Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 13:58

Static task: static1
Behavioral task: behavioral1
  Sample: 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe
  Resource: win10v2004-20240802-en
General
Target: 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe
Size: 70KB
MD5: 11732056cf19ddcfadb226f5da651e88
SHA1: 1b599cecceeac4bfb6c98ab8697884881a784c8a
SHA256: 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1
SHA512: 7ad89716c433460284de3c2c47e12053383614586b8d69e0accc710130b42a9edfdfaadbb03895571d052c2e192cf6dc68f28ddba638d3a01f6503433c32406a
SSDEEP: 1536:pmg3SHuJV9NdEToa9D4ZQKbgZi1dst7x9PxQ:pmgkuJVLtlZQKbgZi1St7xQ
Malware Config
Signatures
Deletes itself (1 IoC)
pid | Process
2360 | cmd.exe

Executes dropped EXE (2 IoCs)
pid | Process
2364 | Logo1_.exe
2848 | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe

Loads dropped DLL (1 IoC)
pid | Process
2360 | cmd.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\MSBuild\Microsoft\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre7\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre7\lib\applet\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\MSBuild\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | Logo1_.exe
File created | C:\Program Files\Microsoft Games\Hearts\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Mail\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini | Logo1_.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe
File created | C:\Windows\Logo1_.exe | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
2364 | Logo1_.exe
2364 | Logo1_.exe
2364 | Logo1_.exe
2364 | Logo1_.exe
2364 | Logo1_.exe
2364 | Logo1_.exe
2364 | Logo1_.exe
2364 | Logo1_.exe
2364 | Logo1_.exe
2364 | Logo1_.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 1224 wrote to memory of 2360 | 1224 | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe | 31
PID 1224 wrote to memory of 2360 | 1224 | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe | 31
PID 1224 wrote to memory of 2360 | 1224 | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe | 31
PID 1224 wrote to memory of 2360 | 1224 | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe | 31
PID 1224 wrote to memory of 2364 | 1224 | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe | 32
PID 1224 wrote to memory of 2364 | 1224 | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe | 32
PID 1224 wrote to memory of 2364 | 1224 | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe | 32
PID 1224 wrote to memory of 2364 | 1224 | 730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe | 32
PID 2364 wrote to memory of 1900 | 2364 | Logo1_.exe | 34
PID 2364 wrote to memory of 1900 | 2364 | Logo1_.exe | 34
PID 2364 wrote to memory of 1900 | 2364 | Logo1_.exe | 34
PID 2364 wrote to memory of 1900 | 2364 | Logo1_.exe | 34
PID 2360 wrote to memory of 2848 | 2360 | cmd.exe | 37
PID 2360 wrote to memory of 2848 | 2360 | cmd.exe | 37
PID 2360 wrote to memory of 2848 | 2360 | cmd.exe | 37
PID 2360 wrote to memory of 2848 | 2360 | cmd.exe | 37
PID 1900 wrote to memory of 2808 | 1900 | net.exe | 36
PID 1900 wrote to memory of 2808 | 1900 | net.exe | 36
PID 1900 wrote to memory of 2808 | 1900 | net.exe | 36
PID 1900 wrote to memory of 2808 | 1900 | net.exe | 36
PID 2364 wrote to memory of 1152 | 2364 | Logo1_.exe | 20
PID 2364 wrote to memory of 1152 | 2364 | Logo1_.exe | 20
Processes
* C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1152
  * C:\Users\Admin\AppData\Local\Temp\730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1224
    * C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE244.bat
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2360
      * C:\Users\Admin\AppData\Local\Temp\730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\730d3b6250d7af3df50eec5f1815e1381c0132559555e1cf351c0b690309a9a1.exe"
        - Executes dropped EXE
        PID: 2848
    * C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2364
      * C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1900
        * C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
          PID: 2808
Network
MITRE ATT&CK Enterprise v15
Downloads