36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d

Analysis

max time kernel
133s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 08:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe
Size

1.6MB
MD5

43507231b3fc97a471dac3ca1a93a0df
SHA1

1d47513ec584c2c99261d743e2e82dd0c5c717b6
SHA256

36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d
SHA512

ae15bb9228ed1d3029038c717335c13f05f128777c90b621cc9b4c1d36399f165cab90583ad13fd3d2aa4a5ee20e850ceb7c48fbf8f03217795dbcad8dac39d0
SSDEEP

49152:N7sVHFXSFEmqiDqCbS1gickVsPTpuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuTuA:qVHFXSCmqsSgfkVsNuuuuuuuuuuuuuug

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2248	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2584	Logo1_.exe
2504	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	cmd.exe
2248	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe
File created	C:\Windows\Logo1_.exe	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe
2584	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2248	2168	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe	28
PID 2168 wrote to memory of 2248	2168	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe	28
PID 2168 wrote to memory of 2248	2168	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe	28
PID 2168 wrote to memory of 2248	2168	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe	28
PID 2168 wrote to memory of 2584	2168	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe	30
PID 2168 wrote to memory of 2584	2168	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe	30
PID 2168 wrote to memory of 2584	2168	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe	30
PID 2168 wrote to memory of 2584	2168	36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe	30
PID 2584 wrote to memory of 2620	2584	Logo1_.exe	31
PID 2584 wrote to memory of 2620	2584	Logo1_.exe	31
PID 2584 wrote to memory of 2620	2584	Logo1_.exe	31
PID 2584 wrote to memory of 2620	2584	Logo1_.exe	31
PID 2248 wrote to memory of 2504	2248	cmd.exe	33
PID 2248 wrote to memory of 2504	2248	cmd.exe	33
PID 2248 wrote to memory of 2504	2248	cmd.exe	33
PID 2248 wrote to memory of 2504	2248	cmd.exe	33
PID 2620 wrote to memory of 2648	2620	net.exe	34
PID 2620 wrote to memory of 2648	2620	net.exe	34
PID 2620 wrote to memory of 2648	2620	net.exe	34
PID 2620 wrote to memory of 2648	2620	net.exe	34
PID 2584 wrote to memory of 1284	2584	Logo1_.exe	21
PID 2584 wrote to memory of 1284	2584	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe
  "C:\Users\Admin\AppData\Local\Temp\36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a85C3.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe
      "C:\Users\Admin\AppData\Local\Temp\36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2504
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
cdaab6db8a1fdcf5b18d8c0cacbed8f9

SHA1
fb2f0e3e76c533f49e78a082d4c5843bda684f47

SHA256
d47e9db634c1862fb985f8d3dad2a544962ecd065cbb229a4105a100ce07dacc

SHA512
4bddbe878fd3b42ea748384b41c0a73ca50aae0e7dd6b792332d60ef9ad1660c931090fc1c0a5b2d0f370caa765295578d934c30a17840d495568efef72f2ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a85C3.bat

Filesize
722B

MD5
52520c979ae6af39ec9544b7a5332350

SHA1
b60fd7906beb1d1e564017ac1cc8a81ad15d4412

SHA256
be2e4785a031a609fe47093fa3f9c62818de9db59f79598d4cd6c0d99f9a8f52

SHA512
a97740b30b26ec67f393e04fbc14b04876e708b6e2c8a098611639a837484a1478892bbb513e11bdea3727b283f13503c9b83233d8dbd8b56b1d9f9f359c22db

Download Submit
C:\Users\Admin\AppData\Local\Temp\36434d4be559dc83858ea451cd83a3d0c1b811224382fe2527764334ee41610d.exe.exe

Filesize
1.5MB

MD5
c75b0d339a0d9aac8c5986a6867d2794

SHA1
dbe6b72fc1cd2fe3138046c0b75d2e5baac098d5

SHA256
908d886b0a8c1b3ac4aa1cd5f5778f61850dbd55474c0bb81af83c16ae4da563

SHA512
945945e15d25c0d64340cf68affa8dc0828fb74ae4d09fa42409154911e2df1e521258505e03772891c6fbffe95f9d8949dcf2deaa82a2533792e4da2903afe3

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
6416398a5c4808f579f35dc710ace2cf

SHA1
4a75f417e77116b3b0d8d9e80d5103e32868af6b

SHA256
6985b8edc545dbf4f498668647ee65758027a5eb974938eba148634a19cd737e

SHA512
77a151d06d9799c0a47561e4c939fb6639531bdc24821b38d4ac6460db0d63c8fd2c6aeb811f51847a3d52ae095716e7b97d68f9a00d4622bbfaf186d5589f32

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

Filesize
9B

MD5
7619ead719f9163af9f64f79eeff7c36

SHA1
7b956c82fba1f4a0ea8b09ca2e39d89159e21b75

SHA256
da9af76d7e3938d1bd300436de0d394ef0453f260a69c94905084222eb3fbb45

SHA512
29dd3ef54766931036c2f0d755bb3fc89619e548c95658577930a5a748ac2b2855a9e5ee5601697ebbac8a7d435abd4c9e9e2255b0e455e267e0d95358fa86df

Download Submit
memory/1284-34-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2168-12-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2168-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-30-0x00000000020B0000-0x0000000002307000-memory.dmp

Filesize
2.3MB

Download
memory/2248-32-0x00000000020B0000-0x0000000002307000-memory.dmp

Filesize
2.3MB

Download
memory/2504-31-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2504-97-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2584-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-1856-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-3316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download