001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
Size

81KB
MD5

0f8761ddc154cdfc675bfcf28967fe7b
SHA1

3880a7becdb7a0e30fd29d4e0c4923a3261ec55b
SHA256

001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39
SHA512

3a14fc70e5919b7b766a96fdd8553833a0e1003f05009353d50befa0a3755a3505856c4ec94a7d7f5a24cf34b6da3e1d432472eb3744a0bb72982960204b0e78
SSDEEP

1536:OClfgLdQAQfcfymN7H5UX/40gLVNQdwocztTRttqaNB47HxbG:pftffjmN7ZUA3adQ9tfNB4I

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1240	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2092	Logo1_.exe
2828	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe

Loads dropped DLL 1 IoCs

pid	Process
1240	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
File created	C:\Windows\Logo1_.exe	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2092	Logo1_.exe
2092	Logo1_.exe
2092	Logo1_.exe
2092	Logo1_.exe
2092	Logo1_.exe
2092	Logo1_.exe
2092	Logo1_.exe
2092	Logo1_.exe
2092	Logo1_.exe
2092	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1240	2268	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe	30
PID 2268 wrote to memory of 1240	2268	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe	30
PID 2268 wrote to memory of 1240	2268	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe	30
PID 2268 wrote to memory of 1240	2268	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe	30
PID 2268 wrote to memory of 2092	2268	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe	31
PID 2268 wrote to memory of 2092	2268	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe	31
PID 2268 wrote to memory of 2092	2268	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe	31
PID 2268 wrote to memory of 2092	2268	001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe	31
PID 2092 wrote to memory of 2188	2092	Logo1_.exe	33
PID 2092 wrote to memory of 2188	2092	Logo1_.exe	33
PID 2092 wrote to memory of 2188	2092	Logo1_.exe	33
PID 2092 wrote to memory of 2188	2092	Logo1_.exe	33
PID 2188 wrote to memory of 2816	2188	net.exe	35
PID 2188 wrote to memory of 2816	2188	net.exe	35
PID 2188 wrote to memory of 2816	2188	net.exe	35
PID 2188 wrote to memory of 2816	2188	net.exe	35
PID 1240 wrote to memory of 2828	1240	cmd.exe	36
PID 1240 wrote to memory of 2828	1240	cmd.exe	36
PID 1240 wrote to memory of 2828	1240	cmd.exe	36
PID 1240 wrote to memory of 2828	1240	cmd.exe	36
PID 2092 wrote to memory of 1112	2092	Logo1_.exe	20
PID 2092 wrote to memory of 1112	2092	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
  "C:\Users\Admin\AppData\Local\Temp\001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9CAD.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe
      "C:\Users\Admin\AppData\Local\Temp\001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe"
      4⤵
      Executes dropped EXE
      PID:2828
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
091638a1d09cdb5be93c525ba048bb17

SHA1
3025cea2e4807915709a30c5f319f52a16075e92

SHA256
6ff715876c6a707b356a1f0ff557c04aa7a909b7e19d5dc933bc108090e9a46d

SHA512
65425fb477a7284a940a647aa7a4464484b371f61f2751bd6dbcaec16d130c710ebed4b20a31e28a96b1a077ed09f3a4e64e9a0c18d836424137f728c336245b

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9CAD.bat

Filesize
722B

MD5
dcc6bbe18a7cb7ec58fb460e8ccf8550

SHA1
b9d55da892054c4d6a91ca51853be9415674801e

SHA256
25b606e59a91a2aba7468f76b970d1f6c6441894af1fa763f1d9c8d8d88ce61b

SHA512
6d029525d4516bc8417bf2511cac2328a5a799054c05da3beae593e343b43691fc6443f685b5e219085278ad78eee02207fe99c86a1b97be6d19b107f96d467c

Download Submit
C:\Users\Admin\AppData\Local\Temp\001b217cb1bccf97d747408ffe401505c66d93b5d5ecc1900618a71a152b3b39.exe.exe

Filesize
54KB

MD5
6eb87bdfacf08d072ec1833f6b01ec80

SHA1
bd7431be47845645512fbc3f24a1f00e4e5dfa80

SHA256
cfd622d55dd921cb298359d116f72bceb0685359fe48537ffb07406468d2effc

SHA512
f13d8f26ec03367b0c38c7098793aed9fb7ff0bf156994ab4d6aa917cf40ee7eb300c3a6eb9a10252782cca1213f600466fed003a7f29f555d9ce04ac5a2f193

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
7f68a170ba8add175821c75ea4de3ca9

SHA1
a81b90bcd8961d2d9bc063273298602eadabce97

SHA256
e4da26a8d7b275a600e6ff79cd190bb880472b10a2969efc2949085875184518

SHA512
9e5248be09a6e13c0cf5e6baded7e40fa6a880964a22c489c02607dda14cf92d3f5441ed9e884aa55648ca96fca7d9b65a29c74088615b955780143e151cf7f7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini

Filesize
10B

MD5
291aa08828faa68893c7f89a0dfc158b

SHA1
fcae3d190f0d8c14b44dc2be0b627b0680d2eab9

SHA256
f9e79f635e09441b5a073e6263a1d1de881c2105d7637650b5ec2d20f6a7c841

SHA512
9c80a5e3e37731eb0eba85b496e512dbfe08c77c207bcb41ad429d289e3d348e8e7b83ef00052c445581df37aa60729a4f0c2dd3ed0ed2e5d05a8758a23f1f38

Download Submit
memory/1112-29-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2092-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-1873-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-3333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download