Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
05/01/2024, 02:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
427f9615cf393b372949ae9b027a3e01.exe
Resource
win7-20231215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
427f9615cf393b372949ae9b027a3e01.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
427f9615cf393b372949ae9b027a3e01.exe
-
Size
330KB
-
MD5
427f9615cf393b372949ae9b027a3e01
-
SHA1
048293ce62da9d65a6df04ca57bdf0e0b90de2f6
-
SHA256
8fd593fd43f03a3e1b2490663e0a642707b363666a653cd10fb14a3d1f2b67a7
-
SHA512
804a90f01c9e4133684db3512202cbe7323bffe6686a7b2d5b0934d6a42ae15b12bf70bc7e4b3a8eed611e31a7da7c7c7e79573467d033db1943f916bf6fa61c
-
SSDEEP
3072:CftffhJCu/IQqifsI2+wrIk95SICKPsyEjvTtQXkVqKgvqgyAN9tQRiBE+y/Z:SVfhgu/1x2F0iSIGN7pmvX9/Q9Z
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3268 Logo1_.exe 4880 427f9615cf393b372949ae9b027a3e01.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows NT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\TagAlbumDefinitions\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\MSIX\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\pt-BR\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\MicrosoftEdgeUpdateOnDemand.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\UserControls\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe 427f9615cf393b372949ae9b027a3e01.exe File created C:\Windows\Logo1_.exe 427f9615cf393b372949ae9b027a3e01.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe 3268 Logo1_.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4576 wrote to memory of 3540 4576 427f9615cf393b372949ae9b027a3e01.exe 89 PID 4576 wrote to memory of 3540 4576 427f9615cf393b372949ae9b027a3e01.exe 89 PID 4576 wrote to memory of 3540 4576 427f9615cf393b372949ae9b027a3e01.exe 89 PID 4576 wrote to memory of 3268 4576 427f9615cf393b372949ae9b027a3e01.exe 90 PID 4576 wrote to memory of 3268 4576 427f9615cf393b372949ae9b027a3e01.exe 90 PID 4576 wrote to memory of 3268 4576 427f9615cf393b372949ae9b027a3e01.exe 90 PID 3268 wrote to memory of 3936 3268 Logo1_.exe 92 PID 3268 wrote to memory of 3936 3268 Logo1_.exe 92 PID 3268 wrote to memory of 3936 3268 Logo1_.exe 92 PID 3936 wrote to memory of 2904 3936 net.exe 94 PID 3936 wrote to memory of 2904 3936 net.exe 94 PID 3936 wrote to memory of 2904 3936 net.exe 94 PID 3268 wrote to memory of 3364 3268 Logo1_.exe 39 PID 3268 wrote to memory of 3364 3268 Logo1_.exe 39
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\427f9615cf393b372949ae9b027a3e01.exe"C:\Users\Admin\AppData\Local\Temp\427f9615cf393b372949ae9b027a3e01.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4FA6.bat3⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\427f9615cf393b372949ae9b027a3e01.exe"C:\Users\Admin\AppData\Local\Temp\427f9615cf393b372949ae9b027a3e01.exe"4⤵
- Executes dropped EXE
PID:4880
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:2904
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD5d6ba8cba8342c3088ca603a7853ba889
SHA13b98fb0e636d7fa449d80f7dc03586a845ef53d6
SHA256e0eef1fc8924f7f4da010520e7978d95d1f648476c5730af7ca12615452103ad
SHA512fa7ee684342ecfcb1025c0722f881762c7966e25a222e7d7996601fc6698e95ce6f8d0283b2c58b95103c2e21e7c0d237182aaa7e0f569cfc7ebd9c6a227297b
-
Filesize
570KB
MD52f7a5573c30b7e672790196321dd9013
SHA1da1afaa70ce319d719318e6479ef804619d729bd
SHA2562bdacc1d61136335527942ba3c14f9fbfaace30c86e7b78657e737f64dfd6737
SHA5122752c7995920d225a725596675147220179e734da38e67eb7a4e6f6ce1130f0d8c12434cf20b6dc70bef380dde28957d0b12b656cb119eee070a4752b27ee910
-
Filesize
481KB
MD53d2c4c03edc5deaff2da6b8c40b9e910
SHA100cbc9f113f6e31193b793718639b9b87dc690c8
SHA2567afe05938671d682a8eeca0f48a1cf660961c82ef15879a0773b1e69f9660474
SHA5120f58f88693ec448090f5d298440ac08c207978e790b2f49a0d92d93ab6e11c1a8fa78c5cd65278a83c232cb0adbd2c672c21d5c65162370c9a42065507a3c594
-
Filesize
530B
MD541ab740e3daedc32b0f10a9e03e64fe7
SHA14e76293aad93223604d12b7275d81e87fccb8f20
SHA256142207d992dc9b5c8549957f7ba3f741af31f9ea186d389de501b5e36d1f8849
SHA51263d12b0825c96bfa7a576a6f819e576c8cf177464da0c58a348d144eed67987a3d85ecf71b8c01826b28c717fc0d58fbb4814bf2234a40c58418b7f445e294d3
-
Filesize
304KB
MD532856c61ab3c0711dbf54890dcd0755a
SHA1d242f8115fec145dfdff0a0729f34991027bd7a3
SHA256de6e79f384444aebb61c5d38044ea430c2911162d1a3770267a63ac2cd9c03ab
SHA51200fd2b0e4965b7a85ca772a34fae8fdeca14dfc5bc347412ebe6d15017ebc07f22cd78d9f6f9f61c49ba26ba62a21bae6721488872be97a6ffd64616320f83a8
-
Filesize
26KB
MD54deec1ee4c508e658e9ac56bd4e367d8
SHA18449fb96da6490e6abe8e6aa9cd38051f2c39625
SHA256e4af0831fd974f9cbdbeca824ddeaf6d14472d0078aeb60fc3ed31c6189a763b
SHA5127fab6020e1151beec9f8bc77c520c1ae60ec76815a24fbd5551b78a696611e5f9639f34671e84885fee17a227263b4904c47deedd0734c6c5b38fddfcd908b40