Analysis
-
max time kernel
157s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28/02/2024, 04:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe
Resource
win7-20240221-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe
-
Size
2.8MB
-
MD5
5186991d575948f47057661a657c7395
-
SHA1
6899240c7b154327e2a68d333106eac81efea895
-
SHA256
ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d
-
SHA512
1cf88d5e6152c5ecd5248a360a9a12eacf168870615bc49e65cfb30ee45ff57324a4489c17a0087e0d2519585853ff1889b98aed2fb2183327cc650daeda56ba
-
SSDEEP
49152:v6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:id1XdhBiiMa7
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 1364 Logo1_.exe 3792 ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\x64\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Mail\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Mail\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\fonts\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Installer\setup.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Media Player\wmprph.exe Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-black\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Trust Protection Lists\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe File created C:\Windows\Logo1_.exe ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe 1364 Logo1_.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 876 wrote to memory of 1480 876 ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe 95 PID 876 wrote to memory of 1480 876 ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe 95 PID 876 wrote to memory of 1480 876 ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe 95 PID 876 wrote to memory of 1364 876 ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe 96 PID 876 wrote to memory of 1364 876 ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe 96 PID 876 wrote to memory of 1364 876 ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe 96 PID 1364 wrote to memory of 776 1364 Logo1_.exe 98 PID 1364 wrote to memory of 776 1364 Logo1_.exe 98 PID 1364 wrote to memory of 776 1364 Logo1_.exe 98 PID 776 wrote to memory of 3012 776 net.exe 100 PID 776 wrote to memory of 3012 776 net.exe 100 PID 776 wrote to memory of 3012 776 net.exe 100 PID 1364 wrote to memory of 3596 1364 Logo1_.exe 79 PID 1364 wrote to memory of 3596 1364 Logo1_.exe 79
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe"C:\Users\Admin\AppData\Local\Temp\ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8993.bat3⤵PID:1480
-
C:\Users\Admin\AppData\Local\Temp\ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe"C:\Users\Admin\AppData\Local\Temp\ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe"4⤵
- Executes dropped EXE
PID:3792
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:3012
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2148 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:81⤵PID:2976
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD56ac989adedb73a3d38a2a1072014d6e5
SHA182b09041e346e27bfaf231236ec178e96ae6a1af
SHA256dfaf0612e3ecd20129d93e805d322897c33a8ceb2ce3a96e4dfbd503dcb1b677
SHA51279e2e92e7ce51633b3e2afaa457cbebdecb36811926bdbf3351a0c9e16d1eaba869927ea1e310844678559b20e34952f5b61da3ea34fdda12b4801f49714bacc
-
Filesize
573KB
MD518ca81f4fe7726b280affe25cf9c497d
SHA1f67aa3b7f6473720c096e175ebf987cbd24ffef3
SHA25611525090ab4b83c480f7f026fda557967f569bf943880a4d7a762c55e47d8a46
SHA512175719b14c0d55edd5cce053e1fccc1d7e708151c57f6848cc4d48201e01ba5a05dbdeb8325f3a489b1fd80e0facb29c49b4290182316bb9cee3984e68ca812a
-
Filesize
722B
MD532b4cb796bbc8a1784843214c0906ba9
SHA1c8352620e242ac2034bdccf2274edcd7ef6bde72
SHA256c85ee5f7b22e96d1afafc8b06f2d35f207b875ed033a1c6e53deb688eb16a21c
SHA512f1e246e71e6806c4a865e4b7cbfc8a18b64fdcc3ac7931656fef9b8eed83b292b6659b1b4d8ef113cc75af8015aac2ba342b48e462c27407aa868900eeaeadae
-
C:\Users\Admin\AppData\Local\Temp\ab795ebf88c8715c9de2323ad9988b19ff76bb2298c454bf208cc1c8ee27fe7d.exe.exe
Filesize2.8MB
MD5095092f4e746810c5829038d48afd55a
SHA1246eb3d41194dddc826049bbafeb6fc522ec044a
SHA2562f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588
SHA5127f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400
-
Filesize
29KB
MD548417a1e1b19255298820609095c0839
SHA163339faa9379182e7294e9e64e0cf9240c3e46f5
SHA25630474181dcd232e3f151f005e47c635b759fa30560b6cff497ca654c6f70ca63
SHA51240c633d5136634874734405f59a0998236d3123765d887e9fc4cc0cf2e00c1a2343246a2cb78b4a6cb7fd3573c2220a79c682b78f60db1257038c104d1cb1492
-
Filesize
9B
MD520579de1c6702ea14f25df921a00274b
SHA1fc7299007b5fb0580c7a3ef6ae0efd8aaf80a35f
SHA2563eb24c26a19e67d7f499ccb30f78fc29bee126bafd13f41470223c1b8f2e1e4e
SHA512e9a21ede4321b86e5d215d41321741f8db22b9eb92c1325026182c688311d5134041102a194d670abcbd182d2c91d5180ac9b7c9daaf9e41109a3b3d8e3c3d81