Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-12-2023 19:16

Static task: static1
Behavioral task: behavioral1
- Sample: cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe
- Resource: win10v2004-20231215-en

The signatures, process tree and dropped files below are from behavioral1, the win7-20231215-en (windows7_x64) run.
General
- Target: cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe
- Size: 3.3MB
- MD5: 52c24fc732ae5d03dd73aea086e72ad1
- SHA1: 4bc9ae3dfd63f593d3a18fb116e3b33975ae4447
- SHA256: cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619
- SHA512: 7ce869f91bbd096067f4316f58a5ec3971d2e76e90212b645fc97c0da7d41fc5f97f6cb1819ac80643b0dbad1d1b6e62fea68a462347ee8eff1be2af213e3519
- SSDEEP: 49152:nD1wyVu6kLS4U/DiaJ0de0r2AJisyYy20QkTu5dPkLoJjEWJ:5wv6kw/eJNHy2z+LoJjEWJ
Malware Config

Signatures
Deletes itself (1 IoC)
- pid 2360, cmd.exe
Executes dropped EXE (2 IoCs)
- pid 2824, Logo1_.exe
- pid 3004, cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe
Loads dropped DLL (1 IoC)
- pid 2360, cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 21 entries are "File opened (read-only)" by Logo1_.exe, one per drive root, in the order recorded:
\??\W: \??\M: \??\L: \??\Z: \??\U: \??\S: \??\R: \??\Q: \??\N: \??\H: \??\E: \??\Y: \??\V: \??\T: \??\O: \??\G: \??\X: \??\P: \??\K: \??\J: \??\I:
Sorted, that is every letter from E: through Z: except F:; A:, B:, C: and D: are not probed. Opening drive roots that do not exist on the image is the classic first step of a sweep for removable and network volumes.
Drops file in Program Files directory (64 IoCs)
All 64 entries are attributed to Logo1_.exe. Seven are existing executables opened for modification (GoogleUpdateOnDemand.exe, TabTip32.exe, launcher.exe, jcmd.exe, wab.exe, pipanel.exe, MSOSYNC.EXE); the remaining 57 are _desktop.ini files created or opened for modification across Program Files subdirectories, which is consistent with a process walking the whole tree and touching every directory and PE it finds.
- created: C:\Program Files\MSBuild\Microsoft\_desktop.ini
- created: C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini
- created: C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini
- created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini
- opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
- opened for modification: C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini
- created: C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini
- created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini
- opened for modification: C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini
- opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
- opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini
- opened for modification: C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini
- opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini
- created: C:\Program Files\Windows Mail\fr-FR\_desktop.ini
- opened for modification: C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini
- created: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini
- opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
- opened for modification: C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini
- opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini
- opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini
- created: C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini
- opened for modification: C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini
- opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini
- opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini
- opened for modification: C:\Program Files\Java\jre7\lib\jfr\_desktop.ini
- opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\_desktop.ini
- opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini
- opened for modification: C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini
- opened for modification: C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini
- created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini
- opened for modification: C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini
- opened for modification: C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini
- created: C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini
- opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
- created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini
- created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini
- opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini
- opened for modification: C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini
- opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\_desktop.ini
- created: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini
- created: C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\_desktop.ini
- created: C:\Program Files\Java\jre7\lib\ext\_desktop.ini
- opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini
- created: C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini
- opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini
- opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini
- opened for modification: C:\Program Files\Windows Mail\wab.exe
- opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini
- opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini
- created: C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini
- opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini
- opened for modification: C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini
- opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
- created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini
- opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini
- created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini
- created: C:\Program Files\Microsoft Games\Multiplayer\_desktop.ini
- created: C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_desktop.ini
- opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini
- created: C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini
- opened for modification: C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\_desktop.ini
- created: C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini
- opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
- created: C:\Program Files (x86)\Windows NT\Accessories\de-DE\_desktop.ini
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\Logo1_.exe (by cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe)
- File opened for modification: C:\Windows\rundl132.exe (by Logo1_.exe)
- File created: C:\Windows\vDll.dll (by Logo1_.exe)
- File created: C:\Windows\rundl132.exe (by cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe)
rundl132.exe differs from the legitimate rundll32.exe by one character (a digit 1 in place of the second l), and all three files land directly in C:\Windows rather than in System32; both are cheap hunting pivots.
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
- pid 2824, Logo1_.exe, 10 events
Suspicious use of WriteProcessMemory (22 IoCs)
Grouped by source and target process (procid_target is the report's own process index, not a Windows PID; target names are resolved from the process tree below):
- 2468 cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe wrote to 2360 cmd.exe (procid_target 28), 4 events
- 2468 cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe wrote to 2824 Logo1_.exe (procid_target 29), 4 events
- 2824 Logo1_.exe wrote to 2308 net.exe (procid_target 34), 4 events
- 2308 net.exe wrote to 2704 net1.exe (procid_target 32), 4 events
- 2360 cmd.exe wrote to 3004 cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe (procid_target 33), 4 events
- 2824 Logo1_.exe wrote to 1212 Explorer.EXE (procid_target 14), 2 events
The first five pairs are parent-to-child writes that accompany normal process creation. The last pair is different: Explorer.EXE (PID 1212) is not a child of Logo1_.exe, so these are writes into an existing, unrelated process.
Processes
C:\Windows\Explorer.EXE (PID 1212)
- C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe (PID 2468)
  command line: "C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2360)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5ABD.bat
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe (PID 3004)
      command line: "C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe"
      - Executes dropped EXE
  - C:\Windows\Logo1_.exe (PID 2824)
    command line: C:\Windows\Logo1_.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2308)
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\net1.exe (PID 2704)
  command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Reading the tree: the sample (PID 2468) drops Logo1_.exe and rundl132.exe into C:\Windows, starts Logo1_.exe, and hands a batch file in its own Temp directory to cmd.exe; that cmd.exe instance is the one flagged "Deletes itself" and it re-launches the file at the sample's own path as PID 3004, which the sandbox now classifies as a dropped EXE (the Downloads section shows that path with different sizes and digests than the submitted file). Logo1_.exe then sweeps drive letters, touches Program Files, stops the Kingsoft antivirus service via net.exe, and writes into Explorer.EXE. The report renders net1.exe at the top level, but the WriteProcessMemory table shows net.exe (PID 2308) as its parent; net.exe always delegates to net1.exe. cmd.exe and net.exe run from SysWOW64, so the sample is a 32-bit process on the x64 image (the arch:x86 tag above).
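Behavioural rules for the patterns the signatures and tree above record, as an added example (this is not code from the sandbox or from the report). The event records are constructed to mirror the report's process tree and IoCs, reusing its PIDs, paths and command lines; the event schema, rule names, thresholds and the `sample.exe` stand-in for the long SHA256-named file are this example's own assumptions and not any product's format.

```python
"""Behavioural triage rules for a sandbox/EDR event stream.

Added example, not code from the report. EVENTS is constructed to
mirror the report's process tree and IoCs; the schema, rule names and
thresholds are this example's own choices.
"""
import ntpath
import re
from collections import defaultdict

# Names a dropped look-alike could impersonate; extend for your estate.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe",
                   "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
NET_STOP = re.compile(r'^(?:.*\\)?net1?(?:\.exe)?\s+stop\s+"?([^"]+)"?', re.I)
SECURITY_SVC = re.compile(r"anti.?virus|antimalware|defender|security", re.I)
TEMP_BAT = re.compile(r"^cmd(?:\.exe)?\s+/c\s+(\S+\\temp\\\S+\.bat)\s*$", re.I)
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")
DRIVE_SWEEP_MIN = 5     # the report shows 21 letters; demo threshold kept low
DESKTOP_INI_MIN = 3     # the report shows dozens under Program Files


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_system_binary(path: str):
    """Return the system binary this file name is one edit away from, else None."""
    name = ntpath.basename(path).lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((s for s in SYSTEM_BINARIES if _edit_distance(name, s) == 1), None)


def triage(events):
    """Apply the rules to a list of event dicts; return (rule, pid, detail) tuples."""
    findings, desktop_ini, drives = [], defaultdict(int), defaultdict(set)
    for ev in events:
        kind, pid, image = ev["type"], ev["pid"], ev["image"].lower()
        path = ev.get("path", "")
        low = path.lower()
        if kind == "file_create" and ntpath.dirname(low) == "c:\\windows" \
                and not image.startswith(SYSTEM_DIRS):
            findings.append(("file_dropped_in_windows_root", pid, path))
        if kind == "file_create" and (legit := lookalike_system_binary(path)):
            findings.append(("system_binary_lookalike", pid, f"{path} ~ {legit}"))
        if kind in ("file_create", "file_modify") and low.startswith(PROGRAM_FILES):
            if ntpath.basename(low) == "_desktop.ini":
                desktop_ini[pid] += 1
            elif kind == "file_modify" and low.endswith(".exe"):
                findings.append(("foreign_exe_opened_for_write", pid, path))
        if kind == "file_open" and (m := DRIVE_ROOT.match(path)):
            drives[pid].add(m.group(1))
        if kind == "process_create":
            cmd = ev.get("cmdline", "")
            if (m := NET_STOP.match(cmd)) and SECURITY_SVC.search(m.group(1)):
                findings.append(("security_service_stop", pid, m.group(1)))
            if (m := TEMP_BAT.match(cmd)):
                findings.append(("temp_batch_launcher", pid, m.group(1)))
        if kind == "remote_write" and ev["target_image"].lower().endswith("\\explorer.exe") \
                and not image.startswith(SYSTEM_DIRS):
            findings.append(("writes_into_explorer", pid, f"target pid {ev['target_pid']}"))
    for pid, n in desktop_ini.items():
        if n >= DESKTOP_INI_MIN:
            findings.append(("mass_desktop_ini_drop", pid, f"{n} files"))
    for pid, letters in drives.items():
        if len(letters) >= DRIVE_SWEEP_MIN:
            findings.append(("drive_letter_sweep", pid, "".join(sorted(letters))))
    return findings


# Constructed events shaped like the report (sample.exe stands in for the SHA256 name).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
LOGO = r"C:\Windows\Logo1_.exe"
EVENTS = [
    {"type": "file_create", "pid": 2468, "image": SAMPLE, "path": r"C:\Windows\Logo1_.exe"},
    {"type": "file_create", "pid": 2468, "image": SAMPLE, "path": r"C:\Windows\rundl132.exe"},
    {"type": "process_create", "pid": 2360, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5ABD.bat"},
    {"type": "file_create", "pid": 2824, "image": LOGO, "path": r"C:\Windows\vDll.dll"},
    {"type": "process_create", "pid": 2308, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"type": "file_modify", "pid": 2824, "image": LOGO, "path": r"C:\Program Files\Windows Mail\wab.exe"},
    {"type": "file_modify", "pid": 2824, "image": LOGO,
     "path": r"C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe"},
    {"type": "remote_write", "pid": 2824, "image": LOGO, "target_pid": 1212,
     "target_image": r"C:\Windows\Explorer.EXE"},
] + [{"type": "file_create", "pid": 2824, "image": LOGO,
      "path": ntpath.join(r"C:\Program Files\VideoLAN\VLC\locale", loc, "_desktop.ini")}
     for loc in ("he", "uk", "sr", "fa")
] + [{"type": "file_open", "pid": 2824, "image": LOGO, "path": "\\??\\" + d + ":"}
     for d in "EGHIJK"]

if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:30} pid={pid:<5} {detail}")
```

The two rules worth tuning for production are the aggregates: a single `_desktop.ini` write or one drive-root open is noise, so both are counted per process and only reported past a threshold, whereas a `net stop` of a security service or a write into Explorer.EXE from a binary outside System32 is reportable on its first occurrence.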
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not shown in the report)
  Filesize: 254KB
  MD5: 21bf7ddf289399c445b4d9218330a791
  SHA1: 34a1c135f4466d6a9e7fb8c5c7064686393df9b0
  SHA256: dbc084ecd299645cbd9763ef936a492ecd2165e1359fddbcacd804f25aa13874
  SHA512: 3d97fba0c3bf09651e9149234e760b557ad221d4258663db7849d09b479029677afcefae1aef5b6ce33f2838bc668b664bb99d07517bf520da972e8ac4ec6df3
- (path not shown in the report)
  Filesize: 722B
  MD5: e1ba1272d17b9985ee9423f9a54ed39b
  SHA1: 221825f08a8e3248dd6955921f86ea747da76818
  SHA256: de587b3a0aea3486c4e9df17d9401e531175cd2c47e9197de64aa5d2bc264243
  SHA512: abe30fdd62334a231cdb66c4d2806c51a00232d2cba8fac3af06e4858dcee3efcdc6afe0d681827142bbd98e1f15d0bad8fee01adc5b60d8c153310dc3a94e2c
- C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe
  Filesize: 257KB
  MD5: 7451d05eea016a0f4d0945f57a1a3304
  SHA1: 317c45f558777fc1bb6e3977af47c36cc70b02c1
  SHA256: f7b2eea91fa2ae888b74e89cd8193a906f9f2cab9f8719980976635ff752095f
  SHA512: 68eba56e72183a9e5c9bf15cf0bbd0dc2b1a801620b0e2d240b3ba0fe864c1d0dcf6a008375e0da3b7371923d8b5965d3340865d733e05c5939ec463aafa87e4
- C:\Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe.exe
  Filesize: 1024KB
  MD5: 693243c45bf3aff63cfdbde9c61d0736
  SHA1: f05be7171535ab3ab478670b57130667427ddbf8
  SHA256: 854850fc130b54c43107aafd7639a8a212fa94db68fcd015ec7b56a03e3c6024
  SHA512: 1ce6f64faead55386a60568f3b02f780793cb7001f940a97f38ebe3d60cc141bf7ac650e7f2d20ed258df58de9ee16e45980f0c7bd1e3b82f7320390ceda5fac
- (path not shown in the report)
  Filesize: 29KB
  MD5: 3f8f6ddcfd8d2e131ec9ff9ff2090ca1
  SHA1: bc69b2fbbab6fc66b5e8bd2ca7a358bc7000b44f
  SHA256: d33385041bbdbcbf890a8f56eb6877b4ecc87d319b10944074e97df9620bd8f2
  SHA512: 3652c4658d4a200d23ce970ee61b7831f4f91a121fd3ca6a5254e1a4dfe9866ceb17ad039bc1f30289b38c270ab6bef0d096329126acb285ad4d6f0c6bdcb97c
- (path not shown in the report)
  Filesize: 10B
  MD5: 0c6beb6d4da16bbf902e01a42ff163f5
  SHA1: aeeec783750199c10f8dd6e8aa828a44233e760b
  SHA256: 2c5a0b332a8c9449c746ee8dd0d751b77f5ff89c525609cd48a7959a9cf2e793
  SHA512: 3f4ec9bc64092ea98aee91777e052f410194ce728890df45cbeccb60c321c5547e52eaae747c8b64c4f8a9c22a04c0f20146bb7cc5826552ae23e3be8ccb7c3a
- \Users\Admin\AppData\Local\Temp\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe
  Filesize: 576KB
  MD5: f499c332ee83352289ac4308317ab95d
  SHA1: d6cce866a9fdc71f310876824828bcfe26a44f08
  SHA256: be1f0b258d2efd581e06497764f483ce6c9cba66b8d42ffb24b21246488b22c4
  SHA512: bfd20781678a4cdccf3679205fabb480042449dd23befd65aa36ae905a0c9c2e0d3195f22593b15b46543a39378ac8240fff76ea508e6d9badb1ab5126e1d69e

Note that the submitted sample is 3.3MB, yet its own Temp path appears here twice (once without the drive letter) at 257KB and 576KB with different digests, and a sibling with a doubled .exe.exe extension at 1024KB. The file at that path was therefore rewritten during the run, which is why the re-launched copy (PID 3004) is flagged "Executes dropped EXE". When hunting, match on all of these digests, not only on the submitted file's hashes.
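Matching files against the digests above, as an added example (not part of the report or of any sandbox tooling). `IOC_TABLE` carries the seven records from the Downloads section as printed (MD5, SHA1 and SHA256; the SHA512 column is omitted to keep the block short, and records the report lists without a path keep `path=None`). The one-pass multi-digest hashing, the index, the path normalisation and the `CANDIDATE` bytes are this example's own constructions.

```python
"""Hash-based matching against a sandbox report's dropped-file table.

Added example, not part of the report. IOC_TABLE is copied from the
Downloads section; everything else is this example's own code.
"""
import hashlib
import io
from collections import defaultdict

ALGOS = ("md5", "sha1", "sha256", "sha512")   # weakest first; matched strongest first
TEMP_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\cff73c205f17ac986289d0f9b84d2d9545d05c26c6480edc6e59e9d4126f9619.exe")

IOC_TABLE = [
    {"path": None, "size": "254KB", "md5": "21bf7ddf289399c445b4d9218330a791",
     "sha1": "34a1c135f4466d6a9e7fb8c5c7064686393df9b0",
     "sha256": "dbc084ecd299645cbd9763ef936a492ecd2165e1359fddbcacd804f25aa13874"},
    {"path": None, "size": "722B", "md5": "e1ba1272d17b9985ee9423f9a54ed39b",
     "sha1": "221825f08a8e3248dd6955921f86ea747da76818",
     "sha256": "de587b3a0aea3486c4e9df17d9401e531175cd2c47e9197de64aa5d2bc264243"},
    {"path": TEMP_EXE, "size": "257KB", "md5": "7451d05eea016a0f4d0945f57a1a3304",
     "sha1": "317c45f558777fc1bb6e3977af47c36cc70b02c1",
     "sha256": "f7b2eea91fa2ae888b74e89cd8193a906f9f2cab9f8719980976635ff752095f"},
    {"path": TEMP_EXE + ".exe", "size": "1024KB", "md5": "693243c45bf3aff63cfdbde9c61d0736",
     "sha1": "f05be7171535ab3ab478670b57130667427ddbf8",
     "sha256": "854850fc130b54c43107aafd7639a8a212fa94db68fcd015ec7b56a03e3c6024"},
    {"path": None, "size": "29KB", "md5": "3f8f6ddcfd8d2e131ec9ff9ff2090ca1",
     "sha1": "bc69b2fbbab6fc66b5e8bd2ca7a358bc7000b44f",
     "sha256": "d33385041bbdbcbf890a8f56eb6877b4ecc87d319b10944074e97df9620bd8f2"},
    {"path": None, "size": "10B", "md5": "0c6beb6d4da16bbf902e01a42ff163f5",
     "sha1": "aeeec783750199c10f8dd6e8aa828a44233e760b",
     "sha256": "2c5a0b332a8c9449c746ee8dd0d751b77f5ff89c525609cd48a7959a9cf2e793"},
    {"path": TEMP_EXE[2:], "size": "576KB",   # the report prints this one without "C:"
     "md5": "f499c332ee83352289ac4308317ab95d",
     "sha1": "d6cce866a9fdc71f310876824828bcfe26a44f08",
     "sha256": "be1f0b258d2efd581e06497764f483ce6c9cba66b8d42ffb24b21246488b22c4"},
]


def digest_stream(fp, chunk_size=1 << 20) -> dict:
    """Compute every digest in ALGOS in a single pass over a binary stream."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    while chunk := fp.read(chunk_size):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def digest_bytes(data: bytes) -> dict:
    return digest_stream(io.BytesIO(data))


def build_index(table) -> dict:
    """(algorithm, lower-case hex) -> record, for whichever digests a record carries."""
    index = {}
    for rec in table:
        for algo in ALGOS:
            if rec.get(algo):
                index[(algo, rec[algo].lower())] = rec
    return index


def match(digests: dict, index: dict):
    """Return (record, algorithm) for the strongest matching digest, else None.

    Strongest first on purpose: an MD5-only or SHA-1-only hit is a lead to
    confirm, not proof, since collisions for both are practical today."""
    for algo in reversed(ALGOS):
        hit = index.get((algo, digests[algo].lower()))
        if hit:
            return hit, algo
    return None


def normalise_path(path: str) -> str:
    """Fold case, unify separators, drop a leading drive letter, so the
    report's 'C:\\Users\\...' and '\\Users\\...' entries collapse to one key."""
    p = path.replace("/", "\\")
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p.lower()


def paths_with_multiple_contents(table) -> dict:
    """Paths recorded with more than one SHA-256, i.e. rewritten during the run."""
    seen = defaultdict(set)
    for rec in table:
        if rec.get("path"):
            seen[normalise_path(rec["path"])].add(rec["sha256"].lower())
    return {p: s for p, s in seen.items() if len(s) > 1}


CANDIDATE = b"MZ constructed bytes, not the real sample"   # constructed input

if __name__ == "__main__":
    print("match:", match(digest_bytes(CANDIDATE), build_index(IOC_TABLE)))
    for p, hashes in paths_with_multiple_contents(IOC_TABLE).items():
        print("rewritten:", p, sorted(hashes))
```

For a real file, pass an open binary handle to `digest_stream` rather than reading it into memory; the single pass matters when the candidate is a multi-gigabyte disk image rather than a 3.3MB dropper.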