Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 19/07/2024, 23:05
Static task: static1
Behavioral task: behavioral1
  Sample: 35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe
  Resource: win10v2004-20240709-en
(The results on this page are from the windows7_x64 run, behavioral1.)
General
Target: 35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe
Size: 69KB
MD5: 137638684e2668cd13acc772fc1ccef3
SHA1: 899ee1f1649758eb929a0dbf09bcfecd0b7515f3
SHA256: 35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530
SHA512: 2b0fa720db07f1f36796eb0cfd3a3e6643bc38312297b59ddbf8ec38305adf712b47ef1fe2d082b46cc3aeedc6f221923b43e7d0f5ac00d4f3e08280832667bc
SSDEEP: 768:pI16GVRu1yK9fMnJG2V9dHS8FKPh5Rda4FYa5gXtxISlzAyLDbDryViaPm7cg:pa3SHuJV9NY5jaJa2DISl8yLh57cg
Malware Config
Signatures
-
Deletes itself (1 IoC)
  PID 2688  cmd.exe
-
Executes dropped EXE (2 IoCs)
  PID 2972  Logo1_.exe
  PID 1996  35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe
-
Loads dropped DLL (2 IoCs)
  PID 2688  cmd.exe (2 loads)
-
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Logo1_.exe opened (read-only) the root of every drive letter from \??\E: to \??\Z: except \??\F:
  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P:
  \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
-
Drops file in Program Files directory (64 IoCs, all by Logo1_.exe)
Of the 64 entries listed, 60 create or modify a file named _desktop.ini (note the leading underscore; the legitimate Explorer metadata file is desktop.ini) and 4 open existing executables for modification: DVDMaker.exe, GoogleUpdateSetup.exe, 7zFM.exe and rmiregistry.exe.
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini
  File created                  C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_desktop.ini
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini
  File opened for modification  C:\Program Files\DVD Maker\DVDMaker.exe
  File created                  C:\Program Files\DVD Maker\Shared\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini
  File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini
  File created                  C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini
  File opened for modification  C:\Program Files\Windows Journal\fr-FR\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows NT\_desktop.ini
  File created                  C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini
  File created                  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini
  File created                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini
  File opened for modification  C:\Program Files\Java\jre7\lib\fonts\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\_desktop.ini
  File created                  C:\Program Files (x86)\Google\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini
  File created                  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\_desktop.ini
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe
  File created                  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini
  File opened for modification  C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\_desktop.ini
  File created                  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
-
Drops file in Windows directory (4 IoCs)
  File created                  C:\Windows\rundl132.exe   35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe
  File created                  C:\Windows\Logo1_.exe     35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe
  File opened for modification  C:\Windows\rundl132.exe   Logo1_.exe
  File created                  C:\Windows\vDll.dll       Logo1_.exe
The name rundl132.exe is one character away from the legitimate rundll32.exe (digit 1 in place of the second letter l); all three files are written directly into C:\Windows rather than a subdirectory.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 2972  Logo1_.exe (10 occurrences)
-
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1996  35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe
-
Suspicious use of WriteProcessMemory (22 IoCs)
  writer PID 2772 (35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe) -> PID 2688 (cmd.exe)      4 writes, procid_target 30
  writer PID 2772 (35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe) -> PID 2972 (Logo1_.exe)   4 writes, procid_target 31
  writer PID 2972 (Logo1_.exe)                                                               -> PID 2724 (net.exe)      4 writes, procid_target 32
  writer PID 2724 (net.exe)                                                                  -> PID 2616 (net1.exe)     4 writes, procid_target 35
  writer PID 2688 (cmd.exe)                                                                  -> PID 1996 (35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe)  4 writes, procid_target 36
  writer PID 2972 (Logo1_.exe)                                                               -> PID 1324 (Explorer.EXE) 2 writes, procid_target 21
Target process names are taken from the process tree below. The first five pairs are parent-to-child writes made while spawning; the last pair is different: Logo1_.exe writes into Explorer.EXE (PID 1324), which is the sample's parent, not a process it created.
Processes
Indentation shows parent/child nesting; the signatures listed under a process are the ones it triggered.

C:\Windows\Explorer.EXE  (PID 1324)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe  (PID 2772)
    command line: "C:\Users\Admin\AppData\Local\Temp\35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2688)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2B54.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe  (PID 1996)
        command line: "C:\Users\Admin\AppData\Local\Temp\35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\Windows\Logo1_.exe  (PID 2972)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe  (PID 2724)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2616)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
-
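The behaviours in this report reduce to a handful of hunt rules. The following is an added example, not part of the sandbox report: Python detection logic run over a constructed event list that mirrors the process tree and drop list above (PIDs, paths and command lines copied from the report) plus a few benign events that must not fire. The minimal event schema, the service-name hints other than "Kingsoft", the spray threshold and the benign events are assumptions, not data from this page.

```python
"""Hunt rules derived from the behaviours in this sandbox report, run over
constructed sample telemetry.  Added example, not part of the report; the
event format is an assumed minimal schema, not any particular EDR's."""
import re
from collections import defaultdict

# Names a dropped binary may imitate; rundl132.exe from the report is one l->1 swap from rundll32.exe.
LEGIT_SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "cmd.exe", "net.exe", "net1.exe", "lsass.exe"}
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l"})   # homoglyph swaps to undo before comparing
AV_SERVICE_HINTS = ("antivirus", "anti-virus", "kingsoft", "defender")  # assumed list; the report shows only Kingsoft
MARKER_THRESHOLD = 5   # assumed: _desktop.ini drops by one PID before it counts as a spray
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_system_binary(filename):
    """True when the name is not a real system binary but becomes one once
    digit/letter homoglyphs are undone (rundl132.exe -> rundll32.exe)."""
    name = filename.lower()
    return name not in LEGIT_SYSTEM_BINARIES and name.translate(CONFUSABLES) in LEGIT_SYSTEM_BINARIES


def av_service_stop(ev):
    """Service name if this is net/net1/sc stopping something that looks like endpoint protection."""
    if ev["type"] != "process" or basename(ev["image"]) not in {"net.exe", "net1.exe", "sc.exe"}:
        return None
    m = re.search(r'\bstop\s+"?([^"]+?)"?\s*$', ev["cmdline"], re.I)
    if m and any(h in m.group(1).lower() for h in AV_SERVICE_HINTS):
        return m.group(1)
    return None


def run_rules(events):
    """Return {rule_name: [findings]} for a list of process/file events."""
    findings = defaultdict(list)
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    marker_counts = defaultdict(int)
    for ev in events:
        if ev["type"] == "process":
            name = basename(ev["image"])
            if lookalike_system_binary(name):
                findings["lookalike_system_binary"].append((ev["pid"], name))
            svc = av_service_stop(ev)
            if svc:
                findings["av_service_stop"].append((ev["pid"], svc))
            # cmd.exe running a .bat out of %TEMP% whose child is a fresh copy of cmd's own parent image:
            # the delete-and-relaunch chain in the report (2772 -> cmd 2688 -> 1996).
            parent = by_pid.get(ev["ppid"])
            if name == "cmd.exe" and parent and re.search(r"\\temp\\[^\\]+\.bat\b", ev["cmdline"], re.I):
                for child in events:
                    if (child["type"] == "process" and child["ppid"] == ev["pid"]
                            and child["image"].lower() == parent["image"].lower()):
                        findings["temp_batch_relaunch"].append((parent["pid"], ev["pid"], child["pid"]))
        else:
            path = ev["path"].lower()
            if ev["op"] == "create":
                if lookalike_system_binary(basename(path)):
                    findings["lookalike_system_binary"].append((ev["pid"], basename(path)))
                if re.fullmatch(r"c:\\windows\\[^\\]+\.(exe|dll)", path):   # PE dropped straight into C:\Windows
                    findings["windows_root_drop"].append((ev["pid"], ev["path"]))
                if basename(path) == "_desktop.ini" and path.startswith("c:\\program files"):
                    marker_counts[ev["pid"]] += 1      # underscore-prefixed, unlike the legitimate desktop.ini
            elif ev["op"] == "modify" and path.startswith("c:\\program files") and path.endswith(".exe"):
                findings["program_files_exe_modified"].append((ev["pid"], ev["path"]))
    for pid, n in marker_counts.items():
        if n >= MARKER_THRESHOLD:
            findings["marker_file_spray"].append((pid, n))
    return dict(findings)


# Constructed events: the report's process tree and drop list, plus benign noise that must not fire.
EVENTS = [
    {"type": "process", "pid": 1324, "ppid": 4, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"type": "process", "pid": 2772, "ppid": 1324, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 2688, "ppid": 2772, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2B54.bat"},
    {"type": "process", "pid": 1996, "ppid": 2688, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 2972, "ppid": 2772, "image": r"C:\Windows\Logo1_.exe", "cmdline": r"C:\Windows\Logo1_.exe"},
    {"type": "process", "pid": 2724, "ppid": 2972, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"type": "process", "pid": 500, "ppid": 1324, "image": r"C:\Windows\System32\rundll32.exe",   # benign, constructed
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "process", "pid": 501, "ppid": 1324, "image": r"C:\Windows\System32\net.exe",        # benign, constructed
     "cmdline": "net stop Spooler"},
    {"type": "file", "pid": 2772, "op": "create", "path": r"C:\Windows\rundl132.exe"},
    {"type": "file", "pid": 2772, "op": "create", "path": r"C:\Windows\Logo1_.exe"},
    {"type": "file", "pid": 2972, "op": "create", "path": r"C:\Windows\vDll.dll"},
    {"type": "file", "pid": 2972, "op": "modify", "path": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"type": "file", "pid": 2972, "op": "modify", "path": r"C:\Program Files\DVD Maker\DVDMaker.exe"},
    {"type": "file", "pid": 1324, "op": "create", "path": r"C:\Program Files\Example\desktop.ini"},  # benign, constructed
] + [{"type": "file", "pid": 2972, "op": "create", "path": p} for p in (
    r"C:\Program Files\DVD Maker\Shared\_desktop.ini",
    r"C:\Program Files (x86)\Google\_desktop.ini",
    r"C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini",
    r"C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini",
    r"C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini",
)]

if __name__ == "__main__":
    for rule, hits in run_rules(EVENTS).items():
        print(f"{rule}: {hits}")
```

Each rule maps to one line of evidence on this page: the homoglyph check catches rundl132.exe without flagging the real rundll32.exe; the service-stop rule catches `net stop "Kingsoft AntiVirus Service"` but not a routine `net stop Spooler`; the root-drop rule catches the three files written directly into C:\Windows; the spray counter fires on Logo1_.exe's _desktop.ini writes while ignoring a legitimate desktop.ini; the modification rule surfaces the Program Files executables that Logo1_.exe opened for writing; and the relaunch rule ties together the parent, the cmd.exe running a .bat from %TEMP%, and the child started from the parent's own path. On real endpoints the same process and file events are what Sysmon Event ID 1 (process create) and Event ID 11 (file create) provide.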
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 254KB
MD5: 2f23f4e1efacb0e10c93de18de903b15
SHA1: c8003971a3eb07aa2f63fd4cb80582c2f6c5a895
SHA256: c11bbf970a4f483f0e5beeaefb8afb247abe6133b1c42c9f2f6b51ed13f52b93
SHA512: a9526b065dd729db5555826c35da470e546ac2a40f555ef40f5a415d5e90349b6d2099f700fd385ca2259d64cddb9a95b50d3d8a7450b6734d6739df87cd7692
-
Filesize: 474KB
MD5: 1b12b9060b8875ff79fd921d924df171
SHA1: 2cefdd8b0ba05d21051feb64909fef80f4d4f799
SHA256: b4e50274be3a43611ffaa568b252b827c66855f4f50024b31ac68712cdb4eaba
SHA512: 26c4d288eb0525f4abaa9fa9704aabd30b21d0dc444a4d352edc92ca584b384c00dc16c3ba9b904ba9cf8718a0e51501e505873d5b09cfc76013eb8f5e5f393a
-
Filesize: 722B
MD5: d912643ab49e8cc43b811a6325505d43
SHA1: b854185aad2da89e4031df72d462bcb9a184ece1
SHA256: 420fe404fe8e6c8624915a76d17f58a5c6d3655cce40c5866c3bee7264b485df
SHA512: cb27ab5b86663e631147df27ecdb7a7255189db96b4b4afe963e0e74c620e199c838dda389a8acb8411fbe6378fca9f85515a259866c0c6711050c4392dbb1b5
-
C:\Users\Admin\AppData\Local\Temp\35aa03fd732362496469eed0fc61295b2960a0f5e8fcacc0a34345ab764fc530.exe.exe
Filesize: 40KB
MD5: 9c7a7c0374eda967af0d911a6de29329
SHA1: 26ed41010559c7959a7b1eaf89e89b71b38a6968
SHA256: 673a2c249387a223fed06d9bd779faeab4145c27ed2b1628ef08579f956fa59b
SHA512: f4d54e562ce436487e98e96b3904f0a8ae9838c6631b4c9542691445964e03cac023ab38e2da60e1a504bc74701dda18c13733f1da888a6210be1bb80b6be6ad
-
Filesize: 29KB
MD5: 9cd1b22ca5305c5cc480f0f2753b057b
SHA1: e39379b4793cce690ac333aa3ed5da75c213d20c
SHA256: 363a187f7123111d576a91894824b5d5a9b840066a3825755f7f24431e30d7d5
SHA512: 44bb942f2fd96984416cc05bbf3c2abfa2dcfe0960a38db6f3ca3d0eb9728fd306341be525dc405d9cd315eae29bd81d3f49729b29afba0d2cf1406e5fce9eb1
-
Filesize: 9B
MD5: 1368e4d784ef82633de86fa6bc6e37f9
SHA1: 77c7384e886b27647bb4f2fd364e7947e7b6abc6
SHA256: 57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772
SHA512: 3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b