Analysis
- Max time kernel: 149s
- Max time network: 121s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 16-04-2024 12:08

Static task: static1
Behavioral task: behavioral1
- Sample: d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
- Resource: win7-20240221-en
General
- Target: d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
- Size: 76KB
- MD5: e07b751df71c59e42caa061542fa043c
- SHA1: f2ef0ab1f49fd619212a5fdb8278d1e81ea1c137
- SHA256: d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c
- SHA512: 9a3b2d1cd357e6a3393bc626fea3ce01f0063c6ff09a37bee9bfa10d0c1770d6683e81a0c2d6b65efd66df3ce37ae00f2b20a30712c66248c50bfa0aeb938ea5
- SSDEEP: 1536:Are+Zk7qzUJBC2KsgSMcJziXriw+d9bHrkT5gUHz7FxtJ:Are+aezUa6pBiXrBkfkT5xHzD
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2624, process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2560, process Logo1_.exe
  pid 2844, process d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
- Loads dropped DLL (1 IoC)
  pid 2624, process cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Logo1_.exe opened (read-only) the root of drives W:, N:, M:, E:, H:, Z:, X:, U:, T:, P:, K:, I:, V:, Q:, L:, J:, Y:, S:, R:, O: and G: (paths of the form \??\W:).
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\rundl132.exe, by d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
  File created: C:\Windows\Logo1_.exe, by d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
  File opened for modification: C:\Windows\rundl132.exe, by Logo1_.exe
  File created: C:\Windows\Dll.dll, by Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
- Suspicious use of WriteProcessMemory (38 IoCs)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1244
  - C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe"
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID: 1540
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 2024
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 2152
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6E4D.bat
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID: 2624
      - C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe"
        Signatures: Executes dropped EXE
        PID: 2844
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 2560
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 2584
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2728
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 1712
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2520
Network
MITRE ATT&CK Enterprise v15
Downloads