1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
Size

1.3MB
MD5

a61cfc6c4c203311d43ab8b08cd3f087
SHA1

25133ed1bb80ccf9f17b60e09e14de6a79c7b1f2
SHA256

1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe
SHA512

66416012e51dce8be66150d0213c8edf5c51c3783cea4c0ee6443178aeaf445bf7d5ea82f83dd920b8e1b65a9dc4e20638ed1ce769913fda40b6cf592b43791c
SSDEEP

24576:M79OdZfkO6+EFFKBqM8C9uU0N4ryz4EAX6pipxX6:M79wEoUZ5N4rREAX64pxX6

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2940	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1804	Logo1_.exe
2756	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe

Loads dropped DLL 1 IoCs

pid	Process
2940	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe
1804	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2756	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
Token: SeDebugPrivilege	2756	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2940	2372	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	30
PID 2372 wrote to memory of 2940	2372	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	30
PID 2372 wrote to memory of 2940	2372	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	30
PID 2372 wrote to memory of 2940	2372	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	30
PID 2372 wrote to memory of 1804	2372	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	31
PID 2372 wrote to memory of 1804	2372	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	31
PID 2372 wrote to memory of 1804	2372	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	31
PID 2372 wrote to memory of 1804	2372	1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe	31
PID 1804 wrote to memory of 2008	1804	Logo1_.exe	33
PID 1804 wrote to memory of 2008	1804	Logo1_.exe	33
PID 1804 wrote to memory of 2008	1804	Logo1_.exe	33
PID 1804 wrote to memory of 2008	1804	Logo1_.exe	33
PID 2008 wrote to memory of 2204	2008	net.exe	35
PID 2008 wrote to memory of 2204	2008	net.exe	35
PID 2008 wrote to memory of 2204	2008	net.exe	35
PID 2008 wrote to memory of 2204	2008	net.exe	35
PID 2940 wrote to memory of 2756	2940	cmd.exe	36
PID 2940 wrote to memory of 2756	2940	cmd.exe	36
PID 2940 wrote to memory of 2756	2940	cmd.exe	36
PID 2940 wrote to memory of 2756	2940	cmd.exe	36
PID 1804 wrote to memory of 1208	1804	Logo1_.exe	21
PID 1804 wrote to memory of 1208	1804	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
  "C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC2A3.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe
      "C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2756
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
7dab2fc384f8d41ef8b41958df73002c

SHA1
fb7576215ba9b611262bfe3dab08cc6b0007153f

SHA256
e1d902c9c175cb6e8a43260aaebc414b63624a0d2009aa7fff03b6c4f8506668

SHA512
dd059b950d874eaa83408188f9095e0e20b05d1190e25cd32bc9abab46b2dfa18e481529a90f2faf41449fa6cbbbaafc024f482ca76d40a45037f717abae243b

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
28f6479e5c0b7a32e8ae773b9221a22a

SHA1
882e24734f4d42c4e0b95bb695c921ee66ae2042

SHA256
5ec41e0b29c00dd288859df2f583b0e771c11c01d8fd519fe2bd8921b3bed4f3

SHA512
d27c5c01bfe526652af0083bc17c4a3212fc00d594344b6a1a39999248623fba1ae14c79ec849c3567d1bf952cdf7e1e4fd5b22fde938227d89338529fb43685

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC2A3.bat

Filesize
722B

MD5
7c37f846757d91aa3e4df1ae7c695846

SHA1
dac99b0f201596b9f919042408ee81c1de51a9a0

SHA256
acf781cacc525c36016bdb5ad9a950c219da903ea9b3a67890d0703f3aa99ceb

SHA512
5bcb8eb4f29fe1457428a33113723320dd7549bc0b687c411614f24a4331e133ada919f7649a785cd0deb8ea07308a5973b378ea2df9a0fc51ed4f1c8cc409aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d5346b4c7cfc3f3ba126487e84063263462f2d35124f337afb766638fc2ccfe.exe.exe

Filesize
1.3MB

MD5
ce73e5b504434e95869a276c0b908a6e

SHA1
abadfe6f48fcbca375021b34bd7483bb6428b699

SHA256
6bf251b9615a53f84b2ecbd19f146b8b977aae3bc6a7abadfefe30eca6ec64e2

SHA512
395066d444ef8bdb9d6bfb56e729b75517855ec5e8ec123e2f0fd6d4994aa26b126dc5f6c733767880063c599d270c9e26499f2d41fd2eef9062127bbaffc2ad

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
dd889a3e0c7516d8e3ba89a8b6b98232

SHA1
5a7733c34782590a34e9931221cdf8654c3e465e

SHA256
21af4733e7b12937ef11a44607a9dbe649d6ab3af8b296eef08f0a42c4802f2f

SHA512
a9ce858ca0b5972bcdadf3bc06dd6fcc323cd0178dc2a24949f736b947832de0a629a7f63a171823377d49e391fc8beb5f0d9b73358ac931c8273d8e3cfbf266

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\_desktop.ini

Filesize
8B

MD5
646a1be8fae9210cfba53ee1aab14c96

SHA1
8677ff347131a9c8304f10b48012ebd8b075030c

SHA256
660d57a3dc71884e70a9cbd6ca26d02872f4706abeb098c6d35f6b217462edf5

SHA512
812b716a422628d486a4c78c66a85c641f13976537fbd452e14fab9a6c440b442632df04de8437c485c9c8164e3b3499201d3dbe681b36fe6bec749df1ab75e4

Download Submit
memory/1208-29-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1804-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-1874-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-3334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download