c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8

Analysis

max time kernel
154s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe
Size

182KB
MD5

6bc1a74ad2949cd87554036930689aca
SHA1

da2878bb7b13df1abc4564598a868a347b8b6fa6
SHA256

c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8
SHA512

e734b3ec73c7b3c5a1ab26f4a988f68c2147c95220d5a0c7efbd2884062d0cb8e808953daa7e461decbf12e0949094465a98f97951666bf19ae36ac18fd9ab70
SSDEEP

3072:xftffepVPhsJCQIZHJTpprL8FZjuAZcU6xeZ/swaOL+2aDOI+MzGVNgZb+9EeMK:5VfgPK4QIZHJTAuAZVmeZ/6OLX+vXZC3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2452	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	Logo1_.exe
2620	c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe

Loads dropped DLL 1 IoCs

pid	Process
2452	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe
File created	C:\Windows\Logo1_.exe	c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe
2896	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 2452	1324	c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe	28
PID 1324 wrote to memory of 2452	1324	c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe	28
PID 1324 wrote to memory of 2452	1324	c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe	28
PID 1324 wrote to memory of 2452	1324	c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe	28
PID 1324 wrote to memory of 2896	1324	c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe	29
PID 1324 wrote to memory of 2896	1324	c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe	29
PID 1324 wrote to memory of 2896	1324	c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe	29
PID 1324 wrote to memory of 2896	1324	c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe	29
PID 2896 wrote to memory of 2560	2896	Logo1_.exe	30
PID 2896 wrote to memory of 2560	2896	Logo1_.exe	30
PID 2896 wrote to memory of 2560	2896	Logo1_.exe	30
PID 2896 wrote to memory of 2560	2896	Logo1_.exe	30
PID 2560 wrote to memory of 2612	2560	net.exe	33
PID 2560 wrote to memory of 2612	2560	net.exe	33
PID 2560 wrote to memory of 2612	2560	net.exe	33
PID 2560 wrote to memory of 2612	2560	net.exe	33
PID 2452 wrote to memory of 2620	2452	cmd.exe	34
PID 2452 wrote to memory of 2620	2452	cmd.exe	34
PID 2452 wrote to memory of 2620	2452	cmd.exe	34
PID 2452 wrote to memory of 2620	2452	cmd.exe	34
PID 2896 wrote to memory of 1192	2896	Logo1_.exe	21
PID 2896 wrote to memory of 1192	2896	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe
  "C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC40A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe
      "C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe"
      4⤵
      Executes dropped EXE
      PID:2620
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
770e80db366145f997b81f8040496869

SHA1
4d924c50b0c714b97047df34a0bd4adaf2de6a83

SHA256
dccf1246394aab3657a9ebd19ebd4150b9420f438bd50e40aafbc8ac8d51ebdb

SHA512
754b5ee9fdcc4614ad626ece4d684fdc2f4b20d5c20042dba268f4c7b1c913b2b707ac1903bfb85a79598975e4b6ab4eb508660a242cb9feb2196d6368a6ff8d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
1a0dbecba0dbb963c2f3b0448796d47a

SHA1
5c0b5d378d3614fe984ce2915b5720886992da0c

SHA256
1ea2fb84177a921bc3df4763c3da53a970e192f93f6175d09696ded019e50cf8

SHA512
8e25dc08fa6f280a6bc1ccacb1ce665ab055b5d539f8915915fc7536c90185a221cb0c50a02d34b521b871b8487a155b9c40a5f25df87306e1df24ca7e96da25

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC40A.bat

Filesize
722B

MD5
9598b277ceab2830b02cbe5610746b1f

SHA1
4d5f983ed2f42670e9acf3bcc7dfd3836f0741bf

SHA256
1a0c55d35e8c784e38ab8b709af3ed1593634f9ca31b7a304032c3cd9ecf7f40

SHA512
90d57ca9b6fd494549e4a55622700f271f219ef5b32ef0ca7c33a860ebf93c24d4c1b0eb9a598bef4be4271c8468504a6929ffa2ed94cfc992e8a9fea5097410

Download Submit
C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe.exe

Filesize
156KB

MD5
39e25fdcbc0fe52d96da002d453561fd

SHA1
45ff4ac06ed22d72700b17463c798b7a7133d048

SHA256
e77946b429093c874157b1dbc11cc69a137747ef1eab9bd3c2fb3d8e991934c3

SHA512
48add6448f3da3336fbf0efeee7b199f6d9508da31911df82f22ef0f6b8408e3100d4c21390cb420e45ee7eb037231e6e5a2c84b8a4022239053521c92bf0d30

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
8758044db9fce67ea2ad542f86e69e57

SHA1
60cc4d25ea4e17f676e8ac8be10b9dfe2f7ed67d

SHA256
0c91b552dc6db19b6711e32cb8c9c604b60dc9d674be06cccb6adf08b4dbd82d

SHA512
411737be53feaef0829190b6610c729b925949bcc0b4a65063ab393acb1a92c577093e6377a373704ce54d27a593f2faddc23c80c660638f7c304a93f1972c93

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3787592910-3720486031-2929222812-1000\_desktop.ini

Filesize
9B

MD5
6304f6cd23949a0e203abd81fc93bcfd

SHA1
260299dcdd7b9af6298e036322e7493d3598ab44

SHA256
6e249dd60655637cf4a7f940b41cfc3b70dc36b986a37babad9180d29d22adb8

SHA512
ce9d77f19554bdfdf7bc99adc9a9cdbc79c3d30f901b9f47ffb8e2d737c7a3fceb059de56993f9092c4ba0276b9d6ebc035fd48298dc62e11a9ef05bb9e00ab5

Download Submit
memory/1192-28-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1324-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-1848-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-3308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download