d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe
Size

132KB
MD5

a042a8a24b4075a0e3073f00ec52d539
SHA1

78357d317271978135d362f66da2a77540a189f9
SHA256

d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e
SHA512

9b3f075a1cf1981bd4e5937dd3aa1966136c6712d2ce242edf8dec6b0922fa216f3c1e2103217ebca99ce1a13aa4bcbb7d2b8bd172d0464061b1074f5064df88
SSDEEP

3072:fftffjmNhPvU2Jk0KPhNqoBjrb4dqBG8yWAZOkh1gwLjLX:HVfjmNhPvpi0K5NNBjrb0kGlbOkhj

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2044	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2640	Logo1_.exe
2600	d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe

Loads dropped DLL 1 IoCs

pid	Process
2044	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\CrashReports\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1036\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe
File created	C:\Windows\Logo1_.exe	d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe
2640	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 2044	932	d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe	28
PID 932 wrote to memory of 2044	932	d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe	28
PID 932 wrote to memory of 2044	932	d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe	28
PID 932 wrote to memory of 2044	932	d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe	28
PID 932 wrote to memory of 2640	932	d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe	29
PID 932 wrote to memory of 2640	932	d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe	29
PID 932 wrote to memory of 2640	932	d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe	29
PID 932 wrote to memory of 2640	932	d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe	29
PID 2640 wrote to memory of 2620	2640	Logo1_.exe	31
PID 2640 wrote to memory of 2620	2640	Logo1_.exe	31
PID 2640 wrote to memory of 2620	2640	Logo1_.exe	31
PID 2640 wrote to memory of 2620	2640	Logo1_.exe	31
PID 2620 wrote to memory of 2672	2620	net.exe	33
PID 2620 wrote to memory of 2672	2620	net.exe	33
PID 2620 wrote to memory of 2672	2620	net.exe	33
PID 2620 wrote to memory of 2672	2620	net.exe	33
PID 2640 wrote to memory of 1336	2640	Logo1_.exe	10
PID 2640 wrote to memory of 1336	2640	Logo1_.exe	10

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe
  "C:\Users\Admin\AppData\Local\Temp\d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a51A9.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe
      "C:\Users\Admin\AppData\Local\Temp\d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe"
      4⤵
      Executes dropped EXE
      PID:2600
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
67cea803d6c2a00ff341b78941e322de

SHA1
f9ddb2a6ce4bbcbba9fbbd5dce331b59852af1f8

SHA256
66353cc5e95c5e17f6d3805a740f35ba2d7a2f01cd29a28013180f38e46b0d85

SHA512
c5f70bcdbafd2c49a20e073a184726d5aa9629e4a0545b2c261df23fc92da7438e11587abdf9f74f62ea3bbb3b14ae71ee42173f2783014266e756a96ba137d1

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a51A9.bat

Filesize
722B

MD5
f744a9122610669c84c1504286524f2e

SHA1
e5e52eb8a3a6a972f27e6cea7e2267db3f20e99c

SHA256
87a13a3644f0a8e5a0f83bc76ad995ba8297c5ef3278417f132cda6274189beb

SHA512
587066e8a160a86d71b92030115553345b0f7e0ed8b817d135f6d054bf6aab29c4f49e5d8ff1d78eb03035d1a4adae79d291e940de1ec6748e23dc0b0bfd805c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d35361b3e6661a2efe6daf14180739b68629cb6207388bc7491822ba7cea4c1e.exe.exe

Filesize
105KB

MD5
197f1a983f99dd310af7dfa5f15684df

SHA1
8fdea8f2aefeb1bfbf0e4b4c0522bae0e7090ebd

SHA256
b3bbb4f25aa6285e903723c4442001d388fc6a0fb8895b8fb76392fd6b784e8e

SHA512
897958c19bce3e7d6f526e04390ab82fd3c0752e4f2548a79f61bc6d65ff014044c67a7114ff25839694d3bba058982e653dbd6677fbfdc7b96314a3ea0705e4

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
beae7b0865498a6dd408ea3b662c278a

SHA1
fce7c76e80750d935c9180be0a3b1099b00ce9f6

SHA256
a1554880080f0487381720f23157863c0b4036a6667de946771f433e2abd54a0

SHA512
4d3917e8c31d089cdd327a0714bc6bf700dc50fdfd4b30acd5a97ead8f71b87b87168afca8ee7b95748492ee378e6e531e441894caa81f8fe5c7f2fff733f377

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-778096762-2241304387-192235952-1000\_desktop.ini

Filesize
9B

MD5
20579de1c6702ea14f25df921a00274b

SHA1
fc7299007b5fb0580c7a3ef6ae0efd8aaf80a35f

SHA256
3eb24c26a19e67d7f499ccb30f78fc29bee126bafd13f41470223c1b8f2e1e4e

SHA512
e9a21ede4321b86e5d215d41321741f8db22b9eb92c1325026182c688311d5134041102a194d670abcbd182d2c91d5180ac9b7c9daaf9e41109a3b3d8e3c3d81

Download Submit
memory/932-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-12-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/932-2180-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/932-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-18-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/1336-29-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2640-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-1641-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-1657-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-1844-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-3310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download