2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe
Size

70KB
MD5

3676ce9e867204f2f4e14760030bad98
SHA1

7ff1bb7fc9ddcd858698183348e7e592b0b648bd
SHA256

2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3
SHA512

ed8d7ac470c08f9ced6db3c0d6e81f46420bb6c631e2432606238f5be80930534ead45a28055642a58b79fc767289322ef9a8785099c2d3f72bc3f968570e801
SSDEEP

1536:T43SHuJV9QaxIEToa9D4ZQKbgZi1dst7x9PxQ:T4kuJVFglZQKbgZi1St7xQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2504	Logo1_.exe
2436	2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe

Loads dropped DLL 1 IoCs

pid	Process
2508	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe
File created	C:\Windows\Logo1_.exe	2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe
2504	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2508	2700	2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe	28
PID 2700 wrote to memory of 2508	2700	2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe	28
PID 2700 wrote to memory of 2508	2700	2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe	28
PID 2700 wrote to memory of 2508	2700	2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe	28
PID 2700 wrote to memory of 2504	2700	2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe	29
PID 2700 wrote to memory of 2504	2700	2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe	29
PID 2700 wrote to memory of 2504	2700	2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe	29
PID 2700 wrote to memory of 2504	2700	2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe	29
PID 2504 wrote to memory of 2684	2504	Logo1_.exe	30
PID 2504 wrote to memory of 2684	2504	Logo1_.exe	30
PID 2504 wrote to memory of 2684	2504	Logo1_.exe	30
PID 2504 wrote to memory of 2684	2504	Logo1_.exe	30
PID 2684 wrote to memory of 2516	2684	net.exe	33
PID 2684 wrote to memory of 2516	2684	net.exe	33
PID 2684 wrote to memory of 2516	2684	net.exe	33
PID 2684 wrote to memory of 2516	2684	net.exe	33
PID 2508 wrote to memory of 2436	2508	cmd.exe	34
PID 2508 wrote to memory of 2436	2508	cmd.exe	34
PID 2508 wrote to memory of 2436	2508	cmd.exe	34
PID 2508 wrote to memory of 2436	2508	cmd.exe	34
PID 2504 wrote to memory of 1196	2504	Logo1_.exe	21
PID 2504 wrote to memory of 1196	2504	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe
  "C:\Users\Admin\AppData\Local\Temp\2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a25C9.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe
      "C:\Users\Admin\AppData\Local\Temp\2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe"
      4⤵
      Executes dropped EXE
      PID:2436
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
5427c8355686e9236966d4dcd2119f7d

SHA1
441677316f5b657a05982f73fce0c439e7155a44

SHA256
678007290f0ed12852fcdeb88dd9cdb7b40913508d8cc9772cfcb40a7e217936

SHA512
67cdc1309d3e076088b3d16875b92f2bd0f060576441319e325560eca7d7c5f0afd15165cc76f49887fff67c869c5c835925d81288ad2add23d0d89a5647f97b

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
45ba25b4e6fe57152a1966bdea786d3c

SHA1
b79b3a4f2d3b525688edf4b7818a400822834361

SHA256
d309f5130994c60441620daef072bc849b8a4e8af881f25946ecbe8761448834

SHA512
8ddb1e63c9454ae572f25d9353cafcffc238d5be3b6ddec87cefcf8280fcbaa3e7c59db2cff67a458c55bb0da9c07cee3c972f7ab18cee8dcbfcf3b5b1a5d699

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a25C9.bat

Filesize
722B

MD5
33b9979bbe82ee3614a2e2584acf5519

SHA1
6398130cb5a58f78e2c322ec09dffb3af18e7b26

SHA256
7c51173ddc7d5e2730d56ee14707be4dfd7b8fd33059d8e59402aff9aecd8ef9

SHA512
5fb06248c0b2b5aeb5cf464e30a9788e0d5bd739ef79b89a73a0b999d8b88ee056e6e1f6220950cc156694cdf5eac98d346b7d23119bd1ad0da5eeb7e606e77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d0936fbc0a39c203b3d11423eacfed9056c11ac8d29184fa7750a7b628064c3.exe.exe

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
243b2978a3e87c6a237767247bbbf6ef

SHA1
b592a11def8ab37d926ab4bc5601aaf1fc852c2a

SHA256
ea5e030c047d36a2bd930bd50153e3bf228e7644a3e30ce24bc9cb0f92f48a9c

SHA512
f8a617e6c1b790984b8df091938966b68916033b596b0fad51e2c19e0f33ccead7fe35032d0b8db2747fa20f065b87b36226c15e7e46eef73686699f142d71f6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
9B

MD5
72b7e38c6ba037d117f32b55c07b1a9c

SHA1
35e2435e512e17ca2be885e17d75913f06b90361

SHA256
e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

SHA512
2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

Download Submit
memory/1196-30-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2504-851-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-3311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-2604-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2504-1851-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2700-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2700-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2700-12-0x0000000000340000-0x0000000000376000-memory.dmp

Filesize
216KB

Download
memory/2700-17-0x0000000000340000-0x0000000000376000-memory.dmp

Filesize
216KB

Download