e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe
Size

893KB
MD5

7ec8a9f45d3bdc8d6a4f0136395bd07c
SHA1

937a00b209de16bd35061796899fac691058b88f
SHA256

e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52
SHA512

7d58b572067b57315f4d6cce88a6cad147a8a6b9e247356b0a2cec67f119b70eec0baeb25f5f82d4dde3867bfe6ff3b2ee40cf83b4e1b194684aa782c8cb8bd6
SSDEEP

12288:tQcDD6i1zuxxZWm+ljKWaladVakMl9TT1fLeH2e4TQnKoCRagc:Ky6i1zuxw7ljsarakkqt4jtwR

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2780	Logo1_.exe
2744	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe

Loads dropped DLL 1 IoCs

pid	Process
2776	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe
File created	C:\Windows\Logo1_.exe	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe
2780	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2776	1976	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe	30
PID 1976 wrote to memory of 2776	1976	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe	30
PID 1976 wrote to memory of 2776	1976	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe	30
PID 1976 wrote to memory of 2776	1976	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe	30
PID 1976 wrote to memory of 2780	1976	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe	31
PID 1976 wrote to memory of 2780	1976	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe	31
PID 1976 wrote to memory of 2780	1976	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe	31
PID 1976 wrote to memory of 2780	1976	e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe	31
PID 2780 wrote to memory of 2688	2780	Logo1_.exe	33
PID 2780 wrote to memory of 2688	2780	Logo1_.exe	33
PID 2780 wrote to memory of 2688	2780	Logo1_.exe	33
PID 2780 wrote to memory of 2688	2780	Logo1_.exe	33
PID 2776 wrote to memory of 2744	2776	cmd.exe	35
PID 2776 wrote to memory of 2744	2776	cmd.exe	35
PID 2776 wrote to memory of 2744	2776	cmd.exe	35
PID 2776 wrote to memory of 2744	2776	cmd.exe	35
PID 2688 wrote to memory of 2752	2688	net.exe	36
PID 2688 wrote to memory of 2752	2688	net.exe	36
PID 2688 wrote to memory of 2752	2688	net.exe	36
PID 2688 wrote to memory of 2752	2688	net.exe	36
PID 2780 wrote to memory of 1192	2780	Logo1_.exe	21
PID 2780 wrote to memory of 1192	2780	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe
  "C:\Users\Admin\AppData\Local\Temp\e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a703.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe
      "C:\Users\Admin\AppData\Local\Temp\e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe"
      4⤵
      Executes dropped EXE
      PID:2744
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
586340b58f02ffb1b754d46c776ecaa9

SHA1
d860ee44aedafb70befe321b936c5eba49dbdda3

SHA256
3f2a34592999a9ed095c898b45cb55f54712ed0486bda1f3bb54ae798516639b

SHA512
8c3b824fa1462406a81f60ffaa1ff8f517d3d0503e6653eee5b1d5f312ee0e13d2b9d2767f5b1f3f8644f28e5c40da1956a781551752c056332ed76ef62dbe58

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
c14a5111b798cff20d7d66b0e035d409

SHA1
29f0894552b30815fed6ad231b5721e876869552

SHA256
fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6

SHA512
a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a703.bat

Filesize
721B

MD5
64ec5bd1289809394a53a3c86b09646d

SHA1
134eacfe33b1fb63456e4e05cbbd559f45f68fec

SHA256
6d25d054ea54ed9bd267770040ddf4ebaeae8906c59e7c9a5caaf0c03f47eb53

SHA512
f6f34334a4a2defb9813a50becfd263e8da5e84753292c34c6799ac978063889347633aa39ce5e7bc70978d8ea0c018c16ec5208d208ba1e77478de83e1bb971

Download Submit
C:\Users\Admin\AppData\Local\Temp\e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe.exe

Filesize
864KB

MD5
36f5184e70e96529ee2273fd22e769d7

SHA1
0657d9d4eb0a2984ad472f2836af61f3108fef2c

SHA256
c6bf34306539cb5a72392a1d1299e1d90a52f3d1f074c9475732ca8354d048bf

SHA512
bab68dcc8f94722cec4ba4b3001754b767f8a9836f07e6aef0d6f3c82e0cd9a8aa073b4dd92df6b6039e800028fb508f97bfd8b1699c0656033245dc591aecc2

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
e204efa82c4df71160c451caec4787e5

SHA1
e56ddb6d0afdb9aa1bf4808765b25cf4a2fdc279

SHA256
4ff7272e95a79354eb6d72c784593bd6a0820fe9e512ff176a51fef8929b5bd9

SHA512
6ee14cc010de5b04eee707242a6f4471739cc62bf86a332d5c0e90f15a778fe2ef1d8e1bf7f86a603cbf00fa8e302c09f533f837f5d67f62743396074ed030c9

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\_desktop.ini

Filesize
9B

MD5
475984718232cf008bb73666d834f1f4

SHA1
12f23c9301c222f599a279e02a811d274d0f4abc

SHA256
a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5

SHA512
80235dc2560b7991d79f9550cdeca6ac02c00cee6bf186f8f20d4ff3fbd7718be937b73ab768d71c4027e153557b08bbfd95ea88d2e0857a7c70cf1da6fa9937

Download Submit
memory/1192-33-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1976-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1976-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-1877-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-3337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download