Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2023 16:38
Static task: static1
Behavioral task: behavioral1
- Sample: 5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: 5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe
- Resource: win10v2004-20231020-en
General
- Target: 5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe
- Size: 404KB
- MD5: 4302111a17bf69deabfb58f128c71adb
- SHA1: c9bf282ed4a976bc9dbbd9da845dd997b800a821
- SHA256: 5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623
- SHA512: d463a0677a6bb7f47d771805ccd2cf9b41d03ea3e67cb52d14c35db56f69135a5b8e93b2d2624675c1b9a2cd6d3dea2a1709b9c31dbc9d029f5d4eec3df09e16
- SSDEEP: 6144:VTVfjmNKYJDqxN39AkK829a9ZFFxEA+67DTcaBbm3opTGwGrzSSmO5TCchGHLUs4:Vp7+pANd9ZFgA+6Ya4L6ddgR
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 3056  cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 1344  Logo1_.exe
  pid 2816  5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe
- Loads dropped DLL (1 IoC)
  pid 3056  cmd.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\Q:, \??\O:, \??\E:, \??\U:, \??\R:, \??\P:, \??\K:, \??\I:, \??\H:, \??\Z:, \??\W:, \??\L:, \??\M:, \??\J:, \??\Y:, \??\X:, \??\V:, \??\T:, \??\S:, \??\N:, \??\G:
- Drops file in Program Files directory (64 IoCs)
  All 64 entries are by process Logo1_.exe.
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini
  File created: C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini
  File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini
  File created: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini
  File opened for modification: C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
  File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini
  File created: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini
  File opened for modification: C:\Program Files\Java\jre7\bin\javaw.exe
  File created: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini
  File created: C:\Program Files\Windows Journal\es-ES\_desktop.ini
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini
  File created: C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
  File created: C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini
  File created: C:\Program Files\VideoLAN\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini
  File created: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini
  File created: C:\Program Files\Microsoft Games\Purble Place\it-IT\_desktop.ini
  File created: C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini
  File created: C:\Program Files (x86)\Windows Mail\en-US\_desktop.ini
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini
- Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\rundl132.exe (by 5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe)
  File created: C:\Windows\Logo1_.exe (by 5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe)
  File opened for modification: C:\Windows\rundl132.exe (by Logo1_.exe)
  File created: C:\Windows\vDll.dll (by Logo1_.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 1344  Logo1_.exe (10 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2816  5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe (2 entries)
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 2244 wrote to memory of 3056  (5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe, procid_target 28)  4 entries
  PID 2244 wrote to memory of 1344  (5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe, procid_target 30)  4 entries
  PID 1344 wrote to memory of 2644  (Logo1_.exe, procid_target 31)  4 entries
  PID 3056 wrote to memory of 2816  (cmd.exe, procid_target 33)  4 entries
  PID 2644 wrote to memory of 2832  (net.exe, procid_target 34)  4 entries
  PID 1344 wrote to memory of 1216  (Logo1_.exe, procid_target 15)  2 entries
Processes
- Process: C:\Windows\Explorer.EXE (PID 1216), command line: C:\Windows\Explorer.EXE
  - Process: C:\Users\Admin\AppData\Local\Temp\5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe (PID 2244), command line: "C:\Users\Admin\AppData\Local\Temp\5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - Process: C:\Windows\SysWOW64\cmd.exe (PID 3056), command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a514B.bat
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - Process: C:\Users\Admin\AppData\Local\Temp\5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe (PID 2816), command line: "C:\Users\Admin\AppData\Local\Temp\5afc9b5085d7b84173b3dc3cc965d1eada75b9ba4249baa7487a68b0bb1bf623.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - Process: C:\Windows\Logo1_.exe (PID 1344), command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - Process: C:\Windows\SysWOW64\net.exe (PID 2644), command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - Process: C:\Windows\SysWOW64\net1.exe (PID 2832), command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads