Analysis

- max time kernel: 100s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 17/04/2024, 23:32
Static task: static1

Behavioral task: behavioral1
- Sample: 54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe
- Resource: win10v2004-20240412-en

(The signatures, process tree and downloads below are from the Windows 7 run, behavioral1.)
General

- Target: 54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe
- Size: 78KB
- MD5: 955506b9bad41d4f9b2580c9c30ce008
- SHA1: c2a0307df64d5e503525bd096cb212d34b7d2f72
- SHA256: 54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74
- SHA512: 7e47fe5fd21f13f5a0e84fbb5481d683af9bd2fcb08e13100d8f138d60f2879718fa030576199ef526f679281d7d89a35e3038340cede6f9a12b023627dc7e9e
- SSDEEP: 1536:3fgLdQAQfcfymNpQKt8fjqXnviYhb8x//LenDkBT/ri:3ftffjmNWUXnviYhb8t/LenDkBTDi
Malware Config

Signatures

- Deletes itself (1 IoC)
  pid 2636  cmd.exe

- Executes dropped EXE (2 IoCs)
  pid 2992  Logo1_.exe
  pid 3004  54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe

- Loads dropped DLL (2 IoCs)
  pid 2636  cmd.exe
  pid 2636  cmd.exe

- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe, one event per drive letter, every letter from E: to Z: except F:
  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:

- Drops file in Program Files directory (64 IoCs), all by process Logo1_.exe
  Two kinds of write appear: a marker file named _desktop.ini created or reopened in many unrelated vendors' directories (note the leading underscore; the Windows shell's own file is desktop.ini), and existing executables opened for modification.
  File created                  C:\Program Files\Microsoft Games\Minesweeper\es-ES\_desktop.ini
  File opened for modification  C:\Program Files\DVD Maker\es-ES\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
  File created                  C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_desktop.ini
  File created                  C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini
  File created                  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini
  File opened for modification  C:\Program Files\Java\jre7\bin\unpack200.exe
  File opened for modification  C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\fonts\_desktop.ini
  File created                  C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini
  File opened for modification  C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini
  File created                  C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini
  File created                  C:\Program Files\Microsoft Games\Minesweeper\en-US\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\_desktop.ini
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini
  File created                  C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini
  File created                  C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini
  File created                  C:\Program Files\Google\Chrome\Application\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini
  File opened for modification  C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini
  File created                  C:\Program Files\DVD Maker\Shared\_desktop.ini
  File opened for modification  C:\Program Files\Mozilla Firefox\uninstall\helper.exe
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Checkers\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini
  File created                  C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini
  File created                  C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini
  File created                  C:\Program Files\Microsoft Games\Multiplayer\Checkers\_desktop.ini
  File created                  C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini
  File created                  C:\Program Files\Java\jre7\lib\management\_desktop.ini
  File opened for modification  C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_desktop.ini
  File opened for modification  C:\Program Files\DVD Maker\de-DE\_desktop.ini
  File created                  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
  File created                  C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini

- Drops file in Windows directory (4 IoCs)
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created                  C:\Windows\vDll.dll      Logo1_.exe
  File created                  C:\Windows\rundl132.exe  54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe
  File created                  C:\Windows\Logo1_.exe    54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe
  Note the lookalike name: rundl132 (with the digit one), not the legitimate rundll32.exe.

- Runs net.exe
  (net stop "Kingsoft AntiVirus Service", launched by Logo1_.exe; see the process tree)

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2992  Logo1_.exe  (10 events)

- Suspicious use of WriteProcessMemory (22 IoCs)
  source PID  source process                          target PID  target process   procid_target  events
  2108        54de4c499b...b5f45e74.exe (the sample)  2636        cmd.exe          28             4
  2108        54de4c499b...b5f45e74.exe (the sample)  2992        Logo1_.exe       30             4
  2992        Logo1_.exe                              2572        net.exe          31             4
  2636        cmd.exe                                 3004        (sample, re-run) 33             4
  2572        net.exe                                 1972        net1.exe         34             4
  2992        Logo1_.exe                              1124        Explorer.EXE     20             2
  The first five rows are parent-to-child writes that normally accompany process creation. The last row is different: Logo1_.exe writes into Explorer.EXE (PID 1124), the shell at the root of the tree, which is not one of its children.
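The signature list above is a flattened table of events. The Python below is an added example, not part of the sandbox's tooling or of this report, that re-derives each of those verdicts from a handful of the listed events so the logic behind them is explicit. The event tuples are copied from the IoC tables (a subset); the (kind, detail, process) shape, the firing thresholds, and the keyword heuristic that treats `net stop "Kingsoft AntiVirus Service"` as a security-service stop are assumptions made for illustration.

```python
"""Behavioural triage over flattened sandbox events.

Added example for this report, not the sandbox's own tooling. The event
tuples are a subset of the IoCs in the Signatures section; the tuple
shape, thresholds and service-name heuristic are illustrative assumptions.
"""
import re

SAMPLE = "54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe"

# Subset of the report's IoCs as (kind, detail, process); shape is assumed.
EVENTS = [
    ("file_open_ro", r"\??\P:", "Logo1_.exe"),
    ("file_open_ro", r"\??\O:", "Logo1_.exe"),
    ("file_open_ro", r"\??\K:", "Logo1_.exe"),
    ("file_open_ro", r"\??\E:", "Logo1_.exe"),
    ("file_open_ro", r"\??\Z:", "Logo1_.exe"),
    ("file_create", r"C:\Program Files\Microsoft Games\Minesweeper\es-ES\_desktop.ini", "Logo1_.exe"),
    ("file_create", r"C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini", "Logo1_.exe"),
    ("file_create", r"C:\Program Files\Google\Chrome\Application\_desktop.ini", "Logo1_.exe"),
    ("file_modify", r"C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe", "Logo1_.exe"),
    ("file_modify", r"C:\Program Files\Java\jre7\bin\unpack200.exe", "Logo1_.exe"),
    ("file_modify", r"C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe", "Logo1_.exe"),
    ("file_modify", r"C:\Program Files\Mozilla Firefox\uninstall\helper.exe", "Logo1_.exe"),
    ("file_create", r"C:\Windows\vDll.dll", "Logo1_.exe"),
    ("file_create", r"C:\Windows\rundl132.exe", SAMPLE),
    ("file_create", r"C:\Windows\Logo1_.exe", SAMPLE),
    ("process_create", r'C:\Windows\SysWOW64\net.exe net stop "Kingsoft AntiVirus Service"', "Logo1_.exe"),
    ("process_create", r"C:\Windows\SysWOW64\cmd.exe cmd /c C:\Users\Admin\AppData\Local\Temp\$$a17F4.bat", SAMPLE),
]

DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")                       # \??\X:  (NT device path)
PROGRAM_FILES_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.I)
WINDOWS_ROOT_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+$", re.I)    # directly under %SystemRoot%
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"([^"]+)"', re.I)
SELF_DELETE_RE = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+\S*\\Temp\\\$\$\w+\.bat\b", re.I)
AV_HINT_RE = re.compile(r"anti.?virus|antimalware|security|defender|protect", re.I)  # assumed keyword list


def drives_probed(events):
    """Distinct non-C: drive letters opened read-only, i.e. drive enumeration."""
    letters = set()
    for kind, detail, _ in events:
        m = DRIVE_RE.match(detail)
        if kind == "file_open_ro" and m and m.group(1) != "C":
            letters.add(m.group(1))
    return letters


def program_files_writes(events):
    """Writes under Program Files, split into _desktop.ini markers and
    executables opened for modification (the two kinds the report lists)."""
    markers, executables = [], []
    for kind, detail, _ in events:
        if kind not in ("file_create", "file_modify") or not PROGRAM_FILES_RE.match(detail):
            continue
        name = detail.rsplit("\\", 1)[-1].lower()
        if name == "_desktop.ini":
            markers.append(detail)
        elif kind == "file_modify" and name.endswith(".exe"):
            executables.append(detail)
    return markers, executables


def windows_root_drops(events):
    """Files created directly under the Windows directory, with the writer."""
    return [(detail, proc) for kind, detail, proc in events
            if kind == "file_create" and WINDOWS_ROOT_RE.match(detail)]


def stopped_services(events):
    """Service names passed to net stop / net1 stop in process command lines."""
    names = []
    for kind, detail, _ in events:
        if kind == "process_create":
            m = NET_STOP_RE.search(detail)
            if m:
                names.append(m.group(1))
    return names


def self_delete_batches(events):
    """cmd /c on a $$<id>.bat under Temp, launched by the sample itself."""
    return [detail for kind, detail, proc in events
            if kind == "process_create" and proc == SAMPLE and SELF_DELETE_RE.search(detail)]


def verdict(events, min_drives=3, min_markers=3):
    """Names of the behaviours that fire. Thresholds are illustrative."""
    fired = []
    if len(drives_probed(events)) >= min_drives:
        fired.append("Enumerates connected drives")
    markers, executables = program_files_writes(events)
    if len(markers) >= min_markers:
        fired.append("Drops _desktop.ini markers in Program Files")
    if executables:
        fired.append("Opens Program Files executables for modification")
    if windows_root_drops(events):
        fired.append("Drops file in Windows directory")
    if any(AV_HINT_RE.search(name) for name in stopped_services(events)):
        fired.append("Stops a security service via net.exe")
    if self_delete_batches(events):
        fired.append("Deletes itself via a temp .bat")
    return fired


if __name__ == "__main__":
    for line in verdict(EVENTS):
        print("[+]", line)
```

The two Program Files checks are the ones worth carrying into a real rule: a single process creating a file with the same non-standard name (`_desktop.ini`, not the shell's `desktop.ini`) across unrelated vendors' directories, while also opening existing executables in those directories for write, is a pattern that does not occur in normal installs or updates. The drive-letter probe and the `net stop` alone are noisy on their own (backup agents and admin scripts do both); they earn their place here only in combination with the file writes.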
Processes

[1] C:\Windows\Explorer.EXE  (PID 1124)
    command line: C:\Windows\Explorer.EXE

  [2] C:\Users\Admin\AppData\Local\Temp\54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe  (PID 2108)
      command line: "C:\Users\Admin\AppData\Local\Temp\54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2636)
        command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a17F4.bat
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe  (PID 3004)
          command line: "C:\Users\Admin\AppData\Local\Temp\54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe"
          - Executes dropped EXE

    [3] C:\Windows\Logo1_.exe  (PID 2992)
        command line: C:\Windows\Logo1_.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\net.exe  (PID 2572)
          command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\net1.exe  (PID 1972)
            command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Reading the tree: the submitted file (PID 2108) drops Logo1_.exe and rundl132.exe into C:\Windows, starts Logo1_.exe, and hands off to a batch script in %TEMP% that re-launches the file at its original path (PID 3004) and then deletes itself. Logo1_.exe does the drive and Program Files work and stops the named antivirus service through net.exe.
Network
MITRE ATT&CK Enterprise v15
Downloads

- (path not shown in report)  251KB
  MD5:    3ac2a02ae8472cb0a798cb805d2e65c5
  SHA1:   d23e40f07a99ba35f9a720a946fedc0dac86a8da
  SHA256: a93c98f0bc6d82fcf404eb0044ae952e511cfe81d54106da4eb4be25d58d6ccf
  SHA512: 8bd2e2194aa82ebc78fa89742002a39e595bfd11aef4e890ce146d07b8b27f4ab80e28f4d98018f87c5217a2da2471b4eac99b6ea5fb28c07d654497096f8667

- (path not shown in report)  471KB
  MD5:    4cfdb20b04aa239d6f9e83084d5d0a77
  SHA1:   f22863e04cc1fd4435f785993ede165bd8245ac6
  SHA256: 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
  SHA512: 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

- (path not shown in report)  722B
  MD5:    e126aad8fd04c187282a0c15ded3d517
  SHA1:   ed1f4789db55bed4dd1ee96e4de0955f174ce1cd
  SHA256: df33f36c73469761ac6bea41f745d3c35ed141b81066b54833ec595604cae0f1
  SHA512: f9a1598ac5dc36f228be16b765a774ec79cea0d669a7bfbce7864dfc82efcaf68193b55805c10adbfe2fdabf83bcb64c37a66b23fefdc807a2110d76cf04fc9e

- (path not shown in report)  26KB
  MD5:    5b4b652ee77ef4d70046838d30dc9cae
  SHA1:   afe3e77b108490d09c6f191c29ed69c0aa6105e7
  SHA256: 168ce3cb9563c08e2df7f382d6cbe8473a184bd3c7ce5a14398b41f39bc5be28
  SHA512: 55daffaa8bd61db5b34d68b8d0aaeee4457e4f17f5bc1b5cce61b5b3bea61511b51f17f15bf9e5fed43ef2d4c261cacb9afe366bc6301345dff807c5a02986a5

- (path not shown in report)  9B
  MD5:    2be02af4dacf3254e321ffba77f0b1c6
  SHA1:   d8349307ec08d45f2db9c9735bde8f13e27a551d
  SHA256: 766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16
  SHA512: 57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0

- \Users\Admin\AppData\Local\Temp\54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74.exe  52KB
  MD5:    ea602cfb7b4eb2f4192a192d97a71e28
  SHA1:   bd82fd34c60ca4a70f1153d0888c83207fd12403
  SHA256: 99a66e369f0cbebc727d38fc85c9e6ca39efad8b0c4983a7689118973a2ddcde
  SHA512: e3609d2b07839f8f197933645cac5dd86363363a86a0af8107c0841298c3fb73d9dd6cac899c430b14e9e1b31e96d70b4c6d5a27be20e112ec06628862c8d3a6
  Same path as the submitted sample, but 52KB with a different hash set (the submission was 78KB, SHA256 54de4c49...b5f45e74). This is the file that cmd.exe (PID 2636) launched as PID 3004 after the $$a17F4.bat ran, so the sample rewrote the file at its own path before re-executing it.
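The hashes listed under Downloads and the file names under "Drops file in Windows directory" are what a responder would sweep other hosts for. The Python below is an added example, not the sandbox's or this report's own tooling: it walks a directory tree and reports files whose name or SHA256 matches those indicators. The tree it scans is built in a temporary directory with constructed decoy contents, so only name-based matches fire here; a SHA256 match would require the genuine dropped files, which this example does not contain. The hex-digit pattern for the $$<id>.bat name is an assumption generalised from the single $$a17F4.bat seen in the tree.

```python
"""Host sweep for the artifacts this report attributes to the sample.

Added example for this report, not sandbox tooling. SHA256 values and file
names come from the report's IoC tables; the directory layout and file
contents are constructed so the sweep runs offline. A hash hit only occurs
on the genuine dropped files, which are not included.
"""
import hashlib
import os
import re
import tempfile

# SHA256 of the submitted sample plus the six files listed under Downloads.
IOC_SHA256 = {
    "54de4c499b9028e27bb30b9f867ba5c941f6236deffe4b4cc84eb7a7b5f45e74",
    "a93c98f0bc6d82fcf404eb0044ae952e511cfe81d54106da4eb4be25d58d6ccf",
    "30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9",
    "df33f36c73469761ac6bea41f745d3c35ed141b81066b54833ec595604cae0f1",
    "168ce3cb9563c08e2df7f382d6cbe8473a184bd3c7ce5a14398b41f39bc5be28",
    "766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16",
    "99a66e369f0cbebc727d38fc85c9e6ca39efad8b0c4983a7689118973a2ddcde",
}

# Dropped names from the report. The $$<hex>.bat pattern generalises the one
# observed name ($$a17F4.bat) and is an assumption.
IOC_NAME_RE = re.compile(r"^(Logo1_\.exe|rundl132\.exe|vDll\.dll|\$\$[0-9A-Fa-f]+\.bat)$", re.I)


def sha256_of(path, chunk=1 << 16):
    """Streaming SHA256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root):
    """Walk root and return (name_hits, hash_hits), each a sorted list of
    paths relative to root. A file may appear in both lists."""
    name_hits, hash_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if IOC_NAME_RE.match(name):
                name_hits.append(rel)
            if sha256_of(full) in IOC_SHA256:
                hash_hits.append(rel)
    return sorted(name_hits), sorted(hash_hits)


def build_fixture():
    """Constructed stand-in for a system drive: benign files plus decoys that
    carry the dropped names but not the dropped contents."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    temp_dir = os.path.join("Users", "Admin", "AppData", "Local", "Temp")
    layout = {
        os.path.join("Windows", "Logo1_.exe"): b"MZ constructed decoy, not the real dropper\n",
        os.path.join("Windows", "rundl132.exe"): b"MZ constructed decoy\n",
        os.path.join("Windows", "vDll.dll"): b"MZ constructed decoy\n",
        os.path.join("Windows", "rundll32.exe"): b"MZ benign stand-in for the real binary\n",
        os.path.join(temp_dir, "$$a17F4.bat"): b"@echo off\r\n",
        os.path.join(temp_dir, "setup.log"): b"ok\n",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    names, hashes = sweep(fixture)
    print("name hits:", names)    # the four decoys
    print("hash hits:", hashes)   # empty: decoy contents are not the real files
```

Name matches are the weaker signal, since rundl132.exe and Logo1_.exe could be renamed by a later variant, while the SHA256 set is exact but only catches these specific builds. On a real host, point `sweep()` at the system drive and treat a hit on either list as grounds to pull the file for comparison against the hashes above.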