82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe
Size

713KB
MD5

9c70c3ea1d80d91ffcb4535e9bb257a6
SHA1

13d65196a5f6920ee523be184a9f38ab5879089f
SHA256

82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e
SHA512

f8c5fab4a556249dd082d679aaa89f2f29e243836201a0b3824005518f776984d0905484a062e177ffd2d3480074c50ff5773a1c3d5cee525586789b02ab40fe
SSDEEP

12288:ZfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:5LOS2opPIXV

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1796	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2108	Logo1_.exe
2944	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe
1196	Explorer.EXE

Loads dropped DLL 2 IoCs

pid	Process
1796	cmd.exe
1796	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2108	Logo1_.exe
2108	Logo1_.exe
2108	Logo1_.exe
2108	Logo1_.exe
2108	Logo1_.exe
2108	Logo1_.exe
2108	Logo1_.exe
2108	Logo1_.exe
2108	Logo1_.exe
2108	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1796	1720	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe	30
PID 1720 wrote to memory of 1796	1720	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe	30
PID 1720 wrote to memory of 1796	1720	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe	30
PID 1720 wrote to memory of 1796	1720	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe	30
PID 1720 wrote to memory of 2108	1720	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe	32
PID 1720 wrote to memory of 2108	1720	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe	32
PID 1720 wrote to memory of 2108	1720	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe	32
PID 1720 wrote to memory of 2108	1720	82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe	32
PID 2108 wrote to memory of 2876	2108	Logo1_.exe	33
PID 2108 wrote to memory of 2876	2108	Logo1_.exe	33
PID 2108 wrote to memory of 2876	2108	Logo1_.exe	33
PID 2108 wrote to memory of 2876	2108	Logo1_.exe	33
PID 2876 wrote to memory of 2832	2876	net.exe	35
PID 2876 wrote to memory of 2832	2876	net.exe	35
PID 2876 wrote to memory of 2832	2876	net.exe	35
PID 2876 wrote to memory of 2832	2876	net.exe	35
PID 1796 wrote to memory of 2944	1796	cmd.exe	36
PID 1796 wrote to memory of 2944	1796	cmd.exe	36
PID 1796 wrote to memory of 2944	1796	cmd.exe	36
PID 1796 wrote to memory of 2944	1796	cmd.exe	36
PID 2108 wrote to memory of 1196	2108	Logo1_.exe	21
PID 2108 wrote to memory of 1196	2108	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1196
- C:\Users\Admin\AppData\Local\Temp\82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe
  "C:\Users\Admin\AppData\Local\Temp\82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBCD9.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe
      "C:\Users\Admin\AppData\Local\Temp\82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe"
      4⤵
      Executes dropped EXE
      PID:2944
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
bbcfaf53da8f61f12ef4971c82012725

SHA1
aeaa298203ea620123fd8c941fcbaae4eae509a0

SHA256
0638cc2e74c029520fec65c92bfce178b9355537bb383ba6f2d49d990ac9c803

SHA512
95cfca7806744accc9b4654cfb82458b7b482ac9842365fc0e4a069b6de20306f52d36bac66b2bade2f31815175d4a403ff230fc1918bf14301b3c361821a41e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBCD9.bat

Filesize
722B

MD5
e3016dc5ccb7d13ba54a362c67b12447

SHA1
afe2fb3a62dfc4e5a7612ed684c3e4f81bc17407

SHA256
6db80e76ea747acd09e9b1486f633c41167c881321d2d57397157864f442fd03

SHA512
8a3db1b13c2e13a545ba10b8342f1b8032da70792277f2e93c0484a1459581c776d77881d04dfa79199a69036f2600ce26aa0e94466a2bac1eaac674311027c1

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
152ab8f0455dd31f0e63fff4283ea17d

SHA1
5f111c77acb6bd29d15a4e2f868fdbee0db11a82

SHA256
67b0bce9f75235502f22de2d7db30e81189136ec614464ffdf7e8d2d33b87fae

SHA512
5226d1f11aa27c777f28a915d2073b1b864eeebacb97a51ed8dd81044f2d870e13b242722f23ea9643732ccd1c7f99ac1df4e237019c966d6d16179c2cf853ba

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1163522206-1469769407-485553996-1000\_desktop.ini

Filesize
10B

MD5
688d58fa5756a393f9472937ef284c25

SHA1
18ee07a5ee8de4fbd046763cd4a55ef2e6c3f808

SHA256
e21f27bdf2d90c77d75658b5217d5af4519a6c1bfc326a109eb4a085a2b83302

SHA512
c84930eb323c71ffc1edac543a2f60e366de40b39a88b18dba09c1272fae0b12262f4fae496bc9546598507fc37729d829f93b101bbec4739a05be33e0010a3f

Download Submit
\Users\Admin\AppData\Local\Temp\82808da20ad886aecc2a781de1f34e546fc2482f3e8f0a2394b7b8703781f35e.exe

Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
memory/1196-33-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1720-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1720-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1720-15-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/1720-17-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/2108-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-219-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-1877-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-3337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download