b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 01:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe
Size

573KB
MD5

ddefc550defc29a5c9165b3f230d0bd5
SHA1

932fdabe416079feb2df28d4919eb49a9d2b4d55
SHA256

b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa
SHA512

9e28feb153c62b79a65b9cf80bb9b348fe577bcdeb26ba05c94bfcec7ce8cbcda8e0b65b0bdef32245d48bc19ec8ff3f7bb78030a528f222d154436d8d9daa28
SSDEEP

6144:cuJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:I7a3iwbihym2g7XO3LWUQfh4Co

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2196	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2184	Logo1_.exe
3032	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe
File created	C:\Windows\Logo1_.exe	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe
2184	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2196	948	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe	31
PID 948 wrote to memory of 2196	948	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe	31
PID 948 wrote to memory of 2196	948	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe	31
PID 948 wrote to memory of 2196	948	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe	31
PID 948 wrote to memory of 2184	948	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe	33
PID 948 wrote to memory of 2184	948	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe	33
PID 948 wrote to memory of 2184	948	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe	33
PID 948 wrote to memory of 2184	948	b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe	33
PID 2184 wrote to memory of 2740	2184	Logo1_.exe	34
PID 2184 wrote to memory of 2740	2184	Logo1_.exe	34
PID 2184 wrote to memory of 2740	2184	Logo1_.exe	34
PID 2184 wrote to memory of 2740	2184	Logo1_.exe	34
PID 2740 wrote to memory of 2824	2740	net.exe	36
PID 2740 wrote to memory of 2824	2740	net.exe	36
PID 2740 wrote to memory of 2824	2740	net.exe	36
PID 2740 wrote to memory of 2824	2740	net.exe	36
PID 2196 wrote to memory of 3032	2196	cmd.exe	37
PID 2196 wrote to memory of 3032	2196	cmd.exe	37
PID 2196 wrote to memory of 3032	2196	cmd.exe	37
PID 2196 wrote to memory of 3032	2196	cmd.exe	37
PID 2184 wrote to memory of 1392	2184	Logo1_.exe	21
PID 2184 wrote to memory of 1392	2184	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe
  "C:\Users\Admin\AppData\Local\Temp\b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEA20.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe
      "C:\Users\Admin\AppData\Local\Temp\b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe"
      4⤵
      Executes dropped EXE
      PID:3032
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
90ce7d7bbcb931da010a9570d0d6529b

SHA1
8430c9e40c3308ed6b68fe06206ddc8fe1f0682f

SHA256
5dc6799d3a8e98d4a04761df7bad18c6109983b86007b51e8f642dcd6695a5ac

SHA512
3af2fae3d58268c427db2e29436b8e7e10a08104e7b9c0b39ee5e11084a4df05d6c76be20157f6780b4f18573633d12670e0c7cab3e685203a6eaf3396b723ef

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
c00c10d640d17d701e266a6fcc683ec1

SHA1
fbd5b53c7f0e22f52d8201b738e9ec1cc7b953f3

SHA256
8626b01936d75fb83021910d1c8d27539fca7a6ca5e2fdc8a63808075674fcbf

SHA512
36162a1921eaaaf6bc9360e7cca63e909ec0a29d30019929787c5c07e80d73822f721c4af417609081c588b66d09035f968b86c0bc4348a86101e83f65e87db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEA20.bat

Filesize
722B

MD5
f74dcec8e46ad7be23ff4b0c1224bd52

SHA1
6d8adf7c3816a0afeef2d4d5849a89774aca833e

SHA256
30d6763579eb285bc563cf58cb01edc337110faaaf3045eb99b64b2c13a265eb

SHA512
b5dc126ea8f5e38c16e9fd4bc6f1005dcb4223d2c1a6b86c867bb41431baf7e65ff6d5f14e6b91f08f83ab53849a38b7b44d9fb252ca04fcffc2ebe84ee8cc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\b01021d07c1a21cc50ca0cf178c5d185794251e9b1bfb0698237984529c6fbfa.exe.exe

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
f387ffee851cb89909f398efad649424

SHA1
0e4943052ac21048b38c0dbdcc747b9bef7266e1

SHA256
a8e4748a903fdd6f8044c73ee7f47199b3fa95271904f01dcb2db9ceb800e2ee

SHA512
79f901a1424456a640e46f2bdb4e67ecef200a667fe7f179849779fe65efad697d90ecd6eba479e4ccfed82d957d0e12c94acbe3c8b980f80a6ae6ca7e84b431

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\_desktop.ini

Filesize
8B

MD5
646a1be8fae9210cfba53ee1aab14c96

SHA1
8677ff347131a9c8304f10b48012ebd8b075030c

SHA256
660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5

SHA512
812b716a422628d486a4c78c66a85c641f13976537fbd452e14fab9a6c440b442632df04de8437c485c9c8164e3b3499201d3dbe681b36fe6bec749df1ab75e4

Download Submit
memory/948-12-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/948-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/948-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/948-32-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1392-30-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/2184-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-1876-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-3336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download