Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
25/12/2023, 07:51
Static task
static1
Behavioral task
behavioral1
Sample
102ca957a61c263da2b97850322455bf.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
102ca957a61c263da2b97850322455bf.exe
Resource
win10v2004-20231215-en
General
-
Target
102ca957a61c263da2b97850322455bf.exe
-
Size
95KB
-
MD5
102ca957a61c263da2b97850322455bf
-
SHA1
31e394198cb598873543e1ab51ab5a8235b978e2
-
SHA256
3fdb09ca52969e42204da872f8496ebf08ba631108daa6af1603e9cd42b8c0f4
-
SHA512
9b010d2c6d4b1978b776edb290f26b81b9f88531384265674265fa0309f71af2d084d8bd2d519adf86a95caeff1f5abf993f14d269b9c1f92ad629b23995f9ad
-
SSDEEP
1536:M4fgLdQAQfhJIJ0IOhdIeXQVIOUaQGqseL5t5EMlnFusG9yGYJHu0f2RKYdwCaj:HftffhJCu/IJIJaGselt5JFFN2pYO0Og
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid | Process
2240 | cmd.exe
Executes dropped EXE 2 IoCs
pid | Process
2832 | Logo1_.exe
2756 | 102ca957a61c263da2b97850322455bf.exe
Loads dropped DLL 2 IoCs
pid | Process
2240 | cmd.exe
2240 | cmd.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Hearts\ja-JP\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\setup_wm.exe | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\DVD Maker\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre7\lib\management\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini | Logo1_.exe
File created | C:\Program Files\7-Zip\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini | Logo1_.exe
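Of the 64 entries in this table, 58 are _desktop.ini files created or rewritten in application directories; the other six are existing executables opened for modification (serialver.exe, setup_wm.exe, jinfo.exe, MSTORDB.EXE, GoogleUpdate.exe, rmiregistry.exe). Writes into already-installed binaries are the part worth pulling out, since that behaviour is consistent with a file infector rather than a plain dropper, and those binaries should be hashed against a clean install before being trusted. The parser below is an added example, not part of the sandbox report or its tooling: it takes the flattened one-line form in which these rows come out of the sandbox UI (the sample string is a constructed excerpt of the rows above) and separates the _desktop.ini noise from the executables that were opened for writing.

```python
"""Parse flattened sandbox file-IoC rows and pull out modified executables.

Added example, not part of the sandbox report. Input format assumed:
"<action> <path> <process>" records run together on one line, where
<action> is one of the sandbox's fixed phrases and <process> has no spaces.
"""
import re
from collections import Counter

# Constructed excerpt of the report's "Drops file in Program Files directory"
# rows, in the run-together form they have when copied out of the UI.
FLAT_ROWS = (
    r"File opened for modification C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini Logo1_.exe "
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe Logo1_.exe "
    r"File created C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini Logo1_.exe "
    r"File opened for modification C:\Program Files (x86)\Windows Media Player\setup_wm.exe Logo1_.exe "
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe Logo1_.exe "
    r"File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE Logo1_.exe "
    r"File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe Logo1_.exe "
    r"File created C:\Program Files\7-Zip\_desktop.ini Logo1_.exe "
    r"File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe Logo1_.exe "
    r"File created C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini Logo1_.exe"
)

# The sandbox's fixed action phrases; the only reliable record delimiter.
ACTIONS = ("File opened for modification", "File created", "File opened (read-only)")

# Split just before every "File created" / "File opened ..." phrase. Paths
# such as "Common Files\..." do not match because "Files" is not "File ".
SPLIT_RE = re.compile(r"\s+(?=File (?:created|opened))")


def parse_rows(flat):
    """Return a list of {action, path, process} dicts from a flattened row string."""
    records = []
    for chunk in SPLIT_RE.split(flat.strip()):
        for action in ACTIONS:
            if chunk.startswith(action):
                rest = chunk[len(action):].strip()
                # Paths contain spaces; the process name does not, so split from the right.
                path, process = rest.rsplit(" ", 1)
                records.append({"action": action, "path": path, "process": process})
                break
        else:
            raise ValueError(f"unrecognised row: {chunk!r}")
    return records


def summarize(records):
    """Separate _desktop.ini churn from executables that were opened for writing."""
    by_action = Counter(r["action"] for r in records)
    desktop_ini = [r["path"] for r in records if r["path"].lower().endswith("\\_desktop.ini")]
    modified_exes = sorted(
        r["path"] for r in records
        if r["action"] == "File opened for modification" and r["path"].lower().endswith(".exe")
    )
    return {
        "rows": len(records),
        "by_action": dict(by_action),
        "desktop_ini": len(desktop_ini),
        "modified_executables": modified_exes,
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(FLAT_ROWS))
    print(f"{summary['rows']} rows, {summary['desktop_ini']} _desktop.ini, by action: {summary['by_action']}")
    for path in summary["modified_executables"]:
        print("executable opened for modification:", path)
```

Feed the full 64-row text to `parse_rows` and the executable list is the set of files to hash and compare against a known-good install; the `_desktop.ini` count is the directory-walk footprint and is useful as a host-sweep indicator on its own.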
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | 102ca957a61c263da2b97850322455bf.exe
File created | C:\Windows\Logo1_.exe | 102ca957a61c263da2b97850322455bf.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
2832 | Logo1_.exe
2832 | Logo1_.exe
2832 | Logo1_.exe
2832 | Logo1_.exe
2832 | Logo1_.exe
2832 | Logo1_.exe
2832 | Logo1_.exe
2832 | Logo1_.exe
2832 | Logo1_.exe
2832 | Logo1_.exe
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 2056 wrote to memory of 2240 | 2056 | 102ca957a61c263da2b97850322455bf.exe | 28
PID 2056 wrote to memory of 2240 | 2056 | 102ca957a61c263da2b97850322455bf.exe | 28
PID 2056 wrote to memory of 2240 | 2056 | 102ca957a61c263da2b97850322455bf.exe | 28
PID 2056 wrote to memory of 2240 | 2056 | 102ca957a61c263da2b97850322455bf.exe | 28
PID 2056 wrote to memory of 2832 | 2056 | 102ca957a61c263da2b97850322455bf.exe | 29
PID 2056 wrote to memory of 2832 | 2056 | 102ca957a61c263da2b97850322455bf.exe | 29
PID 2056 wrote to memory of 2832 | 2056 | 102ca957a61c263da2b97850322455bf.exe | 29
PID 2056 wrote to memory of 2832 | 2056 | 102ca957a61c263da2b97850322455bf.exe | 29
PID 2832 wrote to memory of 2268 | 2832 | Logo1_.exe | 30
PID 2832 wrote to memory of 2268 | 2832 | Logo1_.exe | 30
PID 2832 wrote to memory of 2268 | 2832 | Logo1_.exe | 30
PID 2832 wrote to memory of 2268 | 2832 | Logo1_.exe | 30
PID 2268 wrote to memory of 2808 | 2268 | net.exe | 33
PID 2268 wrote to memory of 2808 | 2268 | net.exe | 33
PID 2268 wrote to memory of 2808 | 2268 | net.exe | 33
PID 2268 wrote to memory of 2808 | 2268 | net.exe | 33
PID 2240 wrote to memory of 2756 | 2240 | cmd.exe | 34
PID 2240 wrote to memory of 2756 | 2240 | cmd.exe | 34
PID 2240 wrote to memory of 2756 | 2240 | cmd.exe | 34
PID 2240 wrote to memory of 2756 | 2240 | cmd.exe | 34
PID 2832 wrote to memory of 1420 | 2832 | Logo1_.exe | 12
PID 2832 wrote to memory of 1420 | 2832 | Logo1_.exe | 12
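Most of these rows are the writes a parent makes into a child it has just created, which the sandbox logs once per API call (hence four identical rows per parent/child pair). The two rows that matter are the last ones: PID 2832 (Logo1_.exe) writing into PID 1420, which is Explorer.EXE, a process Logo1_.exe did not spawn. That is the injection signal, and it is easy to miss in the flat list. The script below is an added example, not part of the sandbox report or its tooling: it parses the deduplicated rows above, joins them against the parent links from the process tree further down, and separates spawn-time writes from writes into unrelated processes. The procid_target column is treated as the sandbox's own index for the target process and ignored.

```python
"""Separate spawn-time WriteProcessMemory rows from cross-process injection.

Added example, not part of the sandbox report. A parent writing into a child
it just created is expected (CreateProcess sets up the child's environment
block); a write into a process the writer did not spawn is what to escalate.
"""
import re

# Distinct rows from the report's WriteProcessMemory table (the sandbox logs
# one row per API call; duplicates were collapsed for brevity).
WPM_ROWS = """
PID 2056 wrote to memory of 2240 2056 102ca957a61c263da2b97850322455bf.exe 28
PID 2056 wrote to memory of 2832 2056 102ca957a61c263da2b97850322455bf.exe 29
PID 2832 wrote to memory of 2268 2832 Logo1_.exe 30
PID 2268 wrote to memory of 2808 2268 net.exe 33
PID 2240 wrote to memory of 2756 2240 cmd.exe 34
PID 2832 wrote to memory of 1420 2832 Logo1_.exe 12
"""

# pid -> (image, parent pid), transcribed from the report's process tree.
# Explorer.EXE is the sandbox's launcher and has no recorded parent.
PROCESS_TREE = {
    1420: ("Explorer.EXE", None),
    2056: ("102ca957a61c263da2b97850322455bf.exe", 1420),
    2240: ("cmd.exe", 2056),
    2756: ("102ca957a61c263da2b97850322455bf.exe", 2240),
    2832: ("Logo1_.exe", 2056),
    2268: ("net.exe", 2832),
    2808: ("net1.exe", 2268),
}

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_rows(text):
    """Return (writer_pid, writer_image, target_pid) for each row; fail loudly on junk."""
    out = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        writer, target, image, _procid_target = m.groups()
        out.append((int(writer), image, int(target)))
    return out


def classify_writes(rows, tree):
    """Split rows into spawn-time writes (writer is target's parent) and injections."""
    spawn, inject = [], []
    for writer, image, target in rows:
        target_image, parent = tree.get(target, ("<unknown>", None))
        record = (writer, image, target, target_image)
        (spawn if parent == writer else inject).append(record)
    return spawn, inject


if __name__ == "__main__":
    spawn, inject = classify_writes(parse_rows(WPM_ROWS), PROCESS_TREE)
    print(f"{len(spawn)} spawn-time writes, {len(inject)} cross-process writes")
    for writer, image, target, target_image in inject:
        print(f"  {image} ({writer}) -> {target_image} ({target})")
```

Run as a script it reports the single cross-process write, Logo1_.exe (2832) into Explorer.EXE (1420); the same join works on Sysmon Event ID 8 or 10 data once the parent map is built from Event ID 1.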
Processes
C:\Windows\Explorer.EXE (depth 1) PID:1420
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\102ca957a61c263da2b97850322455bf.exe (depth 2) PID:2056
    command line: "C:\Users\Admin\AppData\Local\Temp\102ca957a61c263da2b97850322455bf.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3) PID:2240
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8FB2.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\102ca957a61c263da2b97850322455bf.exe (depth 4) PID:2756
        command line: "C:\Users\Admin\AppData\Local\Temp\102ca957a61c263da2b97850322455bf.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (depth 3) PID:2832
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (depth 4) PID:2268
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (depth 5) PID:2808
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
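The tree above is a compact execution chain: the sample drops Logo1_.exe and rundl132.exe into C:\Windows, hands a `$$a8FB2.bat` batch file in the user's Temp directory to cmd.exe (which deletes the original and re-launches it), and Logo1_.exe then stops "Kingsoft AntiVirus Service" through net.exe/net1.exe while sweeping Program Files. Each step is detectable from process-creation telemetry without any hash. The rules below are an added example, not part of the sandbox report or its tooling: they run over constructed events that mirror the tree (a simplified Sysmon Event ID 1 shape with pid, image, cmdline and parent) plus three benign controls, and a separate check flags dropped file names that are one character away from a real system binary, which catches rundl132.exe against rundll32.exe. The keyword list, the Windows-root allowlist and the system-binary name set are this example's own assumptions and need tuning for a real environment.

```python
"""Process-telemetry rules for the execution chain in this report.

Added example, not part of the sandbox report. Event shape is a simplified
Sysmon Event ID 1 record; the keyword and allow lists are assumptions.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\102ca957a61c263da2b97850322455bf.exe"

# Constructed events: the report's process tree plus three benign controls (3000-3002).
EVENTS = [
    {"pid": 2056, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "parent": r"C:\Windows\Explorer.EXE"},
    {"pid": 2240, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8FB2.bat", "parent": SAMPLE},
    {"pid": 2756, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "parent": r"C:\Windows\SysWOW64\cmd.exe"},
    {"pid": 2832, "image": r"C:\Windows\Logo1_.exe", "cmdline": r"C:\Windows\Logo1_.exe", "parent": SAMPLE},
    {"pid": 2268, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"', "parent": r"C:\Windows\Logo1_.exe"},
    {"pid": 2808, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"', "parent": r"C:\Windows\SysWOW64\net.exe"},
    {"pid": 3000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c C:\Scripts\backup.bat",
     "parent": r"C:\Windows\explorer.exe"},
    {"pid": 3001, "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop Spooler",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 3002, "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},
]

# From the report's "Drops file in Windows directory" signature.
DROPPED_FILES = [r"C:\Windows\rundl132.exe", r"C:\Windows\Logo1_.exe", r"C:\Windows\vDll.dll"]

# Assumed lists (illustrative, incomplete): tune per environment.
SECURITY_SERVICE_WORDS = ("antivirus", "anti-virus", "defender", "security", "firewall")
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe", "splwow64.exe"}
SYSTEM_BINARY_NAMES = {"rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def rule_cmd_runs_temp_batch(ev):
    """cmd.exe executing a .bat out of the user's Temp directory (self-delete/relaunch stub)."""
    return _name(ev["image"]) == "cmd.exe" and re.search(
        r'\\appdata\\local\\temp\\[^\s"]+\.bat\b', ev["cmdline"], re.I) is not None


def rule_net_stop_security_service(ev):
    """net/net1 stopping a service whose name looks like a security product."""
    if _name(ev["image"]) not in ("net.exe", "net1.exe"):
        return False
    m = re.search(r'\bstop\s+"?([^"]+)', ev["cmdline"], re.I)
    return bool(m) and any(w in m.group(1).lower() for w in SECURITY_SERVICE_WORDS)


def rule_exe_in_windows_root(ev):
    """Image executing directly from C:\\Windows (not a subdirectory) and not on the allowlist."""
    return _parent_dir(ev["image"]) == r"c:\windows" and _name(ev["image"]) not in WINDOWS_ROOT_ALLOWLIST


RULES = {
    "cmd_runs_temp_batch": rule_cmd_runs_temp_batch,
    "net_stop_security_service": rule_net_stop_security_service,
    "exe_in_windows_root": rule_exe_in_windows_root,
}


def detect(events):
    """Map each pid to the list of rule names it triggers."""
    return {ev["pid"]: [name for name, fn in RULES.items() if fn(ev)] for ev in events}


def levenshtein(a, b):
    """Edit distance; small enough inputs that the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_system_names(paths):
    """File names one edit away from a well-known system binary, e.g. rundl132.exe vs rundll32.exe."""
    return [(p, s) for p in paths for s in sorted(SYSTEM_BINARY_NAMES)
            if _name(p) != s and levenshtein(_name(p), s) == 1]


if __name__ == "__main__":
    for pid, hits in detect(EVENTS).items():
        if hits:
            print(pid, hits)
    print(lookalike_system_names(DROPPED_FILES))
```

The Temp-batch rule does not depend on the random `$$a8FB2` name, so it survives the per-run renaming; the service-stop rule keys on the service name rather than the vendor string, which is the part an attacker is least able to change.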
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 251KB
MD5 d22177d5406ae01b712a3f6711693c25
SHA1 0d413ce2c3645472437d933617ad749fe3f4d997
SHA256 d40b74f9734a92d73b20bfd2c8fcc703854325714e8fe19fdaf26eb8c0439a04
SHA512 cf7380b756daf84961e6ed8cdab35ffb6d57d6cf0740dfdd15a6453ebbdcb0153aef51c0d7f89551f431bab940a874eb999a0b9fbe2d090e307774e8ca7d3751

Filesize 471KB
MD5 cd063a49bae945a38047d1627588ee01
SHA1 1608915d38130f68d3398c174f206dc073814e7b
SHA256 ae8ed667c2ef87a5a30302264032701269ee5821aa6b33343ceb404257709f38
SHA512 c789f3def7d88f776b609be95f98a0876f7b1126586603e77ade5554f8538acd22608484ef9978ee6e2e9214393e4c8d3c48ac22ff7ecae9a8dba9fa7cd7a39b

Filesize 530B
MD5 4afb44ef24233da153e2ad13cdb6bf43
SHA1 f201a8f1cf071516da0406e42f5388524a3254e5
SHA256 fff1cf8cd3a1c04a8f6b527776c62b006721e8972d00a512b4bfca6ff33e1307
SHA512 2904a40a35a558e2ca9584ef24afdf8fd39fe0e4c91988d92339aed69971df35b6925f40b23106661de8395830f378a3061b8bf85408813b4ccaa176c66919ac

Filesize 69KB
MD5 ae374e374da6a3522d7ce982bc1fe36a
SHA1 ec2f2b04a63294f3e88456200db5af6074ce4f5c
SHA256 ffce1cc73821b24ad3f1d9de112df6fd7456c93bdb79af3ba49ec5b8239a38a1
SHA512 c3016f9d8f9dd30616d95792c6981cacd3d41f2531209174db1905efb249aafa92fdacc967e512592287ed284cf94b92627c87bf1fea0189f9022ebdcb8ebe8a

Filesize 26KB
MD5 307f58c9c0de8436de6b0ea5d358513d
SHA1 4df05bf43764d9f3672edaa8437d371e7d145edd
SHA256 9937c83b61783135229b94daf2ae3c56d64811512be65892a88606aabfd03b1c
SHA512 5137a664de3e65b8da773c2bac730791971bad78463966c232db0cb1cc93101527c19396cd9575be6dbc2e0c75d978a62b702a435cc853ae418cae1dbf5edacf

Filesize 10B
MD5 5700371755e9238ee012f3bf6444e816
SHA1 3a72d1425bec0ea7dcd0902e1fa7db3877eff254
SHA256 e089752af3f0a42db847473d9db5a45c0e8b88b0e7e108ba334c85481944a1ed
SHA512 c392d9271ff1f5c8bd17b90bc6ec9c30e2c6b1ce6ebde84b7e337eb07d213c68791bc344fb9a392ec81b6c763c45c16ae2b60f6c60f61e76a411375cefaeff07