def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe
Size

154KB
MD5

337220ea92a2fd41266f444125d91a3b
SHA1

01472c82ac7ce0de27c816533810def6632d6636
SHA256

def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0
SHA512

57b8fd4a2bdefbfc5347abfbe9cfbb0a04847cceaa60ca3d3e2f912f437cd0546222602792ceba6c19b468679fc3793ffaedc18e0e9169e8f292987542f05eed
SSDEEP

3072:GYftffjmNjleQjpgqK0I4rV3Fxi9DiIeolE+:zVfjmNjnxVI4RVxieH+

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
572	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2932	Logo1_.exe
3016	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe

Loads dropped DLL 2 IoCs

pid	Process
572	cmd.exe
572	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Offline\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe
2932	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 572	1492	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe	29
PID 1492 wrote to memory of 572	1492	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe	29
PID 1492 wrote to memory of 572	1492	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe	29
PID 1492 wrote to memory of 572	1492	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe	29
PID 1492 wrote to memory of 2932	1492	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe	30
PID 1492 wrote to memory of 2932	1492	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe	30
PID 1492 wrote to memory of 2932	1492	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe	30
PID 1492 wrote to memory of 2932	1492	def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe	30
PID 2932 wrote to memory of 2872	2932	Logo1_.exe	31
PID 2932 wrote to memory of 2872	2932	Logo1_.exe	31
PID 2932 wrote to memory of 2872	2932	Logo1_.exe	31
PID 2932 wrote to memory of 2872	2932	Logo1_.exe	31
PID 2872 wrote to memory of 2868	2872	net.exe	34
PID 2872 wrote to memory of 2868	2872	net.exe	34
PID 2872 wrote to memory of 2868	2872	net.exe	34
PID 2872 wrote to memory of 2868	2872	net.exe	34
PID 572 wrote to memory of 3016	572	cmd.exe	35
PID 572 wrote to memory of 3016	572	cmd.exe	35
PID 572 wrote to memory of 3016	572	cmd.exe	35
PID 572 wrote to memory of 3016	572	cmd.exe	35
PID 2932 wrote to memory of 1264	2932	Logo1_.exe	20
PID 2932 wrote to memory of 1264	2932	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe
  "C:\Users\Admin\AppData\Local\Temp\def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aEC81.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe
      "C:\Users\Admin\AppData\Local\Temp\def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3016
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
a9722691468e94260db60952e9259574

SHA1
3a02b21e9e1803c5e373adb69a8be22da334d9a8

SHA256
06264408c50248dd56585f7115c0e5e449a8f1f6d6dec7a4479b4df8fea2deff

SHA512
f22f0912dcb333cd3fdd0ad7f6f7ec90f3cca108f8f20aab9680a9d705f84739db0034efa953a1c9aec062b90a0f87f5c5e1ca9ab1ee57d957fb1abb8f2ee580

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aEC81.bat

Filesize
722B

MD5
40e8d1568f3fbabb16e0ec092487efae

SHA1
ccdfd98bb6ecba1e19cb758a3ddb8e7375d866b2

SHA256
493a2745df3de52309b348b3f45166102cdf374b1c91cc4bdaf548923f638005

SHA512
3be513a572034b18e0ef76211725c060a12b1a336df8b5ac50ef01bbff39292195a98b36ae13513e066ca4f1925e0552a69904b777b12ad7efdbbec0a3410cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\def2d4632dcb0598c3041ce9831015c2ec0c0fba345e1bde510d7b20f9ee83e0.exe.exe

Filesize
128KB

MD5
fad151747d725ea6717d79882a98f620

SHA1
9ed2868f61162294e43374033ad299621c0cbfd1

SHA256
72c913358b4381dc9a0009489643f08d01b18b31c5e9a24b952e2ebf4e10f51e

SHA512
4d60d21147e5772e88d43bf5ce82ec4f2e6db27c62ac2239dd3bae394f4f03b1b12ef7d96ca01eeff5808e8c484cd55b16f05ad84414fa78ecf1da731479de8a

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
547146e45f74dfa927c1794fa1164a18

SHA1
294b6a028105b71d8c0c90d2af8df1c51ba90589

SHA256
681cc9e4d37a3773c1010d96e1cba5dcb2d6bf59194fe80a8e64363b7ff7c442

SHA512
f1627091ba355a017f07443aa9e362681420d38bdc32f8951407d55ca25c7f4c4a958e2295ce2d508d2ffd931526591c0014920f0f5421dbc1be65c3455b80cc

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\_desktop.ini

Filesize
10B

MD5
c010c0979cba897776a39e2e35bfc809

SHA1
7e0ccb8430720ad504bf2a9a297ca0e54cc54823

SHA256
98fea56fa777b850c509595156b95cad5645c6834f47288aed19a8828379a569

SHA512
6c398cd179ce726c1d376a6b7b08f1b7796319d3cb8f22378ba25b67aab6f58b0e2299286a08e070a9ff6c38ec72a80a7eab749b0f8f558592082de236260932

Download Submit
memory/572-31-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/572-29-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/1264-35-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1492-12-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1492-16-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1492-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-1881-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-3341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3016-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download