Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/08/2023, 03:26
Static task: static1
Behavioral task: behavioral1
  Sample: a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe
  Resource: win10v2004-20230703-en
General
Target: a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe
Size: 88KB
MD5: 2c52d4d39cf1bf569c6e2447a9df419c
SHA1: 605c0da2de1a0fd37b18195ba3365b9a8d5f598b
SHA256: a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4
SHA512: d2eec153c7176701732d33bdc4e130eea41b732290ea3f156eeba150c7bdd3906db0644011c36fb4e7822a088a6612376e4ac90c43a49c4f931f4a6e21228b44
SSDEEP: 768:/1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLcgm6EIvcCIlBJd1mgqgadKsQtpSFT:tfgLdQAQfcfymNlCUchDsQt8oxHeWW
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  2708  Logo1_.exe
  3080  a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\M:, \??\I:, \??\E:, \??\V:, \??\S:, \??\P:, \??\N:, \??\Y:, \??\T:, \??\L:, \??\J:, \??\G:, \??\W:, \??\O:, \??\U:, \??\R:, \??\Q:, \??\K:, \??\H:, \??\Z:, \??\X:
  (every drive letter from E: through Z: except F:, opened via the \??\ device namespace)
Drops file in Program Files directory (64 IoCs)
All entries are by Logo1_.exe; every target is a file named _desktop.ini.
  created: C:\Program Files\Java\jdk1.8.0_66\jre\bin\_desktop.ini
  created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\_desktop.ini
  created: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\HoloTileAssets\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\es-es\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\_desktop.ini
  created: C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini
  opened for modification: C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\_desktop.ini
  created: C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini
  created: C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\_desktop.ini
  created: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\_desktop.ini
  opened for modification: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\_desktop.ini
  opened for modification: C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini
  opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\_desktop.ini
  opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\_desktop.ini
  created: C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\_desktop.ini
  opened for modification: C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini
  created: C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini
  created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\_desktop.ini
  opened for modification: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\_desktop.ini
  created: C:\Program Files (x86)\Windows Defender\_desktop.ini
  created: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini
  opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\_desktop.ini
  created: C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini
  created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\_desktop.ini
  opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini
  created: C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini
  created: C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
  created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\_desktop.ini
  created: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini
  opened for modification: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini
  created: C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini
  opened for modification: C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini
  created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\View3d\_desktop.ini
  created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\View3d\_desktop.ini
  created: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\css\_desktop.ini
  created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\_desktop.ini
  opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\_desktop.ini
Drops file in Windows directory (4 IoCs)
  File created C:\Windows\Logo1_.exe by a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe
  File created C:\Windows\rundl132.exe by a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe
  File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  File created C:\Windows\vDll.dll by Logo1_.exe
Note: rundl132.exe is spelled r-u-n-d-l-1-3-2 (with the digit one) and sits directly in C:\Windows; it is not the legitimate C:\Windows\System32\rundll32.exe. All three dropped binaries land in the root of C:\Windows, where a legitimate installer rarely writes executables.
Runs net.exe
  net stop "Kingsoft AntiVirus Service" (spawned by Logo1_.exe; see the process tree below)
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID 2708 Logo1_.exe (20 occurrences)
Suspicious use of WriteProcessMemory (17 IoCs)
  Source PID  Target PID  Source process                                                          procid_target  Count
  1356        1820        a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe    81             3
  1356        2708        a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe    83             3
  2708        3876        Logo1_.exe                                                              84             3
  3876        3496        net.exe                                                                 86             3
  1820        3080        cmd.exe                                                                 87             3
  2708        2000        Logo1_.exe                                                              48             2
  (Target PID 2000 is C:\Windows\Explorer.EXE in the process tree below; the other targets are the children each source process spawned.)
Processes

C:\Windows\Explorer.EXE (PID 2000)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe (PID 1356)
    command line: "C:\Users\Admin\AppData\Local\Temp\a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1820)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6AA1.bat
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe (PID 3080)
        command line: "C:\Users\Admin\AppData\Local\Temp\a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 2708)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 3876)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 3496)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
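The behaviours recorded above (executables dropped directly into C:\Windows, the rundl132.exe lookalike name, cmd.exe running a $$-prefixed .bat from the user's Temp directory, net stop against an antivirus service, and _desktop.ini written across Program Files) map onto host-based detection rules. The Python below is an added example and is not part of the sandbox report or its tooling: it runs those rules over a small constructed set of Sysmon-style events modelled on the process tree and file IoCs shown here. The event schema, the keyword match in the service-stop rule, the benign noise events and the spray threshold of three directories are assumptions (the report itself records 64 _desktop.ini writes).

```python
"""Added example (not from the sandbox report): host-based detection rules
for the behaviours recorded above, run over constructed Sysmon-style events."""
import ntpath
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe")

# Constructed events: "process" carries pid/ppid/image/cmdline, "file_create"
# carries the writing pid and the path. PIDs and paths follow the report.
EVENTS = [
    {"type": "process", "pid": 2000, "ppid": None,
     "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"type": "process", "pid": 1356, "ppid": 2000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file_create", "pid": 1356, "path": r"C:\Windows\Logo1_.exe"},
    {"type": "file_create", "pid": 1356, "path": r"C:\Windows\rundl132.exe"},
    {"type": "process", "pid": 1820, "ppid": 1356, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6AA1.bat"},
    {"type": "process", "pid": 2708, "ppid": 1356,
     "image": r"C:\Windows\Logo1_.exe", "cmdline": r"C:\Windows\Logo1_.exe"},
    {"type": "file_create", "pid": 2708, "path": r"C:\Windows\vDll.dll"},
    {"type": "file_create", "pid": 2708, "path": r"C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini"},
    {"type": "file_create", "pid": 2708, "path": r"C:\Program Files (x86)\Windows Defender\_desktop.ini"},
    {"type": "file_create", "pid": 2708, "path": r"C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini"},
    {"type": "process", "pid": 3876, "ppid": 2708, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"type": "process", "pid": 3496, "ppid": 3876, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    # Constructed benign noise the rules must leave alone: the real rundll32.exe,
    # a desktop.ini without the underscore, and a file below System32 rather than
    # directly in C:\Windows.
    {"type": "process", "pid": 4100, "ppid": 2000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "file_create", "pid": 4100, "path": r"C:\Users\Admin\Desktop\desktop.ini"},
    {"type": "file_create", "pid": 4100, "path": r"C:\Windows\System32\drivers\etc\hosts"},
]

WIN_ROOT = r"c:\windows"
# Assumed keyword match: "stop" followed by a service name containing "antivirus".
AV_STOP = re.compile(r"\bstop\b.*anti\s*-?\s*virus", re.I)
# cmd /c on a $$-prefixed .bat under %LOCALAPPDATA%\Temp, as in the report.
TEMP_BAT = re.compile(r"/c\s+\S*\\appdata\\local\\temp\\\$\$[^\s\\]*\.bat", re.I)


def is_rundll32_lookalike(path):
    """True for names that read as rundll32.exe only after swapping the digits
    '1' and '0' for the letters 'l' and 'o' (the report's rundl132.exe)."""
    name = ntpath.basename(path).lower()
    if name == "rundll32.exe":
        return False
    return name.translate(str.maketrans("10", "lo")) == "rundll32.exe"


def ancestry(events, pid):
    """Image basenames from pid up to the root, following ppid links."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in procs:
        chain.append(ntpath.basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def hunt(events, spray_threshold=3):
    """Return (rule, pid, detail) findings for the event set."""
    findings = []
    ini_dirs = defaultdict(set)  # pid -> distinct Program Files dirs given a _desktop.ini
    for e in events:
        if e["type"] == "file_create":
            head, name = ntpath.split(e["path"])
            if head.lower() == WIN_ROOT and name.lower().endswith((".exe", ".dll")):
                findings.append(("exe_or_dll_dropped_in_windows_root", e["pid"], e["path"]))
            if is_rundll32_lookalike(e["path"]):
                findings.append(("rundll32_lookalike_name", e["pid"], e["path"]))
            if name.lower() == "_desktop.ini" and e["path"].lower().startswith(r"c:\program files"):
                ini_dirs[e["pid"]].add(head.lower())
        else:
            image = ntpath.basename(e["image"]).lower()
            if is_rundll32_lookalike(e["image"]):
                findings.append(("rundll32_lookalike_name", e["pid"], e["image"]))
            if image in ("net.exe", "net1.exe", "sc.exe") and AV_STOP.search(e["cmdline"]):
                findings.append(("av_service_stop", e["pid"], " <- ".join(ancestry(events, e["pid"]))))
            if image == "cmd.exe" and TEMP_BAT.search(e["cmdline"]):
                findings.append(("temp_batch_via_cmd", e["pid"], e["cmdline"]))
    for pid, dirs in ini_dirs.items():
        if len(dirs) >= spray_threshold:
            findings.append(("_desktop.ini_spray_in_program_files", pid, f"{len(dirs)} directories"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:38} pid={pid:<5} {detail}")
```

The service-stop rule reports the full ancestry so an analyst sees Logo1_.exe behind net.exe and net1.exe rather than a bare net.exe event; the _desktop.ini rule counts distinct directories per process so a single legitimate write never trips it.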
Network
MITRE ATT&CK Enterprise v15
Downloads

(path not shown)
  Filesize: 251KB
  MD5: 1cd82144e9bdf90aae91927cfe472e91
  SHA1: 42b5487d6f4643b16fcf1ded3c232a24fb7f10ec
  SHA256: e4f742f5d37492ab60a8f7abfbb6049093c8de3b6512fb3050ef09afa33da6cf
  SHA512: 5a3f468575e88d2295f0d52dccb0fbbd853f96d90926186b7a374c14e6bdbfe5d8054e679bd20dbbe9319c3d9719819d0ea09cdce45a84f54d0e1b7c88136a3b

(path not shown)
  Filesize: 268KB
  MD5: 9378c654878e01f4699f4d85401c0233
  SHA1: 07950db0507c1f93e10b5a16f1e26ffae1dea73b
  SHA256: c61c793a2f50757a5a5c910e195e59b0ecbb6bcef02e4b6f04674854d1e5c4ee
  SHA512: 3ced01a8a82aefc9f71cf03b7b8eb1a83cb1d3d412e14b7b7b8250b24463a4aa163a3c90306732b907df8d551e79b5492eb4894f73ecbea5db765072f80164c9

(path not shown)
  Filesize: 722B
  MD5: 3706200868257ac647dbbc4170589227
  SHA1: 76a1ae7ab206c6c5872847cae92b9ce5d50aabdd
  SHA256: a0376cbc823b6252c2ddfa659ad0657a6420be07926221c09288ec6f45cb2b7b
  SHA512: 10f66a4ef17ec78a8ed45254081c6f5557071fa7a8e993d65e85a83247856fc2b69dcd70d7e0e295216db960874a5386ba92c5ae6104ef7d86496110197c87e6

C:\Users\Admin\AppData\Local\Temp\a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe
  Filesize: 62KB
  MD5: 563e5d234d4f6287131bdf5ea1c371d1
  SHA1: bb5006b7fbbc4c5266d63233e74ba829fcba846a
  SHA256: c7c7d345ff20a9ca813c6fe3c6c09451a906fd0b32c5044732e82d841e87cf4f
  SHA512: 0cbd1e3ed330dbbc14727164a9f900fc0b16cd86cff30b6d756e21c3f65e361ef8882ac7bd7b6399960feae409ad0178e0e0eae0f5281a047c7cc8478d9b5382
  Note: same path as the submitted sample, but a different file: 62KB with none of the hashes listed under General (the submitted sample is 88KB, MD5 2c52d4d39cf1bf569c6e2447a9df419c). This is the file that PID 3080 executed after the $$a6AA1.bat batch ran.

C:\Users\Admin\AppData\Local\Temp\a2efbefcadd471825c0d13338673488aed3121a724bd002a6f1ef373a3beb9d4.exe.exe
  Filesize: 62KB
  MD5: 563e5d234d4f6287131bdf5ea1c371d1
  SHA1: bb5006b7fbbc4c5266d63233e74ba829fcba846a
  SHA256: c7c7d345ff20a9ca813c6fe3c6c09451a906fd0b32c5044732e82d841e87cf4f
  SHA512: 0cbd1e3ed330dbbc14727164a9f900fc0b16cd86cff30b6d756e21c3f65e361ef8882ac7bd7b6399960feae409ad0178e0e0eae0f5281a047c7cc8478d9b5382
  (identical content to the previous entry, under a doubled .exe.exe name)

(path not shown; listed three times with identical hashes)
  Filesize: 26KB
  MD5: 88af5b73238a71023386adc35d3af4ed
  SHA1: d5f2bb1c8a4174588eb3768d187252b582e6579d
  SHA256: dbff77fb2b63ebd55608ccdfe4182f721ce1553b94b35e3fd1e6a1553997d1cf
  SHA512: fd1291d45e74dab90d80357a518f4cb20a645f55063f8258f87e060fa3c885e8970c66573f4669f01d06692b8f40673534b514081120eb021800813ce86545d2

(path not shown)
  Filesize: 9B
  MD5: ec7139d5bb99bcebaf0b91c58a9ec5aa
  SHA1: 70404362dd74e309722fd282c3492ec95674123c
  SHA256: eb17ae1b1de9e95e0d159893048f2de5c1c158467e768cc0ddbaa517c45e0582
  SHA512: b0114d8f74b17836819b750cff2b590b652e04bb2dc0e9dc8bffac7ed66bd9ded03cd35abc7fc0fcd0127a994c283dcd162e97e6dd76f5a903ff59e4951dfc48