Analysis
max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
28-02-2024 20:43
Static task
static1
Behavioral task
behavioral1
Sample
b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe
Resource
win10v2004-20240226-en
General
Target
b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe
Size
242KB
MD5
cc11282b7f5bbdc002dbe35ea153fab2
SHA1
8aaf783e56479d8f8b3d946eb941ee07c32e6210
SHA256
b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57
SHA512
36bcac606d5fb556f8a4656ddf652c41e0238811e213e579c0771037ab23017e0e2741742d32a57ae94da8624d95594cfe074bb4b8d13c34d05976365620bad3
SSDEEP
3072:1sftffjmN/B4odcQPaHy4V8y47vRNZ2iL45uN9woY46x6a8fGIkkJxGAxYJ:iVfjmN/BjZPaS4VF4T52ikHohloAs
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid Process
1320 Logo1_.exe
3848 b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\Y: Logo1_.exe
File opened (read-only) \??\X: Logo1_.exe
File opened (read-only) \??\U: Logo1_.exe
File opened (read-only) \??\T: Logo1_.exe
File opened (read-only) \??\Q: Logo1_.exe
File opened (read-only) \??\O: Logo1_.exe
File opened (read-only) \??\M: Logo1_.exe
File opened (read-only) \??\S: Logo1_.exe
File opened (read-only) \??\P: Logo1_.exe
File opened (read-only) \??\Z: Logo1_.exe
File opened (read-only) \??\W: Logo1_.exe
File opened (read-only) \??\V: Logo1_.exe
File opened (read-only) \??\R: Logo1_.exe
File opened (read-only) \??\K: Logo1_.exe
File opened (read-only) \??\J: Logo1_.exe
File opened (read-only) \??\G: Logo1_.exe
File opened (read-only) \??\N: Logo1_.exe
File opened (read-only) \??\L: Logo1_.exe
File opened (read-only) \??\I: Logo1_.exe
File opened (read-only) \??\H: Logo1_.exe
File opened (read-only) \??\E: Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\rundl132.exe b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe
File created C:\Windows\Logo1_.exe b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe
File opened for modification C:\Windows\rundl132.exe Logo1_.exe
File created C:\Windows\vDll.dll Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process
1320 Logo1_.exe (the same entry is listed 20 times)
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target
PID 1848 wrote to memory of 116 1848 b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe 88
PID 1848 wrote to memory of 116 1848 b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe 88
PID 1848 wrote to memory of 116 1848 b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe 88
PID 1848 wrote to memory of 1320 1848 b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe 89
PID 1848 wrote to memory of 1320 1848 b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe 89
PID 1848 wrote to memory of 1320 1848 b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe 89
PID 1320 wrote to memory of 672 1320 Logo1_.exe 90
PID 1320 wrote to memory of 672 1320 Logo1_.exe 90
PID 1320 wrote to memory of 672 1320 Logo1_.exe 90
PID 672 wrote to memory of 1688 672 net.exe 93
PID 672 wrote to memory of 1688 672 net.exe 93
PID 672 wrote to memory of 1688 672 net.exe 93
PID 116 wrote to memory of 3848 116 cmd.exe 94
PID 116 wrote to memory of 3848 116 cmd.exe 94
PID 1320 wrote to memory of 3476 1320 Logo1_.exe 50
PID 1320 wrote to memory of 3476 1320 Logo1_.exe 50
Processes
C:\Windows\Explorer.EXE (PID 3476)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe (PID 1848)
    command line: "C:\Users\Admin\AppData\Local\Temp\b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 116)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F89.bat
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe (PID 3848)
        command line: "C:\Users\Admin\AppData\Local\Temp\b6c19141e70a6849a43b3ef9474d146e4c54cf25f523e614b1732d81485f4b57.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 1320)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 672)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 1688)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads