Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
30/04/2024, 00:15
Static task
static1
Behavioral task
behavioral1
Sample
3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe
Resource
win10v2004-20240419-en
General
-
Target
3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe
-
Size
2.8MB
-
MD5
b2b308a12162eb799117f00ea8a49a61
-
SHA1
eac813e2fc0dfb4f14eb73e8b9b6bd8b66952533
-
SHA256
3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd
-
SHA512
33b96b137544c77d5c42d3b52600feaab4d47b24d8ce7e493e67f2930c8edb26ec53e2df3e00bed0ddebba6605ddd4064b5d67a0a2456af8b2064c9f3f3849ed
-
SSDEEP
49152:t6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:gd1XdhBiiMa7
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 552 Logo1_.exe 4676 3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\Images\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Resource\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ca-ES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\tr-tr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lo-LA\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft.NET\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\vDll.dll Logo1_.exe File created C:\Windows\rundl132.exe 3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe File created C:\Windows\Logo1_.exe 3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe 552 Logo1_.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2784 wrote to memory of 4644 2784 3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe 84 PID 2784 wrote to memory of 4644 2784 3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe 84 PID 2784 wrote to memory of 4644 2784 3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe 84 PID 2784 wrote to memory of 552 2784 3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe 85 PID 2784 wrote to memory of 552 2784 3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe 85 PID 2784 wrote to memory of 552 2784 3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe 85 PID 552 wrote to memory of 4684 552 Logo1_.exe 87 PID 552 wrote to memory of 4684 552 Logo1_.exe 87 PID 552 wrote to memory of 4684 552 Logo1_.exe 87 PID 4684 wrote to memory of 4732 4684 net.exe 89 PID 4684 wrote to memory of 4732 4684 net.exe 89 PID 4684 wrote to memory of 4732 4684 net.exe 89 PID 552 wrote to memory of 3480 552 Logo1_.exe 56 PID 552 wrote to memory of 3480 552 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3480
-
C:\Users\Admin\AppData\Local\Temp\3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe"C:\Users\Admin\AppData\Local\Temp\3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3A98.bat3⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe"C:\Users\Admin\AppData\Local\Temp\3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe"4⤵
- Executes dropped EXE
PID:4676
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:4732
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
247KB
MD5b611236664f228f87f5605656b22c94e
SHA1577f88b5708d114c50801323bea7ccf2aa1f572c
SHA256c1ddc72e6a9125169721af39379a8312f12c14855067fc0a50b6c95f8b159bb2
SHA5127e4608529275bb7906ff821ed2d439c29db22373b81558a4b1ae9c0cc5ff43fc1b6384378aa9d7e965ad7a2921b4fba57b4c6e47c98f77210b82d6b79a3371c7
-
Filesize
573KB
MD5df2ea083f9bf31bbd8f3644e90e2b4e7
SHA170a8690904eb5a5da503f43759b5cb80d2838a6d
SHA256554486c45097e6aad0e2f63f05c018d6e19a91fcedf6c56ae3b4e1b7ffdf46db
SHA512d99a22e3d2909826b2381043fb23bb7dcc02348cda0022c7356dbf958c97ed6aff1e1571f2c0c334415b1e376b149eca674c1ff7d0a426d017c3071eea810afa
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize639KB
MD5ff7ce6c4ffc92d1beca4883dfcfde0af
SHA14a52e320cd88765f13e2799a4980a12f788c98a4
SHA2565a4e150d03f1cfadccd40a407a3ae8ec5ffbb5d28ea95dca136d67cac24fd8b5
SHA51299056bcbb382e545304a33002a6cfbb7a57df663feca5a3842bf077d1126931ba78d5e04a93cbd72a7c6d9eb09005750e5cff1030d8586e26838e7634d7ad583
-
Filesize
722B
MD55617b9fc5c318e4f388ebd97283aefce
SHA1d7ee8bfa84b0f8c5679e5401759de88d31bfbd79
SHA256d4ec950ae54bd090d71bdc4497ef0660a54b425f4b6b144fd496320d468668c7
SHA512f926c899f4fa5e521e57dd434d45b2300dc0f80c1ac0a547d6419cc11f704ce7795d53b210034ef6e41af2f07f96e2bac6b4c37b2eed76297bd5917702df64d9
-
C:\Users\Admin\AppData\Local\Temp\3dbb03f079de0968ed7b9fc588f87723c100d0b46f01086665d44ce8c3fe0cfd.exe.exe
Filesize2.8MB
MD5095092f4e746810c5829038d48afd55a
SHA1246eb3d41194dddc826049bbafeb6fc522ec044a
SHA2562f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588
SHA5127f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400
-
Filesize
29KB
MD534b640fa0177319ac442b6f3bbdaac54
SHA1174c06017aeaceaab18228ca8eead4f7e94e58a2
SHA256e0520317e9229269c4ab52b7690e1c289c2d3f9284f651c3f9d7d6abd1e49207
SHA5122cbe13eff0bb3b532c33efc8aa781951adfc256ad96a0e32ffdb37f4eded8d474a0b3a143d50a9a4ca1f3938eb8f0a09a1333278eb211b5cc2c0466173244d9a
-
Filesize
9B
MD53441ca64b7a268fd1abb0c149aa9e827
SHA1977a6be7624a5ff4ea1de4f422b44b4974c17827
SHA256fafa54a384b4b9bfe970b0e803afe0c0284021acca503892961170d49985dd99
SHA51284d8adce555267049d33544c4402eaa9bb3ff2022fd76cd619e4cb1fd544c5825cd7769065dd525b58e3befd579d3dd11ec2e0032907ff7dd36f83975b5b5848