e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe
Size

227KB
MD5

946248cd1d289a02003624c2055c82a1
SHA1

85891dec89bce30220fd9672136e55ca3a59f479
SHA256

e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b
SHA512

481d822abaa566a0014e3f4490b28602ef127dc1c3b16a0a610ee3747e2b2b6cca403c09ee95bc26db0b2df299a5dbef0cc477c8a3a760dbd3b252bfc9434d06
SSDEEP

3072:pwrkuJVLUdeKzC/lzMPySe8DnpeIPipoHbKvXWXz9LRnsaJUS+6wPXD3fxNW7gq9:RuJWdeKzC/leySe8AIqpoHbnDns1ND9m

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1692	Logo1_.exe
2748	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe

Loads dropped DLL 1 IoCs

pid	Process
2564	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1036\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe
File created	C:\Windows\Logo1_.exe	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1692	Logo1_.exe
1692	Logo1_.exe
1692	Logo1_.exe
1692	Logo1_.exe
1692	Logo1_.exe
1692	Logo1_.exe
1692	Logo1_.exe
1692	Logo1_.exe
1692	Logo1_.exe
1692	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2564	2484	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe	30
PID 2484 wrote to memory of 2564	2484	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe	30
PID 2484 wrote to memory of 2564	2484	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe	30
PID 2484 wrote to memory of 2564	2484	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe	30
PID 2484 wrote to memory of 1692	2484	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe	32
PID 2484 wrote to memory of 1692	2484	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe	32
PID 2484 wrote to memory of 1692	2484	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe	32
PID 2484 wrote to memory of 1692	2484	e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe	32
PID 1692 wrote to memory of 2692	1692	Logo1_.exe	33
PID 1692 wrote to memory of 2692	1692	Logo1_.exe	33
PID 1692 wrote to memory of 2692	1692	Logo1_.exe	33
PID 1692 wrote to memory of 2692	1692	Logo1_.exe	33
PID 2564 wrote to memory of 2748	2564	cmd.exe	35
PID 2564 wrote to memory of 2748	2564	cmd.exe	35
PID 2564 wrote to memory of 2748	2564	cmd.exe	35
PID 2564 wrote to memory of 2748	2564	cmd.exe	35
PID 2692 wrote to memory of 2812	2692	net.exe	36
PID 2692 wrote to memory of 2812	2692	net.exe	36
PID 2692 wrote to memory of 2812	2692	net.exe	36
PID 2692 wrote to memory of 2812	2692	net.exe	36
PID 1692 wrote to memory of 1200	1692	Logo1_.exe	21
PID 1692 wrote to memory of 1200	1692	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe
  "C:\Users\Admin\AppData\Local\Temp\e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9B36.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe
      "C:\Users\Admin\AppData\Local\Temp\e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe"
      4⤵
      Executes dropped EXE
      PID:2748
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
bbcfaf53da8f61f12ef4971c82012725

SHA1
aeaa298203ea620123fd8c941fcbaae4eae509a0

SHA256
0638cc2e74c029520fec65c92bfce178b9355537bb383ba6f2d49d990ac9c803

SHA512
95cfca7806744accc9b4654cfb82458b7b482ac9842365fc0e4a069b6de20306f52d36bac66b2bade2f31815175d4a403ff230fc1918bf14301b3c361821a41e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9B36.bat

Filesize
722B

MD5
7697e42d21081ea299535f4b5a0e06af

SHA1
dd824ed2f6150d62642a7132cd03529980ef1617

SHA256
6b4cb87c3d19297711b4f68074515a1ce9849438cee0aa727fb45eacd2fbf5f0

SHA512
64503eb61241147e87eab744c797d8e2bf71146bd29baf59c58384918ec8cfb850d6992d180f8f1fd6284977d1997427ffcb3bf2385a04034de8cb0ec4e7216c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e240c0085fd6c93c870aa434817ebe52a67b38e858fc03e94f9dadb11c909f2b.exe.exe

Filesize
198KB

MD5
e133c2d85cff4edd7fe8e8f0f8be6cdb

SHA1
b8269209ebb6fe44bc50dab35f97b0ae244701b4

SHA256
6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d

SHA512
701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
152ab8f0455dd31f0e63fff4283ea17d

SHA1
5f111c77acb6bd29d15a4e2f868fdbee0db11a82

SHA256
67b0bce9f75235502f22de2d7db30e81189136ec614464ffdf7e8d2d33b87fae

SHA512
5226d1f11aa27c777f28a915d2073b1b864eeebacb97a51ed8dd81044f2d870e13b242722f23ea9643732ccd1c7f99ac1df4e237019c966d6d16179c2cf853ba

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\_desktop.ini

Filesize
10B

MD5
688d58fa5756a393f9472937ef284c25

SHA1
18ee07a5ee8de4fbd046763cd4a55ef2e6c3f808

SHA256
e21f27bdf2d90c77d75658b5217d5af4519a6c1bfc326a109eb4a085a2b83302

SHA512
c84930eb323c71ffc1edac543a2f60e366de40b39a88b18dba09c1272fae0b12262f4fae496bc9546598507fc37729d829f93b101bbec4739a05be33e0010a3f

Download Submit
memory/1200-31-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1692-279-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-1875-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-3335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2484-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2484-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2484-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2484-15-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download