f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe
Size

364KB
MD5

fc323679eaf0d7a50240a359dc0029de
SHA1

04b24ac1cbb056ba2063ee29e16f574a706a94c6
SHA256

f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990
SHA512

dbd7e9ea05a7161c771e73a099e884e92dbaf4c16049e80d35afcfd956cae662a1b085a25ee6746e4bd39b3510779515c9b34f8965ea648cea7a4b83a02aae69
SSDEEP

6144:htuJPzU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:hmU66b5zhVymA/XSRh

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1064	Logo1_.exe
2836	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe

Loads dropped DLL 1 IoCs

pid	Process
2652	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe
File created	C:\Windows\Logo1_.exe	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1064	Logo1_.exe
1064	Logo1_.exe
1064	Logo1_.exe
1064	Logo1_.exe
1064	Logo1_.exe
1064	Logo1_.exe
1064	Logo1_.exe
1064	Logo1_.exe
1064	Logo1_.exe
1064	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2652	2468	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe	30
PID 2468 wrote to memory of 2652	2468	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe	30
PID 2468 wrote to memory of 2652	2468	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe	30
PID 2468 wrote to memory of 2652	2468	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe	30
PID 2468 wrote to memory of 1064	2468	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe	31
PID 2468 wrote to memory of 1064	2468	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe	31
PID 2468 wrote to memory of 1064	2468	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe	31
PID 2468 wrote to memory of 1064	2468	f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe	31
PID 1064 wrote to memory of 2760	1064	Logo1_.exe	32
PID 1064 wrote to memory of 2760	1064	Logo1_.exe	32
PID 1064 wrote to memory of 2760	1064	Logo1_.exe	32
PID 1064 wrote to memory of 2760	1064	Logo1_.exe	32
PID 2760 wrote to memory of 2844	2760	net.exe	35
PID 2760 wrote to memory of 2844	2760	net.exe	35
PID 2760 wrote to memory of 2844	2760	net.exe	35
PID 2760 wrote to memory of 2844	2760	net.exe	35
PID 2652 wrote to memory of 2836	2652	cmd.exe	36
PID 2652 wrote to memory of 2836	2652	cmd.exe	36
PID 2652 wrote to memory of 2836	2652	cmd.exe	36
PID 2652 wrote to memory of 2836	2652	cmd.exe	36
PID 1064 wrote to memory of 1196	1064	Logo1_.exe	21
PID 1064 wrote to memory of 1196	1064	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe
  "C:\Users\Admin\AppData\Local\Temp\f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2A0.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe
      "C:\Users\Admin\AppData\Local\Temp\f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe"
      4⤵
      Executes dropped EXE
      PID:2836
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
40429fbe4769cde892d72cde845b3df8

SHA1
f5c804acf1e4659b85010ca8926f2eee4ee4ae62

SHA256
00c3830d8357fbd8e92cd7e440a848424bf94a68784664dcf469707b448b42d6

SHA512
e774273101c90343328379a114ba7349fe532145b0beff7c62f0702ad762502b9823da3d2397c55a7040c80e42c2b5562a8021d3663c7621de05dba03cb2ef51

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a2A0.bat

Filesize
721B

MD5
5af6bb66dbab0f3a222601c4c78699fb

SHA1
d81172b32031505ae36b1d90a85f0e34de678d7b

SHA256
d3e99d82e1b913313009cc69238bcbc6cba8ed139dca6129b3f0171f7850afc3

SHA512
dd09d595855399931852beae65f00b72df13f255eca0989223aeab3a2bc10345edf49e59b22b579cb6a2672232ec9b59ccea1e39874304ec9c40b7e09213cd4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f15a9ad7011655e4f7584ddeb3ab96c46300ecc9a9a24414e68d8108a0a19990.exe.exe

Filesize
335KB

MD5
40ac62c087648ccc2c58dae066d34c98

SHA1
0e87efb6ddfe59e534ea9e829cad35be8563e5f7

SHA256
482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

SHA512
0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
b226da6f4c36e502246ef0a7f6d9c86b

SHA1
9e7bb57d3c069def52bae3b034214a32083ec35d

SHA256
3a265cb3b363600c261f4819044f2506dd9b57df1b23cd7ff5d25a9ae8291c27

SHA512
9e6d21a0a9c53ce95804fa5f312a9d11a3311763e84cbb0b6d10562adc204127ea232ee9c712c0ca0805f9b021c57f521220cd130cbe6301d473c29b8075cd09

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini

Filesize
10B

MD5
52a225cec34530c05c340f9ae894aa31

SHA1
d6553bc25b5bc40447184e9dd520dd7c88f5c2aa

SHA256
bddf98f152ff77575c277b91c8f7aa5f69973cd3bfe7aa55ebe61b7d3df17fab

SHA512
726f8a96e3dab9ec548bda81a01dc3e0d93afa2363c76c4bf639de4b0471f8a43a8e32e90b230b95639e82b7daa8da3e8d9c848755e2b58398aa48e46e5ba5b5

Download Submit
memory/1064-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-1873-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1064-3333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1196-29-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2468-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2468-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download