84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
Size

393KB
MD5

bcd56d78f173fb0724699444a7429dec
SHA1

2b45440e17f73e6162c4374bd911c6a90d170541
SHA256

84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb
SHA512

d2fb3034d01b702463e0d4ca9d187cb0a24843f7ad506718dd9f8e0eeeaab5e1f5db82f5ab88f06fa1ef403b41bbb1d226276288ec69e9565a00d9c116cb36ec
SSDEEP

6144:fuJOnDXYQ/BWJjmpgtBZQZKQj8p3jyb7HREd4SZ1tzLbF:NDXYJmSTZwYp32bY4qtDF

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2616	Logo1_.exe
2828	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe

Loads dropped DLL 1 IoCs

pid	Process
2612	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Install\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe
2616	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2612	2656	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe	30
PID 2656 wrote to memory of 2612	2656	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe	30
PID 2656 wrote to memory of 2612	2656	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe	30
PID 2656 wrote to memory of 2612	2656	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe	30
PID 2656 wrote to memory of 2616	2656	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe	31
PID 2656 wrote to memory of 2616	2656	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe	31
PID 2656 wrote to memory of 2616	2656	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe	31
PID 2656 wrote to memory of 2616	2656	84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe	31
PID 2616 wrote to memory of 2936	2616	Logo1_.exe	32
PID 2616 wrote to memory of 2936	2616	Logo1_.exe	32
PID 2616 wrote to memory of 2936	2616	Logo1_.exe	32
PID 2616 wrote to memory of 2936	2616	Logo1_.exe	32
PID 2936 wrote to memory of 2584	2936	net.exe	35
PID 2936 wrote to memory of 2584	2936	net.exe	35
PID 2936 wrote to memory of 2584	2936	net.exe	35
PID 2936 wrote to memory of 2584	2936	net.exe	35
PID 2612 wrote to memory of 2828	2612	cmd.exe	36
PID 2612 wrote to memory of 2828	2612	cmd.exe	36
PID 2612 wrote to memory of 2828	2612	cmd.exe	36
PID 2612 wrote to memory of 2828	2612	cmd.exe	36
PID 2616 wrote to memory of 1184	2616	Logo1_.exe	21
PID 2616 wrote to memory of 1184	2616	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
  "C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4D46.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
      "C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe"
      4⤵
      Executes dropped EXE
      PID:2828
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
3ca1bf22fc4c86f1ffd00a866ab6ff39

SHA1
059063c11ade4cafeb9eea49592aa4a049ee9269

SHA256
1123254ef1434c7002e054e89afbbb5a47cba9aff92916c03203e3dff7704220

SHA512
5ff6e33ff4e45571b0684ddc95e4ffaf8260151b2fcd2ae9be2bd72be27ee8e8364e2185e1df5f1019e9d9d937b757bcd538483ca12d0eca6cc7f36bd88d81b0

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4D46.bat

Filesize
722B

MD5
b73dae8052d24a9873bf1820033110c0

SHA1
fa36683e4fb65d728f10f5d15d536f4c0e5754ed

SHA256
8c921e272d7706b703e30715ffddf361eab96802b329b283ecaf35d3a9d255a6

SHA512
1e2fd5692126933b888844596ed0412001e082bde40e64dfb200553ad6fead18cd76cb65664f53baf9ed62a7b4f160be6f63584ee16b768385de21038ed3e6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe.exe

Filesize
364KB

MD5
213eeb5e8f54231f68e5b26a0fc81bd1

SHA1
1bc31a42536eacbb57d1cd92ec4b5524a82264d2

SHA256
b309045509efc205eb35d6037d64640093fde6c54ec5934e329b447417005a50

SHA512
ce35c5f453126c98329df141f821c55692f9252549c76921c231d8170df356cda1689e636758519c0b6898f11b5c836cdb4967d296b99f915e4d1980470a083b

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
8e134732e471b77cbaecf5d11f8d6949

SHA1
62db8b6ef2f8ff0893f692fd3fd36d704fc43c67

SHA256
0f65cfb0d4c3fda3b0c30629eee04caa0341dcb465a585c07f9f43652bd9bc71

SHA512
30e7ebf198886879a59515016dbc5c752594b18e27de067871a17dacdb478cfc02327e77e8a699c292fa8620c7ca4af230d37d76ed92621c3807c882ba42f6bc

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\_desktop.ini

Filesize
9B

MD5
475984718232cf008bb73666d834f1f4

SHA1
12f23c9301c222f599a279e02a811d274d0f4abc

SHA256
a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5

SHA512
80235dc2560b7991d79f9550cdeca6ac02c00cee6bf186f8f20d4ff3fbd7718be937b73ab768d71c4027e153557b08bbfd95ea88d2e0857a7c70cf1da6fa9937

Download Submit
memory/1184-29-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2616-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-1874-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-3334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download