Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 18:32
Static task: static1
Behavioral task: behavioral1
  Sample: 27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe
  Resource: win10v2004-20240412-en
General
Target: 27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe
Size: 248KB
MD5: af9b0e452328b865bc689fae98a0af3c
SHA1: 2dcbb10f81984ccba9945a4b26c33daa56e7c9ba
SHA256: 27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b
SHA512: 05b6d6b3e9892d24841657c9aa7eade636ead3e8b685b8931ed5665a403e1ac6a4110b0df314007652477cc0028dbdd10a7c6e7db4a48310a05c37fb32cee4a2
SSDEEP: 3072:+ftffjmN5uJIt622VgyheoNuKWElCvHJ0nCIg0PlXXgTh39lZvlqyjNgK1dAjYan:mVfjmN9p2VVhewuVkCfFL3v4ySK13ao4
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
916 | Logo1_.exe
1660 | 27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\EndOfLife\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\View3d\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Defender\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Uninstall Information\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\uk-UA\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | 27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe
File created | C:\Windows\Logo1_.exe | 27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
916 | Logo1_.exe (20 identical entries)
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 4060 wrote to memory of 772 | 4060 | 27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe | 87 (3 identical entries)
PID 4060 wrote to memory of 916 | 4060 | 27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe | 88 (3 identical entries)
PID 916 wrote to memory of 4956 | 916 | Logo1_.exe | 90 (3 identical entries)
PID 4956 wrote to memory of 4692 | 4956 | net.exe | 92 (3 identical entries)
PID 772 wrote to memory of 1660 | 772 | cmd.exe | 93 (2 identical entries)
PID 916 wrote to memory of 3488 | 916 | Logo1_.exe | 57 (2 identical entries)
Processes (process tree; the number is the depth level)
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 3488
   2. C:\Users\Admin\AppData\Local\Temp\27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe"
      signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
      PID: 4060
      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a37E8.bat
         signatures: Suspicious use of WriteProcessMemory
         PID: 772
         4. C:\Users\Admin\AppData\Local\Temp\27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe"
            signatures: Executes dropped EXE
            PID: 1660
      3. C:\Windows\Logo1_.exe
         command line: C:\Windows\Logo1_.exe
         signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
         PID: 916
         4. C:\Windows\SysWOW64\net.exe
            command line: net stop "Kingsoft AntiVirus Service"
            signatures: Suspicious use of WriteProcessMemory
            PID: 4956
            5. C:\Windows\SysWOW64\net1.exe
               command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
               PID: 4692
Network
MITRE ATT&CK Enterprise v15
Downloads
File (no path recorded)
  Filesize: 251KB
  MD5: ae3b1317139020b3eac8708b069dd0e3
  SHA1: aae70b82d683ca54f901a29f2d51f594ddc4db52
  SHA256: db55243ffc0e23cca973ff661ef4320b5a16a6166009bd537be335162697f9f2
  SHA512: 259200f907ca4c5427ce3e855062e86867f3b091e5249053743fccfeee931b5390d1d0c491c378e92ef8ac1f40ac930973bbf17ae97e69d2d82ca2b759d713d7
File (no path recorded)
  Filesize: 570KB
  MD5: 2046465903795717baef2cad996b8ea4
  SHA1: 847edc2da82ea966cb8ad601581bb1b2a050082b
  SHA256: 314fdf43e48412ba4f45c3f64de407d225d0534d99b8a65eb85cc87a8dd5efb4
  SHA512: c145f93e3cd09c4869a764c31dd1f3b1057f9233ee6aebb4d96c2ccacd9a0b3ec92fdced5f6a9396d435a03c0d5beac08808997dea9b2d9018293f98b96351e3
File: C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  Filesize: 636KB
  MD5: 2500f702e2b9632127c14e4eaae5d424
  SHA1: 8726fef12958265214eeb58001c995629834b13a
  SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
  SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c
File (no path recorded)
  Filesize: 722B
  MD5: 2abd54d4a6926cc12eb6dceb87d58f7b
  SHA1: 4bbb379dda55385060e3a42d369d05b326ffbaa0
  SHA256: 6a5f05fecb0952316c7cb128ac097127d5ee233c9ce1fbf12232f24088d3ea94
  SHA512: 78f6ef674d9e61aefa00f891cffcb6b3798ed0d151380dcf20803a844f96fa80f0f9566710fbe7aa4b3550968ed8ff99cd342187c31141d0d3c6b1dc7c0c39a5
File: C:\Users\Admin\AppData\Local\Temp\27fcf71916ebd85194fad1fb86b48650ce4702a9b060ad026fbb7bc0ea91d41b.exe.exe
  Filesize: 221KB
  MD5: fbbe7b8761890d48b2684650e628ee6f
  SHA1: 02165b12fee787377e18ee0d7cf6a02f0a63f6f5
  SHA256: 1edc4ec9b654020a1a426f50222d3b0ca46f63a2590a97aec5bf574660f32df8
  SHA512: b2aa38025733bd83843b4772284d30d4a7414fe71a786e742da94f4b7b1b9e10e21784895bb2e43b3e45a55eee1011e8069f949bcb7006a3ba7ca5806cc559e0
File (no path recorded)
  Filesize: 26KB
  MD5: 2c13ef7da783a3c713fd38ba477d7207
  SHA1: fbab6f31554a8db094c4c4a18fda9634ee3bcb27
  SHA256: b3c23ddd0b2379f80be1433dc149817f6f2e8704bcc253d25e73c2a32188c494
  SHA512: f62bbdaedd6fb6c370e5331e0df7c4ec14ca5db97dc58613de29a478675183b04fb5d5b8ebf180c7336adc8db08825a4eb2f7332726d9aca56ca5548c96f1d6e
File (no path recorded)
  Filesize: 9B
  MD5: 2be02af4dacf3254e321ffba77f0b1c6
  SHA1: d8349307ec08d45f2db9c9735bde8f13e27a551d
  SHA256: 766fe9c47ca710d9a00c08965550ee7de9cba2d32d67e4901e8cec7e33151d16
  SHA512: 57f61e1b939ed98e6db460ccdbc36a1460b727a99baac0e3b041666dedcef11fcd72a486d91ec7f0ee6e1aec40465719a6a5c22820c28be1066fe12fcd47ddd0