9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe
Size

389KB
MD5

a186d26c400d713317cc74d2f9a5de55
SHA1

cfdfa9c81c20c50c747896781091cd0f06bfa26d
SHA256

9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6
SHA512

c9b42b90490256aed4c9eba4c8c5b26ed9750c517f56e9372add4e3217fde8de87e2e515835cfbcfe3a19d3afebd930f57a76d9ce778167a027c53e4b46cd527
SSDEEP

6144:wjuJ6P2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYF1moH2:w0ahVy41

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2776	Logo1_.exe
2508	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe

Loads dropped DLL 1 IoCs

pid	Process
2740	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Uninstall Information\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe
File created	C:\Windows\Logo1_.exe	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2776	Logo1_.exe
2776	Logo1_.exe
2776	Logo1_.exe
2776	Logo1_.exe
2776	Logo1_.exe
2776	Logo1_.exe
2776	Logo1_.exe
2776	Logo1_.exe
2776	Logo1_.exe
2776	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2740	2624	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe	30
PID 2624 wrote to memory of 2740	2624	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe	30
PID 2624 wrote to memory of 2740	2624	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe	30
PID 2624 wrote to memory of 2740	2624	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe	30
PID 2624 wrote to memory of 2776	2624	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe	31
PID 2624 wrote to memory of 2776	2624	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe	31
PID 2624 wrote to memory of 2776	2624	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe	31
PID 2624 wrote to memory of 2776	2624	9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe	31
PID 2776 wrote to memory of 2764	2776	Logo1_.exe	32
PID 2776 wrote to memory of 2764	2776	Logo1_.exe	32
PID 2776 wrote to memory of 2764	2776	Logo1_.exe	32
PID 2776 wrote to memory of 2764	2776	Logo1_.exe	32
PID 2764 wrote to memory of 2856	2764	net.exe	35
PID 2764 wrote to memory of 2856	2764	net.exe	35
PID 2764 wrote to memory of 2856	2764	net.exe	35
PID 2764 wrote to memory of 2856	2764	net.exe	35
PID 2740 wrote to memory of 2508	2740	cmd.exe	36
PID 2740 wrote to memory of 2508	2740	cmd.exe	36
PID 2740 wrote to memory of 2508	2740	cmd.exe	36
PID 2740 wrote to memory of 2508	2740	cmd.exe	36
PID 2776 wrote to memory of 1184	2776	Logo1_.exe	21
PID 2776 wrote to memory of 1184	2776	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe
  "C:\Users\Admin\AppData\Local\Temp\9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF74A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe
      "C:\Users\Admin\AppData\Local\Temp\9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe"
      4⤵
      Executes dropped EXE
      PID:2508
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
dddf3e9f38c5202e1c9df7449bf992d6

SHA1
61f0a36a10c2dba1b8b172af49057f4e0a927e88

SHA256
4b9446284e5a9ff5083b927d5d862d34eee399550913c325eb0338911d703576

SHA512
34831b8beae0e207d5db04bc98d9f83137e13461fea46831bf7648c92e2b6eab7392c8e34373fc1d561631ad4a8c174ef1a093384625c64ea8e05573b1d0eee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF74A.bat

Filesize
722B

MD5
d8340562863c940ae9027a36cbe4142b

SHA1
80d3d87860cfb5e60e68df3806aa9a79f3528c9e

SHA256
1e485d968958f232267476a77feb53ae91ef2072def2583c9abf4aec9b6494eb

SHA512
1df0b68f3b4b0972c8416041ce9bfdf7d860a51069439998f040dcec953d7a0f631315486bb7ebcc439b5467a629f6e7bc8c26edecb007be2c8905ac202a0c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9683f1b075e9d5b4710ef563ba4453a0f58aab8adf9ed215b8fb53c3b45922a6.exe.exe

Filesize
360KB

MD5
5fbd45261a2de3bb42f489e825a9a935

SHA1
ff388f6e9efe651ec62c4152c1739783e7899293

SHA256
9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

SHA512
7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
6ac428eef76d1945c3dc0031625da53b

SHA1
f2bd6e6e9fee3b344cf11b9c062f31dfe243a63f

SHA256
2c0a36a0fd028938bbeaf080613ae6118137d93bee054e208f4e328e5709ceb5

SHA512
4f13ca5c312d93d21938db31fc60560836db21fc9bc718ff15aa464cfe4e5cdea4ec14aeec3e06b161f41f9aef2e0458b320b828b25f2e27e54f44cb757fb9c5

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\_desktop.ini

Filesize
9B

MD5
cd0bf5c2efb8cc7ddbff2ab5d2cb7e87

SHA1
6830a1817f2055b6beba9063b87af16bbef7fa19

SHA256
d00701a279110fcafdaa6a9dcb36385845f9d2aac5b1ac1c52c015c61718dcbd

SHA512
6fabfd6bced63153d3dd6b376a92e824c95b15ef046607b89376a17c7ac863e92c95770ed86d8ecec3639d280dd6256a7ab1ec2d8119799fb3a479fbce96254a

Download Submit
memory/1184-29-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2624-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-348-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-1876-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2776-3336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download