Analysis

max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05-05-2024 11:17

Static task: static1
Behavioral task: behavioral1
  Sample: 2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe
  Resource: win10v2004-20240419-en

General

Target: 2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe
Size: 88KB
MD5: 593f9af6df2dce288713ffa58afabd47
SHA1: b55e28b3f960922ffa02bc05a92d7d4d7ee951d1
SHA256: 2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5
SHA512: 4fd1fa47e71e8c2ffc7a2e05af22491b575e57d4477321b17c8c103967c63c719b31e34d4acef893d35bece3f2323ac4b121e023fc72e28ffb5e1a8ec7dccd24
SSDEEP: 1536:pV3SHuJV9Ntyapmebn4ddJZeY86iLflLJYEIs67rxo:pVkuJVL8LK4ddJMY86ipmns6S
Malware Config
Signatures

Deletes itself (1 IoC)
- pid 2308: cmd.exe

Executes dropped EXE (2 IoCs)
- pid 2300: Logo1_.exe
- pid 2568: 2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe

Loads dropped DLL (1 IoC)
- pid 2308: cmd.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by Logo1_.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:

Drops file in Program Files directory (64 IoCs, all by Logo1_.exe)
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini
- File created: C:\Program Files (x86)\Windows NT\Accessories\de-DE\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini
- File created: C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Stationery\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
- File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini
- File opened for modification: C:\Program Files\Java\jre7\bin\servertool.exe
- File created: C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini
- File created: C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini
- File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini
- File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini

Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\rundl132.exe (2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe)
- File created: C:\Windows\Logo1_.exe (2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\vDll.dll (Logo1_.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
- pid 2300: Logo1_.exe (10 entries)

Suspicious use of WriteProcessMemory (22 IoCs)
- PID 1136 (2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe) wrote to memory of PID 2308 (cmd.exe), 4 entries
- PID 1136 (2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe) wrote to memory of PID 2300 (Logo1_.exe), 4 entries
- PID 2300 (Logo1_.exe) wrote to memory of PID 2608 (net.exe), 4 entries
- PID 2608 (net.exe) wrote to memory of PID 2460 (net1.exe), 4 entries
- PID 2308 (cmd.exe) wrote to memory of PID 2568 (2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe), 4 entries
- PID 2300 (Logo1_.exe) wrote to memory of PID 1352 (Explorer.EXE), 2 entries
Processes

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1352
  - C:\Users\Admin\AppData\Local\Temp\2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe"
    PID: 1136
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9425.bat
      PID: 2308
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe"
        PID: 2568
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 2300
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2608
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2460
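The process tree and signature tables above describe a chain that is easy to express as detection logic: net.exe/net1.exe stopping a security product's service, cmd.exe running a batch file out of the user's Temp directory, executables written straight into the Windows directory root, a burst of \??\X: drive-root opens, and _desktop.ini sprayed across Program Files alongside installed executables opened for modification. The following is an added example, not code from the sandbox or the report: it runs those rules over events constructed from this report's process tree and IoC tables. The event schema (type, pid, image, command_line, action, target), the thresholds and the security-product keyword list are assumptions chosen for the example, not the sandbox's own format; map real telemetry into that schema before use.

```python
"""Added example, not part of the sandbox report: detection logic for the
behaviours listed above, run over constructed process and file events taken
from the report's process tree and IoC tables. The event schema (type, pid,
image, command_line, action, target) is a simplified hypothetical one chosen
for this example; it is not Sysmon's or the sandbox's own format."""
import re
from collections import defaultdict

# Keyword list for "security product" service names: an assumption for this
# example, not something the report states; tune it for your estate.
AV_WORDS = re.compile(r"anti[- ]?virus|antimalware|defender|security|protect", re.I)
NET_STOP = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.I)
TEMP_BAT = re.compile(r'\\appdata\\local\\temp\\[^\s"]+\.bat\b', re.I)
DRIVE_ROOT = re.compile(r"^\\\?\?\\[A-Z]:$")
WIN_ROOT_PE = re.compile(r"^c:\\windows\\[^\\]+\.(exe|dll)$", re.I)
PF_DESKTOP_INI = re.compile(r"^(c:\\program files( \(x86\))?\\.+)\\_desktop\.ini$", re.I)
PF_EXE = re.compile(r"^c:\\program files( \(x86\))?\\.+\.exe$", re.I)
DRIVE_THRESHOLD = 5         # distinct \??\X: roots opened by one process
DESKTOP_INI_THRESHOLD = 10  # distinct Program Files directories receiving _desktop.ini


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a sorted list of (rule, pid, detail) findings."""
    findings = set()
    drives, ini_dirs = defaultdict(set), defaultdict(set)
    for e in events:
        if e["type"] == "process":
            img, cl = _basename(e["image"]), e["command_line"]
            # 1. net.exe / net1.exe stopping a security-product service
            if img in ("net.exe", "net1.exe"):
                m = NET_STOP.search(cl)
                if m and AV_WORDS.search(m.group(1)):
                    findings.add(("av_service_stop", e["pid"], m.group(1)))
            # 2. cmd.exe running a batch file out of the user's Temp directory
            #    (the $$a9425.bat self-delete stub in this report does exactly this)
            elif img == "cmd.exe":
                m = TEMP_BAT.search(cl)
                if m:
                    findings.add(("temp_batch", e["pid"], m.group(0)))
        else:
            t = e["target"]
            # 3. executable or DLL written straight into the Windows directory root
            if e["action"] in ("created", "modified") and WIN_ROOT_PE.match(t):
                findings.add(("windows_root_pe", e["pid"], t))
            # 4. drive-letter enumeration through \??\X: opens (counted below)
            if DRIVE_ROOT.match(t):
                drives[e["pid"]].add(t.upper())
            # 5. _desktop.ini sprayed across Program Files (counted below)
            m = PF_DESKTOP_INI.match(t)
            if m:
                ini_dirs[e["pid"]].add(m.group(1).lower())
            # 6. an installed executable opened for modification: infection candidate
            if e["action"] == "modified" and PF_EXE.match(t):
                findings.add(("program_files_exe_modified", e["pid"], t))
    for pid, roots in drives.items():
        if len(roots) >= DRIVE_THRESHOLD:
            findings.add(("drive_enumeration", pid, "%d roots" % len(roots)))
    for pid, dirs in ini_dirs.items():
        if len(dirs) >= DESKTOP_INI_THRESHOLD:
            findings.add(("desktop_ini_spray", pid, "%d dirs" % len(dirs)))
    return sorted(findings)


# Constructed events mirroring the report's process tree and IoC tables.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe")


def proc(pid, image, command_line):
    return {"type": "process", "pid": pid, "image": image, "command_line": command_line}


def fevt(pid, action, target):
    return {"type": "file", "pid": pid, "action": action, "target": target}


EVENTS = [
    proc(1136, SAMPLE, '"%s"' % SAMPLE),
    proc(2308, r"C:\Windows\SysWOW64\cmd.exe",
         r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9425.bat"),
    proc(2300, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    proc(2608, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    proc(2460, r"C:\Windows\SysWOW64\net1.exe",
         r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    proc(2568, SAMPLE, '"%s"' % SAMPLE),
    fevt(1136, "created", r"C:\Windows\rundl132.exe"),
    fevt(1136, "created", r"C:\Windows\Logo1_.exe"),
    fevt(2300, "created", r"C:\Windows\vDll.dll"),
    fevt(2300, "modified", r"C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe"),
]
# The 21 drive roots and a subset of the VLC locale _desktop.ini drops from the report.
EVENTS += [fevt(2300, "opened", "\\??\\" + d + ":") for d in "EGHIJKLMNOPQRSTUVWXYZ"]
EVENTS += [fevt(2300, "created", r"C:\Program Files\VideoLAN\VLC\locale\%s\_desktop.ini" % loc)
           for loc in ("ar", "hi", "lt", "fy", "ka", "ta", "ja", "zu", "sv", "pt_PT", "bn_IN")]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

Rules 4 and 5 are counted per process rather than fired per event on purpose: a single \??\D: open or one _desktop.ini is routine, whereas one PID touching 21 drive roots or ten-plus Program Files directories is the pattern this report shows. Rule 6 is the one worth escalating first, since an executable under Program Files opened for modification by a non-installer is how a file infector leaves persistence behind after the dropped files are cleaned up.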
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 474KB
  MD5: 8916a72b93d5fd4c6e63c8b36279b230
  SHA1: 83e3b1bfd579fbf998b2db5428819a10b25d0ad5
  SHA256: 537975086833d580dd97beff9e712f64cc41d0bf20cac16c1a04be24ed3af27b
  SHA512: 2c61138cc8800649890179c080c228da22ab9fe27f3fc1a83c52f57b349a5d3c61fc9d4a64ab53e362376f63edf99d30f0994b6070f97d09ec4868efaf8293b4

- Filesize: 722B
  MD5: 6187c55ca6d27a5041da830d59cb712f
  SHA1: 436df133d5ad59aa4e6c5b5f07c8f17bbc41647d
  SHA256: cf161fcbb68eab24e38ca9cbaa50ae5433f1b32ae74df4d2ceafb7b198f0f5e7
  SHA512: a2f9fb0c3b9641bd094011c56cbffa3e647b4923f197e2df61eb0426e896f27973e96a9f3791659c33e34e4a303af4c454eee399a024799aabd8b4e193e8ddcf

- C:\Users\Admin\AppData\Local\Temp\2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5.exe.exe
  Filesize: 59KB
  MD5: dfc18f7068913dde25742b856788d7ca
  SHA1: cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
  SHA256: ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
  SHA512: d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

- Filesize: 29KB
  MD5: 311ca249c48658b3e01f82176b59a8cc
  SHA1: b9567a029fde5763ec13b19c18f68f81e66d96ba
  SHA256: 1f8cc114bc9da14c15878f56128449a1a1c187d60f06fd539cc9dc94a263d5a9
  SHA512: 1dbd410bdbe3fc1f845bf41292e09cda11d04ef04b06794e625e13dac8b45d22b136d22a8dc4eea41bb28e7c222c525986ebda093c8e6a003714d98618d729d2

- Filesize: 8B
  MD5: 1b16d2dbd4281ce4e4e5729c608dcb0b
  SHA1: 851e624080ba5598edb808d4b30fe2d74999ce18
  SHA256: c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549
  SHA512: cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59
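The hashes above, together with the file names the sample wrote into the Windows directory and the _desktop.ini drops under Program Files, are what an incident responder sweeps a suspect host for. The following is an added example, not code from the sandbox or the report: it streams each file once to produce the four digests the report lists, matches the SHA-256 against the report's values, and separately reports directories holding a _desktop.ini and files carrying the dropped names. demo() builds a constructed temporary tree so it runs offline; the stand-in file contents, and therefore the hash used as the marker in demo(), are invented for the example and are not the real dropped files.

```python
"""Added example, not part of the sandbox report: an offline host sweep for the
on-disk artefacts the report lists. On a real host point sweep() at the
Windows directory and both Program Files roots."""
import hashlib
import os
import shutil
import tempfile

# SHA-256 values copied from this report: the submitted sample and the dropped files.
REPORT_SHA256 = {
    "2ed36909cdc60f43fd5a01748aac0c827e953197fa62690f7fba823dd6a38ea5": "submitted sample (88KB)",
    "537975086833d580dd97beff9e712f64cc41d0bf20cac16c1a04be24ed3af27b": "dropped file (474KB)",
    "cf161fcbb68eab24e38ca9cbaa50ae5433f1b32ae74df4d2ceafb7b198f0f5e7": "dropped file (722B)",
    "ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf": "Temp copy named <sample>.exe.exe (59KB)",
    "1f8cc114bc9da14c15878f56128449a1a1c187d60f06fd539cc9dc94a263d5a9": "dropped file (29KB)",
    "c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549": "dropped file (8B)",
}
# Names written into the Windows directory per the "Drops file in Windows directory" signature.
WINDOWS_DROP_NAMES = {"logo1_.exe", "rundl132.exe", "vdll.dll"}


def digests(path, chunk=1 << 20):
    """Stream a file once and return the four hex digests the report uses."""
    hashes = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(buf)
    return {n: h.hexdigest() for n, h in hashes.items()}


def sweep(root, ioc_sha256=REPORT_SHA256, drop_names=WINDOWS_DROP_NAMES, max_size=1 << 20):
    """Walk root and return hash hits, _desktop.ini directories and suspicious names.

    Files above max_size are not hashed: every artefact in the report is under 1 MiB,
    so skipping large files keeps a Program Files sweep fast without losing matches."""
    result = {"hash_hits": [], "desktop_ini_dirs": [], "named_drops": [], "unreadable": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low == "_desktop.ini":
                result["desktop_ini_dirs"].append(dirpath)
            if low in drop_names:
                result["named_drops"].append(path)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                sha = digests(path)["sha256"]
            except OSError:  # locked or permission-denied file: record it, keep going
                result["unreadable"].append(path)
                continue
            if sha in ioc_sha256:
                result["hash_hits"].append((path, sha, ioc_sha256[sha]))
    for key in result:
        result[key].sort()
    return result


def demo():
    """Build a constructed tree shaped like the report's artefacts and sweep it."""
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    try:
        ini_dir = os.path.join(root, "Program Files", "VideoLAN", "VLC", "locale", "ar")
        win_dir = os.path.join(root, "Windows")
        os.makedirs(ini_dir)
        os.makedirs(win_dir)
        with open(os.path.join(ini_dir, "_desktop.ini"), "wb") as f:
            f.write(b"[.ShellClassInfo]\r\n")  # constructed content
        with open(os.path.join(win_dir, "Logo1_.exe"), "wb") as f:
            f.write(b"constructed stand-in, not the real dropped file")
        with open(os.path.join(win_dir, "notes.txt"), "wb") as f:
            f.write(b"benign")
        # The stand-in's own hash serves as the IoC marker here, because the real
        # dropped-file contents are not reproduced in this example.
        marker = {digests(os.path.join(win_dir, "Logo1_.exe"))["sha256"]: "constructed marker"}
        return sweep(root, ioc_sha256=marker)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Hash hits are the high-confidence signal; the name and _desktop.ini lists are the low-cost corroboration you want when a dropped file was already deleted by the batch stub but its side effects were not. Unreadable files are returned rather than swallowed, since a locked file under the Windows directory is itself worth a second look from a live-response tool.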