exe	33
PID 2712 wrote to memory of 2516	2712	Logo1_.exe	33
PID 2712 wrote to memory of 2516	2712	Logo1_.exe	33
PID 2516 wrote to memory of 2824	2516	net.exe	35
PID 2516 wrote to memory of 2824	2516	net.exe	35
PID 2516 wrote to memory of 2824	2516	net.exe	35
PID 2516 wrote to memory of 2824	2516	net.exe	35
PID 2696 wrote to memory of 2440	2696	cmd.exe	36
PID 2696 wrote to memory of 2440	2696	cmd.exe	36
PID 2696 wrote to memory of 2440	2696	cmd.exe	36
PID 2696 wrote to memory of 2440	2696	cmd.exe	36
PID 2712 wrote to memory of 1196	2712	Logo1_.exe	21
PID 2712 wrote to memory of 1196	2712	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\6b0634ca5fa9ee590e14d1553f4dece0N.exe
  "C:\Users\Admin\AppData\Local\Temp\6b0634ca5fa9ee590e14d1553f4dece0N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF69E.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\6b0634ca5fa9ee590e14d1553f4dece0N.exe
      "C:\Users\Admin\AppData\Local\Temp\6b0634ca5fa9ee590e14d1553f4dece0N.exe"
      4⤵
      Executes dropped EXE
      PID:2440
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aF69E.bat

Filesize
536B

MD5
a00041c33e493d4400e7662de4926e2d

SHA1
51dad56d6f632823e6420ec3cd5ce1e9cafc0b4e

SHA256
04b0bc6a0c0cf51556633a48d30bc881f9c94477cdc40bd0e0fc690f4ee954f7

SHA512
ad1bfd8008e9a5be5f4df35b73bbcad959f303186045ef89a3110a642496cc8c8f92c30d58295b600b3924643954bd5e96f826c55876ad0a27246dbb443b224d

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
545842cf20bce8c8aeb87acfb6035d25

SHA1
a8b19b835371050de872bebdab069b96f92d01a2

SHA256
fc0f929a64e8c9657111afac8350715186363d5763372d9fe32f2de8b71985a3

SHA512
22c6372241b7ca283138eb8ff0bf6c526f8f9123eb15618a34b70915fa9a2a84db7988a8a9de6d1da642e0e4d1e4e34ce9c0a24bdf774e138b97ea89a943c40e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\_desktop.ini

Filesize
8B

MD5
7381b93926089f5aafe539224a3a9d78

SHA1
48a09dd6852ad21d2ce840014f5649990a9c2994

SHA256
79332167105afd665185cb842c383fc13d55ad671d7ba28458f9440712e046fe

SHA512
a5c5f9b4de3ce391f778d3aa9a3963870fa85c9363d593666737f255ca198a6412c6ff8c61bf235201abec5160656f9fc226504dc37c6b48b20e3f362939c17a

Download Submit
\Users\Admin\AppData\Local\Temp\6b0634ca5fa9ee590e14d1553f4dece0N.exe

Filesize
191KB

MD5
0f0bb44b608c7c7cff80b4408adbf0bc

SHA1
d6c194aa6be52b09b924d10a08a30e34f55cfa09

SHA256
2dde88676caf4eb7bb65eeee773dacd0d25f7308a7888e276eb2548db1505132

SHA512
367fbfd1af4c4293a592b159d9da653ae56af489fd5c7f9e446daa9cdb2c8540b9aca0cf90a2af3ec6455f14f6bc47edc05d29baf6c8061fac6d835c30d58f80

Download Submit
memory/1196-34-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2440-38-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

Filesize
4KB

Download
memory/2440-31-0x00000000000A0000-0x00000000000D8000-memory.dmp

Filesize
224KB

Download
memory/2440-30-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

Filesize
4KB

Download
memory/2440-32-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/2440-40-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-937-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2712-1882-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-12-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/2980-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2980-17-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download