Analysis
max time kernel: 155s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2023 09:37

Static task: static1

Behavioral task: behavioral1
Sample: 3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: 3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe
Resource: win10v2004-20231023-en
General
Target: 3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe
Size: 3.3MB
MD5: 3e2e461969f003f51b4767f09264f034
SHA1: 92cfe0f580994774a78bb6f400855c18c3703be1
SHA256: 3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691
SHA512: 367902b71bd79f1545a8550dd2181d59c9bc4a03be9bfecf1ecf0efa70ef0cc316c72a4a2ede3308b1f7d495482b847517b579ce623efbabc93f111b6d190e4c
SSDEEP: 49152:V7OD1wyVu6kLS4U/DiaJ0de0r2AJisyYy20QkTu5dPkLoJjEW3:cwv6kw/eJNHy2z+LoJjEW3
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
5072 | Logo1_.exe
5080 | 3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process Logo1_.exe opened the following drive roots (read-only): \??\W:, \??\P:, \??\J:, \??\I:, \??\G:, \??\Y:, \??\L:, \??\E:, \??\Q:, \??\O:, \??\Z:, \??\V:, \??\T:, \??\S:, \??\R:, \??\H:, \??\X:, \??\U:, \??\N:, \??\M:, \??\K:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | 3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe
File created | C:\Windows\Logo1_.exe | 3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
5072 | Logo1_.exe (20 entries)
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 3988 wrote to memory of 3060 | 3988 | 3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe | 90 (3 entries)
PID 3988 wrote to memory of 5072 | 3988 | 3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe | 93 (3 entries)
PID 5072 wrote to memory of 3184 | 5072 | Logo1_.exe | 94 (3 entries)
PID 3060 wrote to memory of 5080 | 3060 | cmd.exe | 96 (2 entries)
PID 3184 wrote to memory of 4788 | 3184 | net.exe | 97 (3 entries)
PID 5072 wrote to memory of 3156 | 5072 | Logo1_.exe | 20 (2 entries)
Processes
C:\Windows\Explorer.EXE (PID 3156)
    Command line: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe (PID 3988)
        Command line: "C:\Users\Admin\AppData\Local\Temp\3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe"
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 3060)
            Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a217D.bat
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe (PID 5080)
                Command line: "C:\Users\Admin\AppData\Local\Temp\3e8999e26a5f465701cca0c6ad7dcf0ae4b55df2aea98f117a212465bd00c691.exe"
                - Executes dropped EXE
        C:\Windows\Logo1_.exe (PID 5072)
            Command line: C:\Windows\Logo1_.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net.exe (PID 3184)
                Command line: net stop "Kingsoft AntiVirus Service"
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe (PID 4788)
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Downloads