36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe
Size

5.7MB
MD5

6c822d198ae082fec64f1f0ae64c3a20
SHA1

1250bc9d2da2e2af0fc1d5823f0b2b2ed8554298
SHA256

36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb
SHA512

1fe4a423838d8e3d577c2ec5b1eebee8d876ae7586da99c96410a3d123ba3690bb676cb3e1670e51571a0034090f80060e6e52118109830eee0e995a9fd1a4c5
SSDEEP

49152:oPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:WKUgTH2M2m9UMpu1QfLczqssnKSk

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
688	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	Logo1_.exe
2700	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe

Loads dropped DLL 1 IoCs

pid	Process
688	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe
File created	C:\Windows\Logo1_.exe	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 688	1344	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe	29
PID 1344 wrote to memory of 688	1344	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe	29
PID 1344 wrote to memory of 688	1344	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe	29
PID 1344 wrote to memory of 688	1344	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe	29
PID 1344 wrote to memory of 2524	1344	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe	30
PID 1344 wrote to memory of 2524	1344	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe	30
PID 1344 wrote to memory of 2524	1344	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe	30
PID 1344 wrote to memory of 2524	1344	36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe	30
PID 2524 wrote to memory of 2576	2524	Logo1_.exe	31
PID 2524 wrote to memory of 2576	2524	Logo1_.exe	31
PID 2524 wrote to memory of 2576	2524	Logo1_.exe	31
PID 2524 wrote to memory of 2576	2524	Logo1_.exe	31
PID 2576 wrote to memory of 1112	2576	net.exe	34
PID 2576 wrote to memory of 1112	2576	net.exe	34
PID 2576 wrote to memory of 1112	2576	net.exe	34
PID 2576 wrote to memory of 1112	2576	net.exe	34
PID 2524 wrote to memory of 1428	2524	Logo1_.exe	20
PID 2524 wrote to memory of 1428	2524	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1428
- C:\Users\Admin\AppData\Local\Temp\36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe
  "C:\Users\Admin\AppData\Local\Temp\36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF0E.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe
      "C:\Users\Admin\AppData\Local\Temp\36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe"
      4⤵
      Executes dropped EXE
      PID:2700
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
3ca1bf22fc4c86f1ffd00a866ab6ff39

SHA1
059063c11ade4cafeb9eea49592aa4a049ee9269

SHA256
1123254ef1434c7002e054e89afbbb5a47cba9aff92916c03203e3dff7704220

SHA512
5ff6e33ff4e45571b0684ddc95e4ffaf8260151b2fcd2ae9be2bd72be27ee8e8364e2185e1df5f1019e9d9d937b757bcd538483ca12d0eca6cc7f36bd88d81b0

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aF0E.bat

Filesize
721B

MD5
1611fba5cfaad3c5d129ffbe8ba538b0

SHA1
be9a835c366b98bb669118b72eb7d032520df033

SHA256
8a74d46237b9cc72d7eb31afb3c98e5879bdeb4af5776af645c141ca65f17434

SHA512
78c2c5c13cb75bba54e8a1f90c184bf4000db409b39c0c023ff05e316739426abf8dc08c3881356d7db3c02956433a359ce156318ab4e9d77689a0d9f2f3ccda

Download Submit
C:\Users\Admin\AppData\Local\Temp\36bc476c6f334803f02d9b630c34c1340e82c58ee7c43a09130201b462279abb.exe.exe

Filesize
5.7MB

MD5
ba18e99b3e17adb5b029eaebc457dd89

SHA1
ec0458f3c00d35b323f08d4e1cc2e72899429c38

SHA256
f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

SHA512
1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
59cf89273d7670b3a02082cb3d07247b

SHA1
1eea81d6955e2261c34051229fbf1b0c9a0c4b69

SHA256
ad96165b92a8d503cbaf656fa18c3811d0ef50982349cc0722ddbd7c7b1bbe45

SHA512
e1969f1246989c978e3bf238adae89e3d1d1040798d354baa4aa2bcf7c8373af291db700a08871e08992fb173f3d34c93cd82d14c53fd6cfd6a21b5eb571c416

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2257386474-3982792636-3902186748-1000\_desktop.ini

Filesize
9B

MD5
79a2fb76ad00a8ac07f11b6a179f5297

SHA1
72b4f589fd7945d8c80b370d1d3a1f2467f3eb81

SHA256
2f723e98c3a3556269a4d81d4a27d6a0ab13a84c5ba737493c07354a2608684f

SHA512
3a21c2e60e8e035fb90d428e86bb927077d8354a16f1abc291ccba4a4d7fee4f51cf781fa9202e5602a88ca70a6ba264ac49762100be5f6e09a2ec930e098168

Download Submit
memory/1344-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1344-17-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/1344-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1428-30-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/2524-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-580-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-1876-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-2132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-3336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download