Analysis
- max time kernel: 151s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 00:25
Static task: static1
Behavioral task: behavioral1
  Sample: efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
  Resource: win10v2004-20220812-en
General
- Target: efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
- Size: 617KB
- MD5: 3636319b73b61f34ecba613b999ef420
- SHA1: 7f740c71f9f9782393fbb57a4b7d07243b6ec0b9
- SHA256: efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728
- SHA512: bf6dce53e80c75f80dd08f5c03d07cdba7a417c7c5e9e62a84e8ea879e25a7c7788cca968487bae808f7b7c5e38d1da3c5e3ad34027f2ce1c6e2338a6005cc56
- SSDEEP: 12288:9xtzfl8EmN95SKTifcNjvYRoo1QBPP2E7ZgT7FoyNjGyDe3mjW:9bl8EmN95KkFvEook2E7ivKyNjGyD3W
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  3004 | Logo1_.exe
  2216 | efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
-
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\X: | Logo1_.exe
  File opened (read-only) | \??\L: | Logo1_.exe
  File opened (read-only) | \??\G: | Logo1_.exe
  File opened (read-only) | \??\F: | Logo1_.exe
  File opened (read-only) | \??\N: | Logo1_.exe
  File opened (read-only) | \??\J: | Logo1_.exe
  File opened (read-only) | \??\Z: | Logo1_.exe
  File opened (read-only) | \??\V: | Logo1_.exe
  File opened (read-only) | \??\U: | Logo1_.exe
  File opened (read-only) | \??\S: | Logo1_.exe
  File opened (read-only) | \??\R: | Logo1_.exe
  File opened (read-only) | \??\K: | Logo1_.exe
  File opened (read-only) | \??\I: | Logo1_.exe
  File opened (read-only) | \??\Y: | Logo1_.exe
  File opened (read-only) | \??\W: | Logo1_.exe
  File opened (read-only) | \??\Q: | Logo1_.exe
  File opened (read-only) | \??\O: | Logo1_.exe
  File opened (read-only) | \??\M: | Logo1_.exe
  File opened (read-only) | \??\T: | Logo1_.exe
  File opened (read-only) | \??\P: | Logo1_.exe
  File opened (read-only) | \??\H: | Logo1_.exe
  File opened (read-only) | \??\E: | Logo1_.exe
-
Drops file in Program Files directory (64 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\StartScreen\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | Logo1_.exe
  File created | C:\Program Files\Windows Defender\ja-JP\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxMetadata\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini | Logo1_.exe
-
Drops file in Windows directory (4 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\rundl132.exe | efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
  File created | C:\Windows\Logo1_.exe | efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\vDll.dll | Logo1_.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  pid  | process
  3004 | Logo1_.exe (20 occurrences)
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description | pid | process | target process
  PID 1796 wrote to memory of 4880 | 1796 | efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe | cmd.exe (3 occurrences)
  PID 1796 wrote to memory of 3004 | 1796 | efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe | Logo1_.exe (3 occurrences)
  PID 3004 wrote to memory of 2864 | 3004 | Logo1_.exe | net.exe (3 occurrences)
  PID 2864 wrote to memory of 1064 | 2864 | net.exe | net1.exe (3 occurrences)
  PID 4880 wrote to memory of 2216 | 4880 | cmd.exe | efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe (3 occurrences)
  PID 3004 wrote to memory of 2692 | 3004 | Logo1_.exe | Explorer.EXE (2 occurrences)
Processes
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2606.bat
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\$$a2606.bat
  Filesize: 722B
  MD5: 8e57be551f94f1603550595820742c4f
  SHA1: 0e312e2f2f54b4d9889c073e5825a23cffcab309
  SHA256: 388e63992ee31f990de4e70a2aae1b1817193a014149e0e9c226cbf7a897df71
  SHA512: fe0c271da8cbfa64f1077e4d8fba058fc61b77cce9a765b093636c2a0d40df3acedce1600df23387d6982abba479796c742bc68a97c82b6f30dbd57ebe8a62c9
-
C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
  Filesize: 588KB
  MD5: dd0042f0c3b606a6a8b92d49afb18ad6
  SHA1: 74fbb38fa923a2db686a7492c2c8feb9a23a7be4
  SHA256: 8d3be4c93d02af5f42ec46af598d6da40c61d467cb2fee5e222f9c1e7a84b852
  SHA512: c36cf2e958c532b9d9b7d943f52e92525ceb4b0d41662ff6652f2929c26ce0afc22dff645bd44fd7878d170e0bf2dfa031d5be666e97498e6dcbe5cb113c51ba
-
C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe.exe
  Filesize: 588KB
  MD5: dd0042f0c3b606a6a8b92d49afb18ad6
  SHA1: 74fbb38fa923a2db686a7492c2c8feb9a23a7be4
  SHA256: 8d3be4c93d02af5f42ec46af598d6da40c61d467cb2fee5e222f9c1e7a84b852
  SHA512: c36cf2e958c532b9d9b7d943f52e92525ceb4b0d41662ff6652f2929c26ce0afc22dff645bd44fd7878d170e0bf2dfa031d5be666e97498e6dcbe5cb113c51ba
-
C:\Windows\Logo1_.exe
  Filesize: 29KB
  MD5: 486b2ec07e9305329ba6058d9ef9d6b1
  SHA1: 90aea0a417079569be2dfcd369c92d7c9a016ece
  SHA256: 57fed882e20017888230812e229df6a0b404777c262c1b56a424dfdc95b91d58
  SHA512: 91da07899ad08d3f1e9dff3d8af0522ba1cc6bd75dfb1191b4eabfc5099c2e2477b6008f8cea18a366b0e14217d38660258be1d495269ef3caca3a4a4ff2c441
-
C:\Windows\rundl132.exe
  Filesize: 29KB
  MD5: 486b2ec07e9305329ba6058d9ef9d6b1
  SHA1: 90aea0a417079569be2dfcd369c92d7c9a016ece
  SHA256: 57fed882e20017888230812e229df6a0b404777c262c1b56a424dfdc95b91d58
  SHA512: 91da07899ad08d3f1e9dff3d8af0522ba1cc6bd75dfb1191b4eabfc5099c2e2477b6008f8cea18a366b0e14217d38660258be1d495269ef3caca3a4a4ff2c441
-
memory/1064-139-0x0000000000000000-mapping.dmp
-
memory/1796-136-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize: 216KB
-
memory/2216-143-0x0000000000000000-mapping.dmp
-
memory/2864-138-0x0000000000000000-mapping.dmp
-
memory/3004-140-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize: 216KB
-
memory/3004-133-0x0000000000000000-mapping.dmp
-
memory/3004-145-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize: 216KB
-
memory/4880-132-0x0000000000000000-mapping.dmp