Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 05:04
Static task: static1
Behavioral task: behavioral1
  Sample: 06b20a20c9de68e0f69b7f19de820ef5.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 06b20a20c9de68e0f69b7f19de820ef5.exe
  Resource: win10v2004-20231215-en
(The results below are from behavioral1, the Windows 7 x64 run.)
General
Target: 06b20a20c9de68e0f69b7f19de820ef5.exe
Size: 58KB
MD5: 06b20a20c9de68e0f69b7f19de820ef5
SHA1: 41df559aefd262a53815a95a54287cfe622dabf5
SHA256: 75feb51f91fb1e6c06d8338fd0e79d94c5b5059dabbc9e1032f1fd69c6b4220a
SHA512: 5d25fc6933f6aaf6e2d2c548a06dd79fa33df388c8ecb1f9567355ddeaefd3c8bd4554a7e1088853130d6ef8ef3a263e59c3aea7cc0bbd6ac5d3bfb1d7c0c917
SSDEEP: 1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmitDg:qKtfDwsjPThTYszDH2fO
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2400  cmd.exe  (launched by the sample as cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6D4.bat; see the process tree below)
- Executes dropped EXE (1 IoC)
  pid 1908  Logo1_.exe  (the copy the sample wrote to C:\Windows\Logo1_.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. The report lists no file-level IoCs for this signature, so treat it as a behavioural hint rather than a confirmed read of a specific profile.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 21 events are "File opened (read-only)" on a drive root of the form \??\<letter>: by Logo1_.exe (pid 1908). Letters touched, sorted:
  E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z
  (every letter except A, B, C, D and F), i.e. a walk over the whole drive-letter space looking for additional volumes.
- Drops file in Program Files directory (64 IoCs)
  All 64 events are "File opened for modification" by Logo1_.exe (pid 1908). Note that every target is an existing Windows or third-party executable already installed in the image, not a newly created file (contrast the "File created" events under the Windows directory signature). Opening every .exe it can find for modification is the pattern a file infector produces, so on a real host each of these binaries should be treated as potentially modified and re-verified against known-good hashes or vendor signatures.
  C:\Program Files\7-Zip\7z.exe
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
  C:\Program Files\Google\Chrome\Application\chrome.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe
  C:\Program Files\Java\jre7\bin\jabswitch.exe
  C:\Program Files\Java\jre7\bin\pack200.exe
  C:\Program Files\Java\jre7\bin\rmid.exe
  C:\Program Files\Java\jre7\bin\rmiregistry.exe
  C:\Program Files\Java\jre7\bin\tnameserv.exe
  C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe
  C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe
  C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
  C:\Program Files\Mozilla Firefox\firefox.exe
  C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  C:\Program Files\VideoLAN\VLC\vlc.exe
  C:\Program Files\Windows Defender\MSASCui.exe
  C:\Program Files\Windows Mail\WinMail.exe
  C:\Program Files\Windows Mail\wabmig.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
  C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
  C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
  C:\Program Files (x86)\Google\Update\Install\{7AE638D3-C69D-42D5-9B63-3C52AA32D796}\chrome_installer.exe
  C:\Program Files (x86)\Internet Explorer\ExtExport.exe
  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
  C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
  C:\Program Files (x86)\Windows Mail\wab.exe
  C:\Program Files (x86)\Windows Media Player\wmpenc.exe
  C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  C:\Program Files (x86)\Windows Media Player\wmprph.exe
- Drops file in Windows directory (2 IoCs)
  File created  C:\Windows\Logo1_.exe   by 06b20a20c9de68e0f69b7f19de820ef5.exe (pid 2660)
  File created  C:\Windows\virDll.dll   by Logo1_.exe (pid 1908)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  All 8 events from pid 1908 Logo1_.exe.
- Suspicious use of WriteProcessMemory (10 IoCs)
  pid   Process                               wrote to pid   procid_target (report-internal index)   events
  2660  06b20a20c9de68e0f69b7f19de820ef5.exe  2400 (cmd.exe)     18                                   4
  2660  06b20a20c9de68e0f69b7f19de820ef5.exe  1908 (Logo1_.exe)  17                                   4
  1908  Logo1_.exe                            1380 (Explorer.EXE) 7                                   2
  The first two rows are parent-to-child writes into processes the sample itself started (cmd.exe and Logo1_.exe), which is what process creation normally looks like in this table. The last row is different: Explorer.EXE (pid 1380) is not a child of Logo1_.exe, so a write into its memory is a cross-process write into an already-running process and is the entry worth examining for injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\06b20a20c9de68e0f69b7f19de820ef5.exe  (PID 2660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06b20a20c9de68e0f69b7f19de820ef5.exe"
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\Logo1_.exe  (PID 1908)
    Command line: C:\Windows\Logo1_.exe
    Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (PID 2400)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6D4.bat
    Signatures: Deletes itself
    (cmd.exe is the SysWOW64 copy, so the sample runs as a 32-bit process under WOW64 on this x64 image.)
- C:\Windows\Explorer.EXE  (PID 1380)
  Command line: C:\Windows\Explorer.EXE
  (Pre-existing shell process; target of the Logo1_.exe memory write above.)
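The signatures above are each a small heuristic over the sandbox's file and memory events. The script below is an added example (not tria.ge code and not part of this report) that re-derives three of them, plus the Windows-directory drop, from a hand-constructed subset of the report's rows: distinct drive roots opened per process, distinct Program Files executables opened for modification per process, files created directly under C:\Windows, and WriteProcessMemory calls whose target is not a child of the writer. The event tuples, the `setup.exe` control process (pid 3000) and the thresholds are assumptions for illustration; the pids and paths are the report's own.

```python
"""Re-derive sandbox signatures from file/memory events.

Added example, not tria.ge code. Sample data is constructed from the
report above (pids and paths are the report's; setup.exe pid 3000 is an
invented benign control that touches a single binary).
"""
import re
from collections import defaultdict

# (description, path, process name, pid) -- a subset of the report's rows.
FILE_EVENTS = [
    ("File opened (read-only)", r"\??\W:", "Logo1_.exe", 1908),
    ("File opened (read-only)", r"\??\U:", "Logo1_.exe", 1908),
    ("File opened (read-only)", r"\??\S:", "Logo1_.exe", 1908),
    ("File opened (read-only)", r"\??\E:", "Logo1_.exe", 1908),
    ("File opened for modification", r"C:\Program Files\7-Zip\7z.exe", "Logo1_.exe", 1908),
    ("File opened for modification", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Logo1_.exe", 1908),
    ("File opened for modification", r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE", "Logo1_.exe", 1908),
    ("File opened for modification", r"C:\Program Files\Mozilla Firefox\firefox.exe", "Logo1_.exe", 1908),
    ("File created", r"C:\Windows\Logo1_.exe", "06b20a20c9de68e0f69b7f19de820ef5.exe", 2660),
    ("File created", r"C:\Windows\virDll.dll", "Logo1_.exe", 1908),
    # Constructed benign control: an installer rewriting one of its own files.
    ("File opened for modification", r"C:\Program Files\7-Zip\7z.exe", "setup.exe", 3000),
]

# (writer pid, target pid) from the WriteProcessMemory table, de-duplicated.
MEMORY_WRITES = [(2660, 2400), (2660, 1908), (1908, 1380)]

# Process tree from the report: pid -> parent pid (None = top level).
PROCESS_TREE = {2660: None, 1908: 2660, 2400: 2660, 1380: None, 3000: None}

DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")          # \??\X:
PROGRAM_FILES_EXE = re.compile(r"^C:\\Program Files( \(x86\))?\\.+\.exe$", re.IGNORECASE)
WINDOWS_DIR_FILE = re.compile(r"^C:\\Windows\\[^\\]+$", re.IGNORECASE)  # directly under C:\Windows


def drives_enumerated(events):
    """Distinct drive letters each pid opened as a bare root path, read-only."""
    drives = defaultdict(set)
    for desc, path, _name, pid in events:
        m = DRIVE_ROOT.match(path)
        if desc == "File opened (read-only)" and m:
            drives[pid].add(m.group(1))
    return drives


def executables_modified(events):
    """Distinct Program Files executables each pid opened for modification."""
    mods = defaultdict(set)
    for desc, path, _name, pid in events:
        if desc == "File opened for modification" and PROGRAM_FILES_EXE.match(path):
            mods[pid].add(path.lower())  # NTFS paths are case-insensitive
    return mods


def windows_dir_drops(events):
    """Files created directly under C:\\Windows, with the creating pid."""
    return [(pid, path) for desc, path, _name, pid in events
            if desc == "File created" and WINDOWS_DIR_FILE.match(path)]


def cross_process_writes(writes, tree):
    """Memory writes whose target is not a direct child of the writer.

    Parent-to-child writes are what CreateProcess produces; a write into
    any other process is a candidate for code injection.
    """
    return [(src, dst) for src, dst in writes if tree.get(dst) != src]


def triage(events, writes, tree, min_drives=3, min_exes=3):
    """Apply all four heuristics and return (finding, subject, detail) tuples."""
    findings = []
    for pid, letters in drives_enumerated(events).items():
        if len(letters) >= min_drives:
            findings.append(("drive-enumeration", pid, len(letters)))
    for pid, paths in executables_modified(events).items():
        if len(paths) >= min_exes:
            findings.append(("mass-exe-modification", pid, len(paths)))
    for pid, path in windows_dir_drops(events):
        findings.append(("windows-dir-drop", pid, path))
    for src, dst in cross_process_writes(writes, tree):
        findings.append(("cross-process-write", src, dst))
    return findings


if __name__ == "__main__":
    for finding in triage(FILE_EVENTS, MEMORY_WRITES, PROCESS_TREE):
        print(*finding)
```

The thresholds are deliberately low so the four-event subset trips them; against a full report you would raise `min_exes` well above what an installer or updater touches, and the `setup.exe` row shows why: one modified binary is ordinary, dozens across unrelated vendors are not. The cross-process check depends on an accurate parent map, so feed it the sandbox's process tree rather than guessing parentage from pid order.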
Network
MITRE ATT&CK Enterprise v15
Downloads
(The report does not label which dropped artifact each download is. The 58KB file matches the submitted sample's size but has different hashes from it.)
- Filesize: 529B
  MD5: 0d15cc289f1a57ae2442d27705abef12
  SHA1: 973f039462df0cbc7b49a9e00a8b3c944bc1a262
  SHA256: b2e1773708d2398933b9da001003a6af9292c7a7af2b2c3609f0c178e586708f
  SHA512: ab76691c8dae80ac2b57eb8ea2080d323d7b9c7102a54c063173bf536af0aaa0f6b10e17b04b37b21277c904a8dfc413e5a1e9fda85a0efdb5f0949d1f68b2c2
- Filesize: 58KB
  MD5: d3067363e6e0c36a8090d6f155de0b52
  SHA1: 92ed48dfa0b159b9645b868bd69c9b70f963e526
  SHA256: b8cadd0ac47418494c38417f6f98e48e7b081c5b4aa1c93116f231e9a86e36ea
  SHA512: 241c09d3c5bc6df05cd14df9a20a65201cb2b7b95646ea8024341a30f61544fb4af0b82e3335062e4de3fe79423682c125dbec538668ac41099d6538235ae3a8