Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-03-2024 11:24
Static task: static1
Behavioral task: behavioral1
- Sample: b495ad8edaf6f8da1c38437a3d6c44c8.exe
- Resource: win7-20240221-en
General
- Target: b495ad8edaf6f8da1c38437a3d6c44c8.exe
- Size: 72KB
- MD5: b495ad8edaf6f8da1c38437a3d6c44c8
- SHA1: 1e98a8dc9421eae40037421bc332f86b224a5a39
- SHA256: ddd235cb2286fbf73341cfe720fce3b7616c1fd4f5b71dae23e3f5a08d4fb1ce
- SHA512: 8036e3d4edf0d4f928498c354e49615bb3c70667ea8004ff84a9002ad7553237386e3d467f7f3588d084f9824996b6468a018c8af09f4a33aeea1e63703c5659
- SSDEEP: 1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmitVVXC3adCA:qKtfDwsjPThTYszDH2fRCK7
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1964, Process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 1840, Process Logo1_.exe
  pid 2652, Process b495ad8edaf6f8da1c38437a3d6c44c8.exe
- Loads dropped DLL (1 IoC)
  pid 1964, Process cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\L:, \??\H:, \??\G:, \??\Y:, \??\T:, \??\R:, \??\K:, \??\J:, \??\E:, \??\Q:, \??\O:, \??\N:, \??\P:, \??\M:, \??\Z:, \??\U:, \??\S:, \??\I:, \??\X:, \??\W:, \??\V:
- Drops file in Program Files directory (64 IoCs)
  File opened for modification by Logo1_.exe:
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
  C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
  C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe
  C:\Program Files (x86)\Windows Media Player\wmpenc.exe
  C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
  C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
  C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
  C:\Program Files (x86)\Internet Explorer\iexplore.exe
  C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
  C:\Program Files\Java\jre7\bin\keytool.exe
  C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
  C:\Program Files\Windows Mail\wab.exe
  C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe
  C:\Program Files\Java\jre7\bin\klist.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe
  C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
  C:\Program Files\Java\jre7\bin\kinit.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
  C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe
  C:\Program Files\Java\jre7\bin\ktab.exe
  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
  C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe
  C:\Program Files\Java\jre7\bin\pack200.exe
  C:\Program Files\Java\jre7\bin\servertool.exe
  C:\Program Files\Java\jre7\bin\unpack200.exe
  C:\Program Files (x86)\Windows Mail\WinMail.exe
  C:\Program Files\Mozilla Firefox\uninstall\helper.exe
  C:\Program Files (x86)\Windows Mail\wab.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
  C:\Program Files\Java\jre7\bin\javaw.exe
  C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
  C:\Program Files\Java\jre7\bin\javaws.exe
- Drops file in Windows directory (2 IoCs)
  File created C:\Windows\Logo1_.exe by b495ad8edaf6f8da1c38437a3d6c44c8.exe
  File created C:\Windows\virDll.dll by Logo1_.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 1840, Process Logo1_.exe (reported 8 times)
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 2020 wrote to memory of 1964 | 2020 | b495ad8edaf6f8da1c38437a3d6c44c8.exe | 28 (4 events)
  PID 2020 wrote to memory of 1840 | 2020 | b495ad8edaf6f8da1c38437a3d6c44c8.exe | 29 (4 events)
  PID 1840 wrote to memory of 1184 | 1840 | Logo1_.exe | 21 (2 events)
  PID 1964 wrote to memory of 2652 | 1964 | cmd.exe | 31 (4 events)
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 1184
  - C:\Users\Admin\AppData\Local\Temp\b495ad8edaf6f8da1c38437a3d6c44c8.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b495ad8edaf6f8da1c38437a3d6c44c8.exe"), PID 2020
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a27FA.bat), PID 1964
      signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\b495ad8edaf6f8da1c38437a3d6c44c8.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b495ad8edaf6f8da1c38437a3d6c44c8.exe"), PID 2652
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (command line: C:\Windows\Logo1_.exe), PID 1840
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 530B
  MD5: efff2e33f0620a1e26fef83619f4fc5f
  SHA1: 021ad953b8872da704b5c31acbf9d89d1c40f051
  SHA256: 7af59481119e4d7ad0ec4e5923dec354cda501ec0846430d32e7ebbc721fb5e4
  SHA512: 068269172ad5b11e6343f628b1ea5a8b2d8cedc4091a89fe9d9071b0886dfa1c4977e23f2ee205b45bdc62f590a75bcb8dc931028dfbe2e9cf09a5375c3a1ce3
- Filesize: 14KB
  MD5: 24ef7650a464eb95f8a5bba03202a9ef
  SHA1: fd6e36e45fda812ec49eb9a07ce8a6a2ed6cb70c
  SHA256: 290a6c952a8216276bea217b1de6a0e8e3150083fe3b441f3784acac02c77f51
  SHA512: 6402433d125f7e6b8478f2a06fa03e547adc95b18a6426324cbedb39a94ace3e7aa1605b3391b8cb0cf93cddfbc2eaecf781001e915f1546b9492bdebcae64db
- Filesize: 58KB
  MD5: 5f37f663a4fa45d381d07638032d024c
  SHA1: ee3f57a5b28850c4ab25758174faca9ea1af40bd
  SHA256: bdb0ef4eab81fe0e8d164e94ff78fea2c33a9578a9d8f0cf655240a2215c38ba
  SHA512: fc6c77edf8bc56484ecb5354240bb9202a536fdb34596b6c1392641be4e762fba5dbe5e325f255d76566b5716684246fc75518c2bb29ea2235ff5a3f1f995485