Analysis

max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 06:16
Static task: static1

Behavioral task: behavioral1
  Sample: 8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe
  Resource: win10v2004-20240412-en
General

Target: 8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe
Size: 5.7MB
MD5: 432feea9784b2aa4cdb19ce766fedce1
SHA1: 1296c1c1d0efc7ac82b578b979bda8d2c1dfd8bf
SHA256: 8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916
SHA512: 38ab79dc95da546b7794728b8cf35d07043af26f78c028112d420753bf0ad5fbebca43d2a491ff79ce6f8e1941f1f788955285b36fd9acfc3e8b4ec8be42df42
SSDEEP: 49152:qPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBm:MKUgTH2M2m9UMpu1QfLczqssnKSh
Malware Config
Signatures

Deletes itself (1 IoC)
  PID 632, cmd.exe

Executes dropped EXE (2 IoCs)
  PID 1940, Logo1_.exe
  PID 2636, 8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe

Loads dropped DLL (1 IoC)
  PID 632, cmd.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Logo1_.exe opened the following drive roots read-only (every letter except A:, B:, C:, D: and F:):
  \??\T:, \??\S:, \??\R:, \??\N:, \??\H:, \??\Y:, \??\U:, \??\J:, \??\E:, \??\W:, \??\V:, \??\Q:, \??\P:, \??\O:, \??\Z:, \??\X:, \??\K:, \??\I:, \??\G:, \??\M:, \??\L:
Drops file in Program Files directory (64 IoCs)
All 64 entries are by process Logo1_.exe. Note that besides the _desktop.ini drops, five pre-existing executables are opened for modification (SELFCERT.EXE, native2ascii.exe, extcheck.exe, OUTLOOK.EXE, vlc.exe).

  File created (33):
  - C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini
  - C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini
  - C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini
  - C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini
  - C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini
  - C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini
  - C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini
  - C:\Program Files\Windows Mail\es-ES\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini
  - C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini
  - C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\_desktop.ini
  - C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini
  - C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini
  - C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini
  - C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini
  - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\_desktop.ini
  - C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini
  - C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini
  - C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini
  - C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini

  File opened for modification (31):
  - C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
  - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
  - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini
  - C:\Program Files\Java\_desktop.ini
  - C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini
  - C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini
  - C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini
  - C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini
  - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini
  - C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini
  - C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_desktop.ini
  - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini
  - C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini
  - C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini
  - C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini
  - C:\Program Files\Microsoft Games\Chess\ja-JP\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini
  - C:\Program Files\VideoLAN\VLC\vlc.exe
Drops file in Windows directory (4 IoCs)
  - File created C:\Windows\rundl132.exe by 8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe
  - File created C:\Windows\Logo1_.exe by 8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe
  - File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  - File created C:\Windows\vDll.dll by Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 1940, Logo1_.exe (10 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
  - PID 1108 (8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe) wrote to memory of PID 632, procid_target 28 (4 entries)
  - PID 1108 (8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe) wrote to memory of PID 1940, procid_target 29 (4 entries)
  - PID 1940 (Logo1_.exe) wrote to memory of PID 2540, procid_target 31 (4 entries)
  - PID 2540 (net.exe) wrote to memory of PID 2668, procid_target 33 (4 entries)
  - PID 1940 (Logo1_.exe) wrote to memory of PID 1376, procid_target 21 (2 entries)
Processes

C:\Windows\Explorer.EXE (PID 1376)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe (PID 1108)
    command line: "C:\Users\Admin\AppData\Local\Temp\8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 632)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE34.bat
      - Deletes itself
      - Loads dropped DLL

      C:\Users\Admin\AppData\Local\Temp\8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe (PID 2636)
        command line: "C:\Users\Admin\AppData\Local\Temp\8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe"
        - Executes dropped EXE

    C:\Windows\Logo1_.exe (PID 1940)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 2540)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2668)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
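The signatures and process tree above are the sandbox's raw output. The Python below is an added example, not part of the report or of the sandbox's own code: it re-parses a constructed subset of the report's IoC lines (kept in the report's own wording) and the process tree into the checks an analyst would pivot on: a binary running from the user's Temp directory writing executables into C:\Windows, _desktop.ini files mass-dropped under Program Files, pre-existing executables under Program Files opened for modification (a file-infector pattern), drive-root probing, and a child `net stop` aimed at a security product's service, reported together with its ancestor chain. The line format, the keyword list used to decide that a service name "looks like" a security product, and the scoring thresholds are assumptions.

```python
"""Behavioural findings from flattened sandbox IoC lines and a process tree. Added example,
not part of the sandbox report: line format, keyword list and thresholds are assumptions."""
import re

SAMPLE = "8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
TEMP = TEMP_DIR + "\\" + SAMPLE

# Constructed sample: a subset of the report's own IoC lines, in the report's wording.
FILE_EVENTS = rf"""
File created C:\Windows\rundl132.exe {SAMPLE}
File created C:\Windows\Logo1_.exe {SAMPLE}
File created C:\Windows\vDll.dll Logo1_.exe
File opened (read-only) \??\T: Logo1_.exe
File opened (read-only) \??\S: Logo1_.exe
File opened (read-only) \??\E: Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe Logo1_.exe
File created C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini Logo1_.exe
"""
# (pid, ppid, image path, command line) as shown in the report's process tree.
PROCESSES = [
    (1376, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1108, 1376, TEMP, f'"{TEMP}"'),
    (632, 1108, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c " + TEMP_DIR + r"\$$aE34.bat"),
    (1940, 1108, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    (2540, 1940, r"C:\Windows\SysWOW64\net.exe", r'net stop "Kingsoft AntiVirus Service"'),
    (2668, 2540, r"C:\Windows\SysWOW64\net1.exe",
     r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]
# Report lines read "File <action> <path> <process>"; the process name is the last token.
FILE_RE = re.compile(r"^File (created|opened for modification|opened \(read-only\)) (.+) (\S+)$")
DRIVE_ROOT_RE = re.compile(r"\\\?\?\\([A-Z]):")
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"]+)"?', re.IGNORECASE)
SECURITY_WORDS = ("antivirus", "anti-virus", "defender", "security", "firewall", "protect")

def parse_file_events(text):
    events = []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        action, path, proc = m.groups()
        events.append({"action": action, "path": path, "proc": proc})
    return events

def temp_origin_windows_drops(events, procs):
    """(file, writer) for .exe/.dll written straight into C:\\Windows by a Temp-resident image."""
    temp_images = {img.rsplit("\\", 1)[-1] for _, _, img, _ in procs
                   if "\\appdata\\local\\temp\\" in img.lower()}
    hits = []
    for e in events:
        head, _, name = e["path"].rpartition("\\")
        if (head.lower() == "c:\\windows" and name.lower().endswith((".exe", ".dll"))
                and e["proc"] in temp_images):
            hits.append((name, e["proc"]))
    return hits

def desktop_ini_drops(events):
    """Number of _desktop.ini files created or modified under Program Files."""
    return sum(1 for e in events if e["path"].lower().startswith("c:\\program files")
               and e["path"].lower().endswith("\\_desktop.ini"))

def program_files_exe_modified(events):
    """Pre-existing executables under Program Files opened for writing: a file-infector signal."""
    return sorted(e["path"] for e in events if e["action"] == "opened for modification"
                  and e["path"].lower().startswith("c:\\program files")
                  and e["path"].lower().endswith(".exe"))

def drive_roots_probed(events):
    return sorted(m.group(1) for e in events if (m := DRIVE_ROOT_RE.fullmatch(e["path"])))

def security_service_stops(procs):
    """(pid, service, ancestor images) for every net stop of a security-looking service."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, _, cmd in procs:
        m = NET_STOP_RE.search(cmd)
        if m and any(w in m.group(1).lower() for w in SECURITY_WORDS):
            chain, cur = [], ppid
            while cur in by_pid:  # walk to the root so the analyst sees who spawned it
                chain.append(by_pid[cur][2].rsplit("\\", 1)[-1])
                cur = by_pid[cur][1]
            hits.append((pid, m.group(1).strip(), chain))
    return hits

def triage(events, procs):
    """Findings plus a crude score: one point per independent behaviour (thresholds assumed)."""
    f = {
        "temp_origin_windows_drops": temp_origin_windows_drops(events, procs),
        "desktop_ini_drops": desktop_ini_drops(events),
        "program_files_exe_modified": program_files_exe_modified(events),
        "drive_roots_probed": drive_roots_probed(events),
        "security_service_stops": security_service_stops(procs),
    }
    f["score"] = sum([bool(f["temp_origin_windows_drops"]), f["desktop_ini_drops"] >= 3,
                      len(f["program_files_exe_modified"]) >= 2, len(f["drive_roots_probed"]) >= 3,
                      bool(f["security_service_stops"])])
    return f

EVENTS = parse_file_events(FILE_EVENTS)
if __name__ == "__main__":
    print(triage(EVENTS, PROCESSES))
```

Run as a script it prints the findings for the embedded subset; feeding it the full 64-entry Program Files list changes only the counts. The ancestor chain attached to each service stop is the part that matters in practice: `net stop` of an antivirus service is routine from an administrator's console and is not routine from a child of a freshly written C:\Windows\Logo1_.exe whose own parent ran out of a Temp directory.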
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 252KB
MD5: 91a0234603ee2ffe672133195c4abc05
SHA1: 16279814879065da9aa319c5974781a84f43e39c
SHA256: d22210301ccaa7d2755a1406c535b73ef1a8c1e13366928170d9b7673d727be3
SHA512: 1d63d708d0b532a32031730cb8cc82f66d9025d2d6f2592b9b8591a693e3e3bd3054d2774005aeff11baa9ea7ff16ab1a7e5cf36cc80ea5d445e66f6dc7df2c4

Filesize: 472KB
MD5: 88eb1bca8c399bc3f46e99cdde2f047e
SHA1: 55fafbceb011e1af2edced978686a90971bd95f2
SHA256: 42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428
SHA512: 149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Filesize: 721B
MD5: ed1d89ea94dc8d16c875c74b97e9a996
SHA1: 03990f70cb7ed33ffefc389fe3a08cc507629632
SHA256: 589b7b11b5c940d6d9d2762fbad6bbb1eb809713864f2a3176967f54ba3c94f8
SHA512: b7be45c63e2a213ff5b2974ba369b5aa551467712ed1d8dd94e4e236466d440b3492ff01408bbed26afd9f0d3577738910fa86d2b6cec36d5979ef5f48af7228

C:\Users\Admin\AppData\Local\Temp\8c550f9c1d811c800dec37eec137c7c4ef78db9d839b0125c8186ff57c17d916.exe.exe
Filesize: 5.7MB
MD5: c596c3539f619ec76f36741933da5bed
SHA1: b3243f0ee893528f0ccd71700ca9970def6670b5
SHA256: bb9f95d1b280c1ec9ae27cf564bbb1b485e2d721d44b3288a9a43c07517e38de
SHA512: e6e9bd571f8a74b0d2f1a88f9c90fbf10a2150cda55cd4ad6f9a37e0c4a957a175ecb8adf17822331e6cb83bac6fec5bdc2fc87fdb5bc2bfa46ad7dac4df31d2

Filesize: 27KB
MD5: 18dc1033ae8902d1d05f7bb5651753be
SHA1: 44d68d222bf905f98a2a48ba964010826c80cd59
SHA256: a3f31e286d1c18d1e958f66d909c32c5f35a3b785ba9827774568b04f843f199
SHA512: e7de2a47c6076f6d6de889dfe0937ac3b9e948c85f9e10a27ba2bd14b943e713c7631bd8b0d3f610418a154977cddd2acabad152b1c09b374806ce1e5e61f7eb

Filesize: 9B
MD5: 27729a3995958245e2d6799df42e26e7
SHA1: dfe386f53277c8387b50122f3fda9bc2467815ba
SHA256: 9313041e89d4585b2606afa4809b101e7e8a2c944d063a28c796b0c0f070b5f1
SHA512: ba9157cea7ca5c01b52e2a4a758f4e12e018990e49f1ece5fa6d83423f37a0a4dd5246d9b01e5e212d5e8c36a66a8d0e2645bc73753671295965a855a5028ec6