Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 30-04-2024 22:14
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe
  - Resource: win7-20240419-en
General
- Target: a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe
- Size: 497KB
- MD5: 9dacbd16c744b80ac18ab1ba7240cbf3
- SHA1: b8a3e0dc23ecabe9eb5e3a942d1acf08ad7bcf25
- SHA256: a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f
- SHA512: ce406b5cb018e81d82be891a1842a257f01fd25fd92308c3ce39a9638b438551d804fe919460de0f090d8a698271fe83f9cd2e73e8768270e506247224760908
- SSDEEP: 12288:u+azbvb1gL5pRTcAkS/3hzN8qE43fm78V:uBzb+5jcAkSYqyE
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2776, cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2816, Logo1_.exe
  pid 2764, a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe
- Loads dropped DLL (1 IoC)
  pid 2776, cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc. The report lists no IoC rows for this signature, so it is a TTP-level match rather than an observed file access.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 21 rows are "File opened (read-only)" by Logo1_.exe on a drive-root object, covering every letter from E: to Z: except F:
  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Drops file in Program Files directory (64 IoCs, all by Logo1_.exe)
  Almost every row is a _desktop.ini written into an application or locale folder, one per directory visited. Eight rows are existing executables "opened for modification" (jmap.exe, pingsender.exe, helper.exe, AcroTextExtractor.exe, jps.exe, plugin-container.exe, wmpshare.exe, LogTransport2.exe); treat those binaries as possibly tampered and hash them against known-good copies before trusting them.
  File created:
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini
    C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini
    C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini
    C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini
    C:\Program Files\Microsoft Games\Chess\ja-JP\_desktop.ini
    C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini
    C:\Program Files (x86)\Windows Media Player\Visualizations\_desktop.ini
    C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini
    C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini
    C:\Program Files\Windows Media Player\it-IT\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\eo\_desktop.ini
    C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini
    C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini
    C:\Program Files (x86)\Windows Defender\_desktop.ini
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini
  File opened for modification:
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\_desktop.ini
    C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini
    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini
    C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini
    C:\Program Files\Windows Media Player\Visualizations\_desktop.ini
    C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini
    C:\Program Files\Microsoft Games\Minesweeper\es-ES\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini
    C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini
    C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini
    C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini
    C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
    C:\Program Files\Mozilla Firefox\pingsender.exe
    C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini
    C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini
    C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini
    C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini
    C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
    C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini
    C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe
    C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini
    C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini
    C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Windows Media Player\wmpshare.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe
    C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini
- Drops file in Windows directory (4 IoCs)
  File created C:\Windows\rundl132.exe by a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe
  File created C:\Windows\Logo1_.exe by a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe
  File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  File created C:\Windows\Dll.dll by Logo1_.exe
  Note the name rundl132.exe (digit one, not the letter l): a lookalike of the legitimate rundll32.exe dropped directly into the Windows root.
- Runs net.exe
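The IoC tables above are rendered on this page as one run-on line per signature, with a few paths broken across lines. The following parser is an added example, not part of the sandbox report: it takes that flattened "description ioc Process" text exactly as it appears here (an excerpt copied from the tables above is embedded), recovers (action, path, process) records, and then separates the _desktop.ini marker drops from executables that were created or opened for writing, which are the files worth hashing against known-good copies. The regular expression and the record layout are this example's own assumptions about the page format, not a documented schema of the sandbox.

```python
"""Parser for the flattened "description ioc Process" IoC tables in the report above.

Added example, not part of the sandbox report. The regex below is an assumption
about how the page flattens its tables (action, then a path that may contain
spaces, then a process name without spaces, repeated).
"""
import re
from collections import Counter

# Excerpt copied from the report's "Drops file in Windows directory" and "Drops file
# in Program Files directory" tables, including one path that the page extraction
# broke across a line ("C:\Program " / "Files\...") and one drive-root open.
REPORT_EXCERPT = r"""description ioc Process File created C:\Windows\rundl132.exe a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe File created C:\Windows\Logo1_.exe a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\Dll.dll Logo1_.exe -
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe Logo1_.exe File created C:\Program 
Files\VideoLAN\VLC\locale\pa\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe Logo1_.exe File opened (read-only) \??\X: Logo1_.exe -"""

# One entry: action, path (may contain spaces), process (no spaces), followed by
# either the next entry or the end of the text.
ENTRY = re.compile(
    r"(File created|File opened for modification|File opened \(read-only\)) "
    r"(.+?) (\S+)(?= File |$)"
)


def parse_ioc_table(text):
    """Return [(action, path, process)] from a flattened IoC table, re-joining split lines."""
    flat = " ".join(line.strip() for line in text.splitlines())
    flat = re.sub(r"\bdescription ioc Process\b", "", flat)  # column header repeated per table
    flat = re.sub(r"\s+-(?=\s|$)", "", flat)                  # the page's stray " -" separators
    flat = re.sub(r"\s+", " ", flat).strip()
    return [(m.group(1), m.group(2), m.group(3)) for m in ENTRY.finditer(flat)]


def triage(records):
    """Split marker-file drops from executables the dropper created or opened for writing."""
    markers = [p for _, p, _ in records if p.lower().endswith(r"\_desktop.ini")]
    exe_written = sorted({
        p for a, p, _ in records
        if a in ("File created", "File opened for modification")
        and p.lower().endswith((".exe", ".dll"))
    })
    return {
        "markers": markers,
        "executables_written": exe_written,
        "by_action": dict(Counter(a for a, _, _ in records)),
        "by_process": dict(Counter(proc for _, _, proc in records)),
    }


if __name__ == "__main__":
    result = triage(parse_ioc_table(REPORT_EXCERPT))
    for path in result["executables_written"]:
        print("hash and compare against known-good:", path)
```

Run against the full tables on this page, the "executables_written" list is what to hand to a file-integrity check; the marker list gives the directories the dropper walked.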
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
  pid 1740, a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe (13 rows)
  pid 2816, Logo1_.exe (30 rows)
- Suspicious use of WriteProcessMemory (38 IoCs)
  Columns: description, pid, Process, procid_target. Rows that the page repeats verbatim are collapsed with a count.
  PID 1740 wrote to memory of 1852 | a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe | 28 | x4
  PID 1852 wrote to memory of 2608 | net.exe | 30 | x4
  PID 1740 wrote to memory of 2776 | a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe | 31 | x4
  PID 1740 wrote to memory of 2816 | a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe | 33 | x4
  PID 2816 wrote to memory of 2888 | Logo1_.exe | 34 | x4
  PID 2776 wrote to memory of 2764 | cmd.exe | 36 | x4
  PID 2888 wrote to memory of 2812 | net.exe | 37 | x4
  PID 2816 wrote to memory of 2768 | Logo1_.exe | 38 | x4
  PID 2768 wrote to memory of 3060 | net.exe | 40 | x4
  PID 2816 wrote to memory of 1228 | Logo1_.exe | 21 | x2
  All targets except the last are the writer's own child processes. PID 1228 is Explorer.EXE (see the process tree), so Logo1_.exe also writes into the shell's address space.
Processes
- C:\Windows\Explorer.EXE (PID 1228)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe (PID 1740)
    command line: "C:\Users\Admin\AppData\Local\Temp\a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe"
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1852)
      command line: net stop "Kingsoft AntiVirus Service"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2608)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 2776)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a119D.bat
      signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe (PID 2764)
        command line: "C:\Users\Admin\AppData\Local\Temp\a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe"
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 2816)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2888)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2812)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 2768)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 3060)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Reading the tree: the sample first tries to stop "Kingsoft AntiVirus Service", drops Logo1_.exe and rundl132.exe into C:\Windows, starts Logo1_.exe, and hands its own removal to a batch file in the user's Temp directory. That batch file re-launches the sample's own path, and the second instance (PID 2764) is flagged "Executes dropped EXE", meaning the sandbox saw the file at that path written during the run; the 458KB entry under Downloads that carries the sample's path is smaller than the 497KB submission. Logo1_.exe repeats the service stop twice more, sweeps the drive letters and Program Files, and writes into Explorer.EXE.
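The process tree and signatures above describe four behaviours that can be turned into detections without any sample-specific hash: a `net stop` against a security product launched from something other than an interactive shell or installer, a `cmd /c <Temp>\*.bat` self-delete launched by a binary that itself runs from Temp, one process opening the root of many drive letters, and executables written straight into C:\Windows under a lookalike of a system binary name (rundl132.exe for rundll32.exe). The code below is an added example, not part of the sandbox report or of any vendor's rule set. The event layout is an assumed Sysmon-like one (process events with pid/ppid/image/cmdline, file events with pid/action/path), and all sample events are constructed from the tree and IoC rows on this page plus one benign control (an administrator stopping Print Spooler from cmd.exe) that the rules must not flag.

```python
"""Detections for the behaviours the sandbox flagged in the process tree above.

Added example, not part of the sandbox report. The event layout (Sysmon-like
dicts with pid/ppid/image/cmdline and pid/action/path) is assumed, and every
sample event below is constructed from the report's process tree and IoC rows.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe"
TEMP_DIR = "\\AppData\\Local\\Temp\\"

# Constructed process-creation events.
PROCESS_EVENTS = [
    {"pid": 1740, "ppid": 1228, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1852, "ppid": 1740, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 2608, "ppid": 1852, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": 'C:\\Windows\\system32\\net1 stop "Kingsoft AntiVirus Service"'},
    {"pid": 2776, "ppid": 1740, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a119D.bat"},
    {"pid": 2816, "ppid": 1740, "image": r"C:\Windows\Logo1_.exe", "cmdline": r"C:\Windows\Logo1_.exe"},
    # Benign control: an administrator stopping a service from an interactive shell.
    {"pid": 4100, "ppid": 3900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 4101, "ppid": 4100, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "Print Spooler"'},
]

# Constructed file events mirroring the report's drive-root opens and C:\Windows drops.
FILE_EVENTS = (
    [{"pid": 2816, "action": "open", "path": f"\\??\\{d}:"} for d in "XOJHEYQPNLIGZWVUSMTRK"]
    + [{"pid": 1740, "action": "create", "path": r"C:\Windows\rundl132.exe"},
       {"pid": 1740, "action": "create", "path": r"C:\Windows\Logo1_.exe"},
       {"pid": 2816, "action": "create", "path": r"C:\Windows\Dll.dll"},
       {"pid": 2816, "action": "create", "path": r"C:\Program Files (x86)\Windows Defender\_desktop.ini"}]
)

SECURITY_SERVICE = re.compile(r"anti-?virus|defender|security|endpoint|protect", re.I)
NET_STOP = re.compile(r'^(?:\S*\\)?net1?(?:\.exe)?\s+stop\s+"?([^"]+)"?', re.I)
ALLOWED_NET_PARENTS = {"cmd.exe", "powershell.exe", "services.exe", "msiexec.exe"}
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def levenshtein(a, b):
    """Edit distance; enough to catch one-character lookalikes such as rundl132 vs rundll32."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect_av_service_stop(events):
    """net stop of a security-looking service from a parent that is not a shell or installer."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        m = NET_STOP.match(e["cmdline"])
        if not m or not SECURITY_SERVICE.search(m.group(1)):
            continue
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "net.exe":
            continue  # net.exe always re-spawns net1.exe; report only the outer net.exe
        if parent is None or basename(parent["image"]) not in ALLOWED_NET_PARENTS:
            hits.append(("av_service_stop", e["pid"], m.group(1)))
    return hits


def detect_self_delete_batch(events):
    """cmd /c <Temp>\\*.bat launched by a parent that itself runs from the user's Temp."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        m = re.search(r"/c\s+(\S+\.bat)", e["cmdline"], re.I)
        parent = by_pid.get(e["ppid"])
        if (basename(e["image"]) == "cmd.exe" and m and parent
                and TEMP_DIR in m.group(1) and TEMP_DIR in parent["image"]):
            hits.append(("self_delete_batch", e["pid"], m.group(1)))
    return hits


def detect_drive_sweep(file_events, threshold=8):
    """One process opening the root of many drive letters, as a file infector or worm does."""
    roots = defaultdict(set)
    for f in file_events:
        m = re.fullmatch(r"\\\?\?\\([A-Z]):", f["path"])
        if m:
            roots[f["pid"]].add(m.group(1))
    return [("drive_sweep", pid, len(ls)) for pid, ls in roots.items() if len(ls) >= threshold]


def detect_windows_root_drop(file_events):
    """Executable created directly in C:\\Windows; a near-match to a system binary name is named."""
    hits = []
    for f in file_events:
        m = re.fullmatch(r"C:\\Windows\\([^\\]+\.(?:exe|dll))", f["path"], re.I)
        if f["action"] != "create" or not m:
            continue
        name = m.group(1).lower()
        lookalike = next((s for s in sorted(SYSTEM_BINARIES) if s != name and levenshtein(name, s) <= 2), None)
        hits.append(("windows_root_drop", f["pid"], name, lookalike))
    return hits


def run_all(process_events=PROCESS_EVENTS, file_events=FILE_EVENTS):
    return (detect_av_service_stop(process_events) + detect_self_delete_batch(process_events)
            + detect_drive_sweep(file_events) + detect_windows_root_drop(file_events))


if __name__ == "__main__":
    for hit in run_all():
        print(hit)
```

The parent allow-list in the service-stop rule is the tuning knob: this sample launches net.exe directly from the dropper and from Logo1_.exe, so it fires, while the Print Spooler control from cmd.exe does not. The drive-sweep threshold of eight letters is a starting point; the report shows 21 for one process.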
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 264KB
  MD5: 266a8decd1271ba104a9fff2eb37568f
  SHA1: 5fae11187d40c55a75f7174e4af12fef3e0a33a9
  SHA256: 25040ab6bb8ee761b351ca816cce03c80530b89aba11824a74326e84277e2aee
  SHA512: 15e0794324d0066c7cef77dc1f48441d2ddfa355a683c3a49cc6ead86399121122a49c449306330796600b7aa46679b20b9797e8e14aa2ef183102bd8dac304e
- Filesize: 484KB
  MD5: 79d4fd1cb70f3844796aa1ea18a238e2
  SHA1: 78d207a7de2aeb85eefc185d894b0b7626e1e1f3
  SHA256: ccaacc3965c1bdfce8cd1e934895a4563dddf082016e56846966c250bed87d5b
  SHA512: 7a0167cbce49f09ea39e490862b8c371eacf8ce3d74d6a6054e7f0e1df4b307019f5adee03603fcb9d4db2b17841cbc9cf129e9480d70b20c266fe82b3979b33
- Filesize: 722B
  MD5: 63e88ab03d0b43bb45f6d2b49daee99a
  SHA1: 541ac40e625a9498cd27efdf8aa6bfabdad5e4e1
  SHA256: 17bed5e40e3da0a4e806ec50f0726db1633789245c09942fc9406a6b61bc384c
  SHA512: af67cb4e423497b7752c742e5b6f0ab9797848d706eda78287c15f9362007fa7f9337471540517350afc44df778f914ad0f4890209b6285b079c39f3c4c225ae
- C:\Users\Admin\AppData\Local\Temp\a46aa5e8af05e1ea85a99fede9d8bd7820f0327aabc68f15a42a5360b58dfb2f.exe.exe
  Filesize: 458KB
  MD5: 619f7135621b50fd1900ff24aade1524
  SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
- Filesize: 39KB
  MD5: 4ea1c860080808fe13e78caa0034c62b
  SHA1: 59e326df70ba545b4c443b9a4d4d4ecb725a0ede
  SHA256: fef391543155b7d88565a03cdcb35eb2d9c44b22f3d4af8ef9fd0f48289f6958
  SHA512: 880bf02f0776da8fde359b6f71b05ed11947f507d44e461f23c55dbeabc54ce63325c877fac5dd2d31c5dad3feb0d81bf02f767ac238494ef7ca5c84ec354e6f
- Filesize: 9B
  MD5: 3441ca64b7a268fd1abb0c149aa9e827
  SHA1: 977a6be7624a5ff4ea1de4f422b44b4974c17827
  SHA256: fafa54a384b4b9bfe970b0e803afe0c0284021acca503892961170d49985dd99
  SHA512: 84d8adce555267049d33544c4402eaa9bb3ff2022fd76cd619e4cb1fd544c5825cd7769065dd525b58e3befd579d3dd11ec2e0032907ff7dd36f83975b5b5848
The report names only one of the six dropped files; the others are listed by size and hash alone, so match them by hash rather than by path.