fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe
Size

227KB
MD5

e44b50e764edadbefeefabd02d651c9d
SHA1

23a19c728f3833545ecd22d1a6621f39a9f8d2b9
SHA256

fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae
SHA512

24c9079e4a37b3c8f6e86fae272fb552ed6e4831c427b0c1b3f0d998e30c548466b5a5339dd91cde35a8005267e1de1e457e960b3eedf18ff57047059486ffc1
SSDEEP

3072:p/kuJVLUdeKzC/lzMPySe8DnpeIPipoHbKvXWXz9LRnsaJUS+6wPXD3fxNW7gq5n:yuJWdeKzC/leySe8AIqpoHbnDns1ND9m

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1908	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2788	Logo1_.exe
1624	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe

Loads dropped DLL 1 IoCs

pid	Process
1908	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	Logo1_.exe
File created	C:\Program Files\Windows Journal\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C10A79F8-2372-49E3-801D-73DDEB38AD5B}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe
File created	C:\Windows\Logo1_.exe	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe
2788	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1908	2844	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe	28
PID 2844 wrote to memory of 1908	2844	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe	28
PID 2844 wrote to memory of 1908	2844	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe	28
PID 2844 wrote to memory of 1908	2844	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe	28
PID 2844 wrote to memory of 2788	2844	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe	29
PID 2844 wrote to memory of 2788	2844	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe	29
PID 2844 wrote to memory of 2788	2844	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe	29
PID 2844 wrote to memory of 2788	2844	fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe	29
PID 2788 wrote to memory of 2072	2788	Logo1_.exe	30
PID 2788 wrote to memory of 2072	2788	Logo1_.exe	30
PID 2788 wrote to memory of 2072	2788	Logo1_.exe	30
PID 2788 wrote to memory of 2072	2788	Logo1_.exe	30
PID 2072 wrote to memory of 2076	2072	net.exe	33
PID 2072 wrote to memory of 2076	2072	net.exe	33
PID 2072 wrote to memory of 2076	2072	net.exe	33
PID 2072 wrote to memory of 2076	2072	net.exe	33
PID 1908 wrote to memory of 1624	1908	cmd.exe	34
PID 1908 wrote to memory of 1624	1908	cmd.exe	34
PID 1908 wrote to memory of 1624	1908	cmd.exe	34
PID 1908 wrote to memory of 1624	1908	cmd.exe	34
PID 2788 wrote to memory of 1116	2788	Logo1_.exe	20
PID 2788 wrote to memory of 1116	2788	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1116
- C:\Users\Admin\AppData\Local\Temp\fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe
  "C:\Users\Admin\AppData\Local\Temp\fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8A36.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe
      "C:\Users\Admin\AppData\Local\Temp\fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe"
      4⤵
      Executes dropped EXE
      PID:1624
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8A36.bat

Filesize
722B

MD5
6501e92853f5d3961a608534f150bd94

SHA1
20d839b615e0f589605def85363b62519394a446

SHA256
aff74342ba8723540186a4e617ceac1cd7d63a14d5d1ed6e97ca5df205844413

SHA512
c89d5cee338dda03d94cf8dfd230d1d2e081065041e2e802af049ff26134571485f18a4853861055d5b6c6ba5b40f8ebfd71db25f092107fbf5329c40be37f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fec54214beea7d09d0ccfaba712c320cb86bce6095e351d0d90787005c4dbeae.exe.exe

Filesize
198KB

MD5
e133c2d85cff4edd7fe8e8f0f8be6cdb

SHA1
b8269209ebb6fe44bc50dab35f97b0ae244701b4

SHA256
6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d

SHA512
701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
0a22c1ea4b867a82271e2173bbb7ccfb

SHA1
cae0f4ee49b426c3eefe5af8da008be2d09e2b6d

SHA256
e01d2dfa8289fb6d4483e18e8f3f8eecea75b783e401908c227f87078195eddf

SHA512
b940cb99532fb7830dcd6f6b52fd933ca1431b21b4233703c48013fb612246300029b725aecfcfae33879581d59e6f5f7c033db084c65e848c4b8b5c97cb2e77

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\_desktop.ini

Filesize
8B

MD5
646a1be8fae9210cfba53ee1aab14c96

SHA1
8677ff347131a9c8304f10b48012ebd8b075030c

SHA256
660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5

SHA512
812b716a422628d486a4c78c66a85c641f13976537fbd452e14fab9a6c440b442632df04de8437c485c9c8164e3b3499201d3dbe681b36fe6bec749df1ab75e4

Download Submit
memory/1116-29-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/2788-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-1873-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-3333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2844-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2844-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download