Analysis
- max time kernel: 169s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/11/2023, 19:44

Static task: static1

Behavioral task: behavioral1
- Sample: 7a557a998ca8474282622c29b696fcfa4720490b86167938fe4333fbe956967f.exe
- Resource: win7-20231020-en

Behavioral task: behavioral2
- Sample: 7a557a998ca8474282622c29b696fcfa4720490b86167938fe4333fbe956967f.exe
- Resource: win10v2004-20231023-en
General
- Target: 7a557a998ca8474282622c29b696fcfa4720490b86167938fe4333fbe956967f.exe
- Size: 7.3MB
- MD5: bbee57d76bd6c882e80e904308a9dec7
- SHA1: e8b9e5891bb8b9033df51e0953947cce7cfcb378
- SHA256: 7a557a998ca8474282622c29b696fcfa4720490b86167938fe4333fbe956967f
- SHA512: faff70072cb7f0c3357d007a58c6d82ed5f584df794670e19eab6434e72e74030c4e589ce7ac6a9b8fb39dcf71f978ddb9878363e06d6ffdeb36ac49be3fedd6
- SSDEEP: 98304:SmB9OWBVClfcaA1oZeSajfztbVCGQX4bME4bP8nQgMVQNKe5AJbI8D:Sg9OHi1oZepfxUGGNQNKe
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid 1068, process Logo1_.exe

- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Logo1_.exe opened the following drive roots read-only: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  - File created: C:\Windows\Logo1_.exe (process 7a557a998ca8474282622c29b696fcfa4720490b86167938fe4333fbe956967f.exe)
  - File opened for modification: C:\Windows\rundl132.exe (process Logo1_.exe)
  - File created: C:\Windows\vDll.dll (process Logo1_.exe)
  - File created: C:\Windows\rundl132.exe (process 7a557a998ca8474282622c29b696fcfa4720490b86167938fe4333fbe956967f.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid 1068, process Logo1_.exe (all 20 events)
- Suspicious use of WriteProcessMemory (14 IoCs)
  source PID / process -> target PID (procid_target), event count
  - 2380 7a557a998ca8474282622c29b696fcfa4720490b86167938fe4333fbe956967f.exe -> 2244 (88), 3 events
  - 2380 7a557a998ca8474282622c29b696fcfa4720490b86167938fe4333fbe956967f.exe -> 1068 (89), 3 events
  - 1068 Logo1_.exe -> 2000 (91), 3 events
  - 2000 net.exe -> 3928 (93), 3 events
  - 1068 Logo1_.exe -> 3324 (68), 2 events
Processes
- C:\Windows\Explorer.EXE (PID 3324)
  - C:\Users\Admin\AppData\Local\Temp\7a557a998ca8474282622c29b696fcfa4720490b86167938fe4333fbe956967f.exe (PID 2380)
    command line: "C:\Users\Admin\AppData\Local\Temp\7a557a998ca8474282622c29b696fcfa4720490b86167938fe4333fbe956967f.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2244)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBFD5.bat
    - C:\Windows\Logo1_.exe (PID 1068)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2000)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 3928)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads