09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571

Analysis

max time kernel
150s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe
Size

5.7MB
MD5

bb296f169ef49ab79f844946803d7e04
SHA1

81da30c7961aa43856f14c7c9b15acc7482a7b8f
SHA256

09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571
SHA512

0308d27c7e1d332c4c174ca694d85b361f22c110b6c25df929ba46fe444158eaf9bba49292954a21b8845aa24286fc381e999de2b05f1c1bcc94b10b1f628488
SSDEEP

49152:UPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:SKUgTH2M2m9UMpu1QfLczqssnKSk

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2980	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2984	Logo1_.exe
2660	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Uninstall Information\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Uninstall Information\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe
File created	C:\Windows\Logo1_.exe	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe
2984	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2980	2308	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe	30
PID 2308 wrote to memory of 2980	2308	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe	30
PID 2308 wrote to memory of 2980	2308	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe	30
PID 2308 wrote to memory of 2980	2308	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe	30
PID 2308 wrote to memory of 2984	2308	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe	31
PID 2308 wrote to memory of 2984	2308	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe	31
PID 2308 wrote to memory of 2984	2308	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe	31
PID 2308 wrote to memory of 2984	2308	09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe	31
PID 2984 wrote to memory of 2780	2984	Logo1_.exe	32
PID 2984 wrote to memory of 2780	2984	Logo1_.exe	32
PID 2984 wrote to memory of 2780	2984	Logo1_.exe	32
PID 2984 wrote to memory of 2780	2984	Logo1_.exe	32
PID 2780 wrote to memory of 2760	2780	net.exe	35
PID 2780 wrote to memory of 2760	2780	net.exe	35
PID 2780 wrote to memory of 2760	2780	net.exe	35
PID 2780 wrote to memory of 2760	2780	net.exe	35
PID 2984 wrote to memory of 1396	2984	Logo1_.exe	21
PID 2984 wrote to memory of 1396	2984	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe
  "C:\Users\Admin\AppData\Local\Temp\09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC726.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe
      "C:\Users\Admin\AppData\Local\Temp\09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe"
      4⤵
      Executes dropped EXE
      PID:2660
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
f06d75a1fd060cef8208838660818e47

SHA1
cf66579763d06767d07e4d0a704c2f60a64deacc

SHA256
e20f6e8ed02826c589c4cf389adb66e434e724f14047cc7b278cc93ea872de15

SHA512
55a2ec2ec681f363cb3e3b7dff90a10248154ecc715584373aa2fd507ea06b268e950f36f6f33e8983ea217bcb0f5d653d7a9387f18ea216275ef61e8130370b

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
c14a5111b798cff20d7d66b0e035d409

SHA1
29f0894552b30815fed6ad231b5721e876869552

SHA256
fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6

SHA512
a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC726.bat

Filesize
722B

MD5
c8d041642da60a5e7a528c393233dbe7

SHA1
b917ef9703723fc9e7e5a0eed36b9548ef69bbdb

SHA256
a506371837d94bfd4f4b1101e3f28956014d42e205ab54ba6ade31b08b8cd7fb

SHA512
10b6666d79fb7bc41b493f5506fc3baf47cf2cfe2baaa0e1cee5b2e879df47e8e5ffdca0e963d5c1d8c5b05ce8794d97c20b5cb981356bda1c9f383827c363ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\09f4aea859fcd827802f3afc7d1f7de44e8d50d492ecfa0a716bbf97d3365571.exe.exe

Filesize
5.7MB

MD5
ba18e99b3e17adb5b029eaebc457dd89

SHA1
ec0458f3c00d35b323f08d4e1cc2e72899429c38

SHA256
f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

SHA512
1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
5f500417e27332dda933d80a8f7be593

SHA1
23c1fc538d4e5455ffb5461a66b8fa8516a81e85

SHA256
c0f165f2d00b162fa29c228d26400bd4a3f9366be75f2cc694c01d1e2ef66880

SHA512
542225e692166efed900a4f689eb2c6a1d06acd25206cd498a86ee1915d21732ad06b4d0fab37cf9fdaa0d1b3e3b37e99ea2814fcdc3f9467f921d25ec68174e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\_desktop.ini

Filesize
9B

MD5
d06309e93519e57d5287c344a384f6ff

SHA1
b8133d94ab653f905fdcc69f5026a8ec14bedcc7

SHA256
726a2e0d850f5f79845806d92a8cf6c98eb6182ba5098c0aab2d21ac5d5b4e82

SHA512
73392bb20e7c7300e4f6bdd271890a4164dfc895ac091e80787b53c745e153e6417bf18c44fe378716b35252cd164a64d9dae7b538a89bce7d6cdbdd5b4608a1

Download Submit
memory/1396-29-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2308-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2308-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-559-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-1873-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-3333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download