Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
25-04-2024 04:45
Static task
static1
Behavioral task
behavioral1
Sample
dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe
Resource
win10v2004-20240412-en
General
-
Target
dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe
-
Size
5.7MB
-
MD5
3c18d0890a3c8dd4e536fb64b1c4e6b3
-
SHA1
3327e9354250a4838f6d04961cc3af25af4bc165
-
SHA256
dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae
-
SHA512
33e8eb0554eaf4432ef3ada555e0a056198d23eb0a2a50c6ef30b020a56015f07106ad1e91e7287bcc57fe75ac4d9419e89fe3ce658c0d0c16012e47cd1994bb
-
SSDEEP
49152:GPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:YKUgTH2M2m9UMpu1QfLczqssnKSk
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 876 Logo1_.exe 4744 dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\x86\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\zh-tw\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Google\Update\Install\{703E9549-BDC2-4121-B382-D61E8F1A4A8B}\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe File created C:\Windows\rundl132.exe dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe File created C:\Windows\Logo1_.exe dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe 876 Logo1_.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2548 wrote to memory of 4708 2548 dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe 82 PID 2548 wrote to memory of 4708 2548 dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe 82 PID 2548 wrote to memory of 4708 2548 dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe 82 PID 2548 wrote to memory of 876 2548 dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe 83 PID 2548 wrote to memory of 876 2548 dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe 83 PID 2548 wrote to memory of 876 2548 dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe 83 PID 876 wrote to memory of 1512 876 Logo1_.exe 85 PID 876 wrote to memory of 1512 876 Logo1_.exe 85 PID 876 wrote to memory of 1512 876 Logo1_.exe 85 PID 1512 wrote to memory of 2272 1512 net.exe 88 PID 1512 wrote to memory of 2272 1512 net.exe 88 PID 1512 wrote to memory of 2272 1512 net.exe 88 PID 876 wrote to memory of 3448 876 Logo1_.exe 56 PID 876 wrote to memory of 3448 876 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe"C:\Users\Admin\AppData\Local\Temp\dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2FBB.bat3⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe"C:\Users\Admin\AppData\Local\Temp\dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe"4⤵
- Executes dropped EXE
PID:4744
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:2272
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD5b972986ddc5ad7e3b78622aaec4ae4c0
SHA107ec90600067df6a2264a189ad2179175fc48798
SHA256cef76ca308c743c0da4d0adc190484f0a08dcb4a4b87946beef0cd9d2c8915a5
SHA512aeba6991cd7bbc8731468d94455f3abf564e76cab681d023089b17cda58229fdab97c39e001081887a2c5efb0969d15fac9fab2657075dfc768448aeb4825023
-
Filesize
573KB
MD513257d0f99234c552f5366105bda5965
SHA104f0a6c539d94a50212986d6c980c03363998794
SHA25667f262a67d59106ec94ad9797c2e263eb8daa44966fa8fce95857a240e24a597
SHA512a37980a5c1b803dd8e065e9637e755944175c2c909b48dce1add91a506b8fec9776ab397246061d225365d04998c25b39f34798ae4eeed7a1366e40d0f6cd57c
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize639KB
MD5cda7714d2ec36fbd5dfd358b3cc885ce
SHA1410c57ed71630d168738f40cea3ccc65529b0ae1
SHA256d2c7832ddb52cfbb750dfffae048fd9c6a9cf06a52b7de91a0be255dffadef4e
SHA51289cc9f52ae02711a9f90f2ba8e6b62c8ac442b967903067e1f3c5c12ff3ca012b62b8af4e4e7c3762b4c3ee255826b509fdb064c0d2861a2c2953a02c4fc1714
-
Filesize
722B
MD51083d15d425e7b3420c581fdfb4ebc39
SHA1cb3dd169ff5c220b370cba964405e4b9d1c2c7ee
SHA25664f4ec8100d6ef9ffca2945fe910016511c3d3ec5c89bddcd9ea3885e9632fbd
SHA512e6595195eda5f2814ceab92ba89a7e88b66e28c482b89459a1f559f32ae837d16e36e146a6d26c2a5e1dbe24611834961ef90a86be391eecf5681ea61a21ea7f
-
C:\Users\Admin\AppData\Local\Temp\dc266e56ea3f4a30862083ea50a7103e4274ad4914d6d000ab88f46efe0cdfae.exe.exe
Filesize5.7MB
MD5ba18e99b3e17adb5b029eaebc457dd89
SHA1ec0458f3c00d35b323f08d4e1cc2e72899429c38
SHA256f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628
SHA5121f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c
-
Filesize
29KB
MD5dac673b75fd1f13a8f885a8ca5252a58
SHA1809080cb9ecc0d4978b724a48ca3e9fb6d65d11a
SHA256ca09ca81af02465f58f3c9037f9d3ec216a9cb41f876bc64ca9a13d7b0558a2c
SHA512cc5336c6a7cf8189de065ea93420015c62ccfa3c7fa5cf1f9e02d8d25ae551c64353eac54c502d02568d0f2fd0706be7098e41f163c1d1b684955d601323610c
-
Filesize
9B
MD57ef570b2b21e58fd906ef1a980d64425
SHA118502489f652e74f8972bbfa100d5c163d719ab7
SHA256c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055
SHA512e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f