320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe
Size

573KB
MD5

d11cac0363080a9ff695dda0a92750de
SHA1

ffb2e8e275168cc36e86e21c6295554bb7fc3b3d
SHA256

320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac
SHA512

4d441ac17fe8425d7eee4e9f214b6b57bc9d53f7756c4f5c0b344788979e50c41954a5165c12435c114309ab03c7030b1ce326216be89222a67849a56e5a19b3
SSDEEP

6144:SM2uJXYE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHk:SMf7a3iwbihym2g7XO3LWUQfh4Co

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1568	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
868	Logo1_.exe
2764	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe

Loads dropped DLL 1 IoCs

pid	Process
1568	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Uninstall Information\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe
File created	C:\Windows\Logo1_.exe	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
868	Logo1_.exe
868	Logo1_.exe
868	Logo1_.exe
868	Logo1_.exe
868	Logo1_.exe
868	Logo1_.exe
868	Logo1_.exe
868	Logo1_.exe
868	Logo1_.exe
868	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1568	3032	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe	31
PID 3032 wrote to memory of 1568	3032	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe	31
PID 3032 wrote to memory of 1568	3032	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe	31
PID 3032 wrote to memory of 1568	3032	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe	31
PID 3032 wrote to memory of 868	3032	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe	33
PID 3032 wrote to memory of 868	3032	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe	33
PID 3032 wrote to memory of 868	3032	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe	33
PID 3032 wrote to memory of 868	3032	320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe	33
PID 868 wrote to memory of 1728	868	Logo1_.exe	34
PID 868 wrote to memory of 1728	868	Logo1_.exe	34
PID 868 wrote to memory of 1728	868	Logo1_.exe	34
PID 868 wrote to memory of 1728	868	Logo1_.exe	34
PID 1728 wrote to memory of 2676	1728	net.exe	36
PID 1728 wrote to memory of 2676	1728	net.exe	36
PID 1728 wrote to memory of 2676	1728	net.exe	36
PID 1728 wrote to memory of 2676	1728	net.exe	36
PID 1568 wrote to memory of 2764	1568	cmd.exe	37
PID 1568 wrote to memory of 2764	1568	cmd.exe	37
PID 1568 wrote to memory of 2764	1568	cmd.exe	37
PID 1568 wrote to memory of 2764	1568	cmd.exe	37
PID 868 wrote to memory of 1184	868	Logo1_.exe	21
PID 868 wrote to memory of 1184	868	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe
  "C:\Users\Admin\AppData\Local\Temp\320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD115.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe
      "C:\Users\Admin\AppData\Local\Temp\320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe"
      4⤵
      Executes dropped EXE
      PID:2764
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
3e3adb8e4b50277e3335ca4f141b1a1d

SHA1
3cd90c89ef2fb5a4ad405148c80c5728054afd15

SHA256
1097364e543d3e1289d03ce19251f1f81e309753b78ebf7dba7bffa24293af1d

SHA512
4d084f4870debf8dfb992080cd500245cb9b775036f6f8d530ac18d91988dc855faf681f802c14fac2af3d55592d7639e3003a8ee05d9a623101f5a1e6fab9b7

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
a129ff6e8fb70f53efa3d7ffa661a6c7

SHA1
08cb3f944ac454c45fa7c5dc7b4f3baa676aa427

SHA256
c807165aee414ab50b72e5497f2bfa612636dc7d2596c2e947c0a2985dadeab5

SHA512
93c3a31b918d586c845dbadd7e40ffb991445ec21e9bfe57c375d772d41e35d090ffd6d96718e21f7bae4a760a3895c4584d21f0c71919a031d287ea5f407f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD115.bat

Filesize
722B

MD5
e9090d0e5afc8b30d12251b3e2451844

SHA1
40238ab7160d9529bbdf2642b98f6e86f59a53f1

SHA256
162f5b92efb606f40fcf95c44e36a8fc09a423f11afc0cc3380b1200693f3a65

SHA512
168258100487b65ff154192cc0e372139f98f17e2c741106585abfc7ab8da5cca39179b5c38eaa769c9ab7c4d7ea8323aad2a7f8d72755ca728adf5e96ed22ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\320e838a46df9f5f7d77d984b671e508c9b21c2e13d1ec85fb685e786be1d0ac.exe.exe

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
4fa81886de1e800c373f83420b798879

SHA1
c6170438839a40cae91a812654eec65390606075

SHA256
729027820403e4ad791f8862a49ee1a5d1d3eba33fc4e47894f12464baa53054

SHA512
81b907574a1a7699cfac7e131a4144b3aacc99f899f9a944c6c44034a6ae4d5288dacb5d164b3fd6ee3545077ec6aa7fbe5da9ff25d914cedeebbb8bbd55cd0b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\_desktop.ini

Filesize
9B

MD5
e92b0dcf7d27eb997606ca871d866c93

SHA1
69b76ef532ec922985b95329dbc5133f8d9fa994

SHA256
d0caa78610c77bb9fda1e6430ae7d9859d955dd9b19d26d12e409c8a39e24053

SHA512
8ea4006e99155f3821e05771cd80a7b2172078f77f2d1fe5daac4089809d94bad706d11a1af95ee3ea8d66959e65fe415dee8199ea7e1bf17d0b9f578cdb25ee

Download Submit
memory/868-253-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-1876-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-3336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1184-30-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/3032-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3032-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3032-18-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/3032-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download