36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60

Analysis

max time kernel
153s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe
Size

26KB
MD5

2d56a961d255da87aaf4362199cbc816
SHA1

5de3bd0a605e586754b8901f39b0b210f2ee6e21
SHA256

36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60
SHA512

50bd0773a1695278724fd7ef75321bb73114b92dc46c0feb1c172f2e549a4113fa9faef506788cf4c05a019a1d59cf1ceb3916f0b02bd7e9c09da37dcb34779b
SSDEEP

768:p41ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL/:AfgLdQAQfcfymNr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2640	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe
File created	C:\Windows\Logo1_.exe	36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2548	2016	36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe	28
PID 2016 wrote to memory of 2548	2016	36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe	28
PID 2016 wrote to memory of 2548	2016	36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe	28
PID 2016 wrote to memory of 2548	2016	36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe	28
PID 2016 wrote to memory of 2640	2016	36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe	30
PID 2016 wrote to memory of 2640	2016	36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe	30
PID 2016 wrote to memory of 2640	2016	36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe	30
PID 2016 wrote to memory of 2640	2016	36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe	30
PID 2640 wrote to memory of 2676	2640	Logo1_.exe	31
PID 2640 wrote to memory of 2676	2640	Logo1_.exe	31
PID 2640 wrote to memory of 2676	2640	Logo1_.exe	31
PID 2640 wrote to memory of 2676	2640	Logo1_.exe	31
PID 2676 wrote to memory of 2940	2676	net.exe	33
PID 2676 wrote to memory of 2940	2676	net.exe	33
PID 2676 wrote to memory of 2940	2676	net.exe	33
PID 2676 wrote to memory of 2940	2676	net.exe	33
PID 2640 wrote to memory of 1228	2640	Logo1_.exe	9
PID 2640 wrote to memory of 1228	2640	Logo1_.exe	9

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe
  "C:\Users\Admin\AppData\Local\Temp\36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8AA3.bat
    3⤵
    - Deletes itself
    PID:2548
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
d71c890d8041aa5f8fcc10e9278afc68

SHA1
26953285cf84630243be86b92fca3c387361f34f

SHA256
a84672808cd89a7a153ee2120799dd4d162be02fa136cc7d1fac501d1659a471

SHA512
194f42deb1a9401f6aa0c596d71707de465eddb86498040b64f9c94be5667b11f454d05d42ab03386a359e39405dbe15a4f475eb7057e85760800b0c8b86ba49

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8AA3.bat

Filesize
722B

MD5
afe3495aed291c4016b40009478c53a4

SHA1
55a63e46e4c3d63e4697cf6c60ecf7e77687e873

SHA256
87bb23ecd1ba6aa20f1b6d7ec8b73595a35019be3a146ade32d9620cfb26cea6

SHA512
8862ff7898cdf7b9813223421022dcee14109be219185be32d78a1c8da165fca6ed37673af7cf34d77dcb89b705f8aabc6f6acdc47277a24cda6421a0b18c258

Download Submit
C:\Users\Admin\AppData\Local\Temp\36aff1db391ee697897996c69ccdc1a76c9d27f16b62378b2ec9671caa703c60.exe.exe

Filesize
25B

MD5
fd52a26cc53d5dfce3bfaf0aca96d85a

SHA1
295cb026b9fc87fb41fcb5911831cf7ec8986aa0

SHA256
9e7be5dc178aa7a50c756baf297b0c5a5b3c13ce35a3723af5dba8ee5eb39b2e

SHA512
b2f83892ab09d73d36a8d28e6f53b88ba4f0c4632143b7f84e4da333960cac6969719bda23c173cf03665ce8bc36c533a41080240aa53bac3975c94d79403d26

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
4f100cba849d788770ac90cd66c97120

SHA1
ebb9cbf021afc23121a8c682a4a5b80240bddc37

SHA256
ae843e93ea4355adff60e584fc7186e05eaa40468b64510cc3dc501fc1db1fdd

SHA512
69f3c5f1efd10053e8debd76143a88755d5a035882b69c3bca7ebc93aa040e3ef0aede3e7691089485850dd3212abcc02b23acdc396878a6d2658419cec8a0ee

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\_desktop.ini

Filesize
9B

MD5
20579de1c6702ea14f25df921a00274b

SHA1
fc7299007b5fb0580c7a3ef6ae0efd8aaf80a35f

SHA256
3eb24c26a19e67d7f499ccb30f78fc29bee126bafd13f41470223c1b8f2e1e4e

SHA512
e9a21ede4321b86e5d215d41321741f8db22b9eb92c1325026182c688311d5134041102a194d670abcbd182d2c91d5180ac9b7c9daaf9e41109a3b3d8e3c3d81

Download Submit
memory/1228-27-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2016-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2016-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-1847-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-3307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download