Analysis
-
max time kernel
119s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20-01-2025 09:20
Static task
static1
Behavioral task
behavioral1
Sample
a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
Resource
win10v2004-20241007-en
General
-
Target
a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
-
Size
337KB
-
MD5
49d0eacdd73f421461da2c5529464d1c
-
SHA1
698449fbd9426a9e839493d4a1966f746e7d3e1e
-
SHA256
a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157
-
SHA512
20402c7a7b63d34e001757a9571ccc9b818603b44ad2077af2fea49e8b427032eae058f4f0e8f3747bba5205e3f78f90d57d655d69b00c23e7b3ef4215942edc
-
SSDEEP
6144:nVfjmNa3QxfAjg8CSFwq++b+s8snHA+ZwUKkfCSFwq++b+s8s:V7+ioX+b+sBngywEoX+b+sp
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2452 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process
2400 Logo1_.exe
2856 a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
-
Loads dropped DLL 1 IoCs
pid Process 2452 cmd.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\L: Logo1_.exe
File opened (read-only) \??\Y: Logo1_.exe
File opened (read-only) \??\X: Logo1_.exe
File opened (read-only) \??\T: Logo1_.exe
File opened (read-only) \??\R: Logo1_.exe
File opened (read-only) \??\M: Logo1_.exe
File opened (read-only) \??\U: Logo1_.exe
File opened (read-only) \??\K: Logo1_.exe
File opened (read-only) \??\J: Logo1_.exe
File opened (read-only) \??\E: Logo1_.exe
File opened (read-only) \??\I: Logo1_.exe
File opened (read-only) \??\H: Logo1_.exe
File opened (read-only) \??\W: Logo1_.exe
File opened (read-only) \??\V: Logo1_.exe
File opened (read-only) \??\Q: Logo1_.exe
File opened (read-only) \??\O: Logo1_.exe
File opened (read-only) \??\N: Logo1_.exe
File opened (read-only) \??\Z: Logo1_.exe
File opened (read-only) \??\S: Logo1_.exe
File opened (read-only) \??\P: Logo1_.exe
File opened (read-only) \??\G: Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Defender\fr-FR\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Mail\es-ES\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini Logo1_.exe
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_desktop.ini Logo1_.exe
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini Logo1_.exe
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini Logo1_.exe
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Microsoft Games\Solitaire\ja-JP\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Microsoft Games\FreeCell\it-IT\_desktop.ini Logo1_.exe
File created C:\Program Files\Mozilla Firefox\defaults\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini Logo1_.exe
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini Logo1_.exe
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini Logo1_.exe
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini Logo1_.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\Logo1_.exe a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
File opened for modification C:\Windows\rundl132.exe Logo1_.exe
File created C:\Windows\vDll.dll Logo1_.exe
File created C:\Windows\rundl132.exe a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process
2400 Logo1_.exe
2400 Logo1_.exe
2400 Logo1_.exe
2400 Logo1_.exe
2400 Logo1_.exe
2400 Logo1_.exe
2400 Logo1_.exe
2400 Logo1_.exe
2400 Logo1_.exe
2400 Logo1_.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target
PID 1720 wrote to memory of 2452 | 1720 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 30
PID 1720 wrote to memory of 2452 | 1720 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 30
PID 1720 wrote to memory of 2452 | 1720 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 30
PID 1720 wrote to memory of 2452 | 1720 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 30
PID 1720 wrote to memory of 2400 | 1720 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 32
PID 1720 wrote to memory of 2400 | 1720 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 32
PID 1720 wrote to memory of 2400 | 1720 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 32
PID 1720 wrote to memory of 2400 | 1720 | a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe | 32
PID 2400 wrote to memory of 2092 | 2400 | Logo1_.exe | 33
PID 2400 wrote to memory of 2092 | 2400 | Logo1_.exe | 33
PID 2400 wrote to memory of 2092 | 2400 | Logo1_.exe | 33
PID 2400 wrote to memory of 2092 | 2400 | Logo1_.exe | 33
PID 2092 wrote to memory of 1864 | 2092 | net.exe | 35
PID 2092 wrote to memory of 1864 | 2092 | net.exe | 35
PID 2092 wrote to memory of 1864 | 2092 | net.exe | 35
PID 2092 wrote to memory of 1864 | 2092 | net.exe | 35
PID 2452 wrote to memory of 2856 | 2452 | cmd.exe | 36
PID 2452 wrote to memory of 2856 | 2452 | cmd.exe | 36
PID 2452 wrote to memory of 2856 | 2452 | cmd.exe | 36
PID 2452 wrote to memory of 2856 | 2452 | cmd.exe | 36
PID 2400 wrote to memory of 1196 | 2400 | Logo1_.exe | 21
PID 2400 wrote to memory of 1196 | 2400 | Logo1_.exe | 21
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Level 1, PID:1196
  C:\Users\Admin\AppData\Local\Temp\a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe"
    Level 2
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1720
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9BF1.bat
      Level 3
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2452
      C:\Users\Admin\AppData\Local\Temp\a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe"
        Level 4
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID:2856
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Level 3
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:2400
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Level 4
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:2092
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Level 5
          - System Location Discovery: System Language Discovery
          PID:1864
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 722B
MD5 4a54ce9d39ec92ba999bce46afea44cc
SHA1 8e0cc059f27d0fb01cc3e31a1f24cc1036deb743
SHA256 cdaf75340adcc90407c5c4a724c5784a98fb3581b31074824070fce164902ac9
SHA512 b34c288bba113da19d4f7f7d3fd34c1343aedb34c5708f9a6bca7dd91c737714f28a8ca5086cbf87c67ee65841bad115fed38891bfacb7ca755ec373789982ff
-
C:\Users\Admin\AppData\Local\Temp\a4f6bac28ce905dcf1c5a4c3d07a1b5edc3c5a412db15463e9980c8223b37157.exe.exe
Filesize 311KB
MD5 4fb7bab8644e827b14185267102161af
SHA1 9621c1a86dbd7f9f80c5c4feddce60044224d097
SHA256 cf7d06ed150dafb79bd893c49398e6bcd4251989d638c15d9f4a19872f79e8da
SHA512 28c44808bd9c86aae4e98c8c7f115487adc14252448c2eb1ca2abd78cd368aa3223221e3a6fd60cc8586d6a36e0e80cfdf72eb97e7eb35a533d867156951e9f2
-
Filesize 26KB
MD5 2da5a57d1ba2ed4b46bc3c9817948557
SHA1 8b28792220f874e0abd68de5d946c3ae111f6abb
SHA256 e3c3821d97d831fe32ef85bf7e78b397eba5cd839568aeae330e28e702eb662f
SHA512 29940a2b80714d8f816a0d6b4f5d93cfb4aeae5e0303f6f06d5091a3e0dc405ae1a1def41ea5e2e709ed6c20d4f4fd8f1d9527ca6eb4eb6d6cf1bc5fce4a7e91
-
Filesize 9B
MD5 d04a2c5969edc73e31046150e6e48b05
SHA1 2785510be3ab399ade3b33d2f1318e76e81ae4e1
SHA256 7360d26161d1066f0ba367ee7abc4f1ba6dd99765f6eceb0babad6563fbfaf0b
SHA512 e1712b114dac60d616f9c01ea219d254103ee338c60fa991ab0b79f0ce2e7082b68e9b75226cf6f1702d8fdedb72f2e13631f0c7a263add00f726dcfa62ecdd9