7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe
Size

713KB
MD5

0a020533b2e8e349f98cdbe6c3d60cf3
SHA1

330726d1d81d3bd75cef197108a2ca2fd05cc227
SHA256

7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144
SHA512

65bcb80bf1831710938236f95e3c50c7f0dbf38fa680bb916ebecb7d23c61d231d0647bd3acc9f665b4bd4434a7698c25687557053c46ebcaa8ae980ae22192c
SSDEEP

12288:yfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:uLOS2opPIXV

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2964	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1928	Logo1_.exe
3000	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe
1132	Explorer.EXE

Loads dropped DLL 3 IoCs

pid	Process
2964	cmd.exe
2964	cmd.exe
1132	Explorer.EXE

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am_ET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Portable Devices\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1928	Logo1_.exe
1928	Logo1_.exe
1928	Logo1_.exe
1928	Logo1_.exe
1928	Logo1_.exe
1928	Logo1_.exe
1928	Logo1_.exe
1928	Logo1_.exe
1928	Logo1_.exe
1928	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2964	2092	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe	30
PID 2092 wrote to memory of 2964	2092	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe	30
PID 2092 wrote to memory of 2964	2092	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe	30
PID 2092 wrote to memory of 2964	2092	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe	30
PID 2092 wrote to memory of 1928	2092	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe	31
PID 2092 wrote to memory of 1928	2092	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe	31
PID 2092 wrote to memory of 1928	2092	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe	31
PID 2092 wrote to memory of 1928	2092	7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe	31
PID 1928 wrote to memory of 2976	1928	Logo1_.exe	33
PID 1928 wrote to memory of 2976	1928	Logo1_.exe	33
PID 1928 wrote to memory of 2976	1928	Logo1_.exe	33
PID 1928 wrote to memory of 2976	1928	Logo1_.exe	33
PID 2964 wrote to memory of 3000	2964	cmd.exe	35
PID 2964 wrote to memory of 3000	2964	cmd.exe	35
PID 2964 wrote to memory of 3000	2964	cmd.exe	35
PID 2964 wrote to memory of 3000	2964	cmd.exe	35
PID 2976 wrote to memory of 2688	2976	net.exe	36
PID 2976 wrote to memory of 2688	2976	net.exe	36
PID 2976 wrote to memory of 2688	2976	net.exe	36
PID 2976 wrote to memory of 2688	2976	net.exe	36
PID 1928 wrote to memory of 1132	1928	Logo1_.exe	20
PID 1928 wrote to memory of 1132	1928	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132
- C:\Users\Admin\AppData\Local\Temp\7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe
  "C:\Users\Admin\AppData\Local\Temp\7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC726.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe
      "C:\Users\Admin\AppData\Local\Temp\7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe"
      4⤵
      Executes dropped EXE
      PID:3000
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
f5739d3c242559b8b954e3b85400aff1

SHA1
14d23504d32fa1c90837643236cea39781d9bfb8

SHA256
8ee372b9472575734df482bc4f7e1299cc086e610f9ea01f9f1bf6fe0026dc6d

SHA512
664979c35a417f554fb05fc4a9c14b90fce36fd2fa04db29bd400aeb7eb9d29fd6d4195be13eb02a805795e98a62787daa1be8b11d388d36ab5c30eb55629364

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
39c5a9489ed322953eb7a6b19e76fd6e

SHA1
79cae6e0d91eb10b9f5d85eb553f2431eb80f4b2

SHA256
cc7d0e41e68d59ec4000817d4effabd46a1806fb2e1a56045d983015e79f4224

SHA512
8cf752bf542ff6ca99725f897e73457242486cb4698ae57a19966580a85be19b49775282dd3e3c67899d11e15c3ce213053220ee0a3bb6d35220405b56949004

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC726.bat

Filesize
722B

MD5
af3fb7bd3dc3f205e168ede65fcfc3f3

SHA1
1880ab7645033f3efcad6d412fd14aee75a2179a

SHA256
7e4ff1d9a4e1f5e553138fd637d06365b40ec1ea7ebd4a7474590f8fda8bc84a

SHA512
460e278761d036355255477b2c2e9901ff729ae27a225055678370697a0add1056c45466976b9eae46c95e6173bd252e783ef38ee4cd4a5b16f066c0ffc357f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c6993fffea16f2457529bae097db0dacedea6e7b5caf980953ae61b400b6144.exe.exe

Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
bda238d5a7c8c1f0f68de10c6c73ae42

SHA1
8080cc3d886bafb7c98f1535426ab5964a56333c

SHA256
c19ee12e82232625184c0161fdf481fe356b0284e8ab29df28cafd574df51aa7

SHA512
3ddb7762d5410561d5896a9a29298de4a7065a20059669def1ad9b3819276f83fe96b1ce0e1857a8f3ddfa0d8b03166ec3ebbebc950d34edf5d21881f6635bba

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\_desktop.ini

Filesize
8B

MD5
24cfb7e9169e3ecbcdf34395dff5aed0

SHA1
64061d8b0afd788fb3d2990e90e61f14010896dd

SHA256
e11477f26e6139dabba6ad5dab927732c6a3785db78f82194ad7ae20323c6578

SHA512
a315d4ab14f15f8df115e35134f0a1eff8018b0c35c5a0283928f2d3f3014215d683973b9aeba1bc74c49437cc929ea4e2fb847b4305da6d5abca235c750e299

Download Submit
memory/1132-33-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/1928-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-102-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-1878-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-3338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2092-12-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2092-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2092-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download