71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 19:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe
Size

210KB
MD5

d89a12d0d3ef80a4b6f5de80a0dacc41
SHA1

b3ee2093ef9c2bc882661ba567535b5821a03bd6
SHA256

71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683
SHA512

f1d96eab1fa870d3c5cfd16cae05832d405dddd847e95bb1e9d0906b02a74baaefc0f1af315677ac4ed4cbb5570bec0f41514aeda0a23bff6a24f11849102fa2
SSDEEP

3072:uftffjmNHMCCuhz3Fxpt+uv/1ZabfuoUQ:WVfjmNHMahz3b/+uv/DabfmQ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2648	Logo1_.exe
2560	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	cmd.exe
3004	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\Templates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe
File created	C:\Windows\Logo1_.exe	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe
2648	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3004	2784	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe	30
PID 2784 wrote to memory of 3004	2784	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe	30
PID 2784 wrote to memory of 3004	2784	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe	30
PID 2784 wrote to memory of 3004	2784	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe	30
PID 2784 wrote to memory of 2648	2784	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe	31
PID 2784 wrote to memory of 2648	2784	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe	31
PID 2784 wrote to memory of 2648	2784	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe	31
PID 2784 wrote to memory of 2648	2784	71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe	31
PID 2648 wrote to memory of 2820	2648	Logo1_.exe	32
PID 2648 wrote to memory of 2820	2648	Logo1_.exe	32
PID 2648 wrote to memory of 2820	2648	Logo1_.exe	32
PID 2648 wrote to memory of 2820	2648	Logo1_.exe	32
PID 2820 wrote to memory of 2524	2820	net.exe	35
PID 2820 wrote to memory of 2524	2820	net.exe	35
PID 2820 wrote to memory of 2524	2820	net.exe	35
PID 2820 wrote to memory of 2524	2820	net.exe	35
PID 3004 wrote to memory of 2560	3004	cmd.exe	36
PID 3004 wrote to memory of 2560	3004	cmd.exe	36
PID 3004 wrote to memory of 2560	3004	cmd.exe	36
PID 3004 wrote to memory of 2560	3004	cmd.exe	36
PID 2648 wrote to memory of 1344	2648	Logo1_.exe	21
PID 2648 wrote to memory of 1344	2648	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe
  "C:\Users\Admin\AppData\Local\Temp\71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3C16.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe
      "C:\Users\Admin\AppData\Local\Temp\71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe"
      4⤵
      Executes dropped EXE
      PID:2560
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
aba7cd5f472c07bb0cab3f9352028afa

SHA1
4ad95533e84c5f27bf770c489b113c2c18b95706

SHA256
67bececafd2ba8afeb83c259a7f61525ad7d6a9c0d56fea2fcf7bc0ab0331df6

SHA512
582edeff231a28f36375d096d6e81970a350ba48da3161a206edecb0717e55c0b7df997d6ca803c8ebff6ebb9d46186660c399c13ac4ca0271e3dc60a305e895

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3C16.bat

Filesize
722B

MD5
a0c98f78c5cc0d746f44d71dc0d67da9

SHA1
3676788bee5cba65dd01fefba6716716cf351727

SHA256
e79ab52dcea3b60e62a4c7205f249559176e4ce05cfa0020394c3a08e691156a

SHA512
12428bf3a40a48c14a4afcc2ddad870796e6c72d954ee3734b652d0cb536019bb471c6de797ff85b2d9ca5d8d2664badda96fb864307daf4377e6174f7e9e627

Download Submit
C:\Users\Admin\AppData\Local\Temp\71c03bb422ed2fd8c46f0739201d53bcd6eb146b733735d7d612a8acc3296683.exe.exe

Filesize
184KB

MD5
e343a9a2c3291890b1591c160889b103

SHA1
c26418cff3a60200e25a974595896b0f02888098

SHA256
22b022f15ccfeb49b55ae717ebfb6ba69cbb71ae84bf298cf3263f79a6a60ba6

SHA512
8e892cd41f13ccc696709a85797e5c771a7e3c27cda9c83f9bc69c2315fc11eaa0fca63ce14c20b27f841ade3da4a5cccb95b41c44eb39f80cc85aeafeb61d98

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
50615f5fa00456254ebb6d46ee731826

SHA1
ee1de52342c1a970585f579121d7b23623b31610

SHA256
75ccb5559089a9e466793392a5bf157c1cbe24cd2076612652f9faa33da69fb0

SHA512
4a88feb9c42f3e6736ae261309552ebd90bcc3d309d5bd0e918d1c261a6d5c8b41e86df2f01171d44c013f643860b91da4482f0efd1c4f5df5554c6668bd0ab2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\_desktop.ini

Filesize
9B

MD5
f74f4ac317419affe59fa4d389dd7e7c

SHA1
010f494382d5a64298702fe3732c9b96f438c653

SHA256
74fafb0f14fb17a8a4963d5f46fc50b3517e7aa13414ac5f42edfdf212a9bb01

SHA512
f82fea1632b97d2b6771f43a6941c84d7fbb86f4c4f69e9b4335aa0e166e2670f09d451da61b13cb16994b9294e99b1cfa27f2447579645b3886b7bd014cc00f

Download Submit
memory/1344-32-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2648-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-1876-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-3336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-12-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/2784-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-18-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download