Analysis

Max time kernel: 150s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 15/05/2024, 11:14

Static task: static1
Behavioral task: behavioral1
Sample: 41df2da8e7809668495d1ef4eac9b37e7aa4f4dbc300a78d6317c4c491312f2d.exe
Resource: win7-20240508-en
General

Target: 41df2da8e7809668495d1ef4eac9b37e7aa4f4dbc300a78d6317c4c491312f2d.exe
Size: 55KB
MD5: 29e107f30d686aec3e2729cf6324511b
SHA1: a983d70e669f40ef42ed6468276fe0f856c249e6
SHA256: 41df2da8e7809668495d1ef4eac9b37e7aa4f4dbc300a78d6317c4c491312f2d
SHA512: 4d3f8f9328a7df29ad59cb9e339447579e8b26b577397bd0ac733e8ca20c87e5686ee825534c0576f4541f1eb0032cf55c9e5cee76a9cb81e5fd6ea44d7fb758
SSDEEP: 1536:gsVPQsrz8haFpmqr76/Y3WLpOHqaNrFd:gsVPN8QFda/2WaNpd
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2628  cmd.exe

Executes dropped EXE (2 IoCs)
  PID 2648  Logo1_.exe
  PID 2812  41df2da8e7809668495d1ef4eac9b37e7aa4f4dbc300a78d6317c4c491312f2d.exe

Loads dropped DLL (1 IoC)
  PID 2628  cmd.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  File created                C:\Windows\rundl132.exe   (process: 41df2da8e7809668495d1ef4eac9b37e7aa4f4dbc300a78d6317c4c491312f2d.exe)
  File created                C:\Windows\Logo1_.exe     (process: 41df2da8e7809668495d1ef4eac9b37e7aa4f4dbc300a78d6317c4c491312f2d.exe)
  File opened for modification C:\Windows\rundl132.exe  (process: Logo1_.exe)
  File created                C:\Windows\Dll.dll        (process: Logo1_.exe)
Runs net.exe

Suspicious behavior: EnumeratesProcesses (43 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2812  41df2da8e7809668495d1ef4eac9b37e7aa4f4dbc300a78d6317c4c491312f2d.exe

Suspicious use of WriteProcessMemory (41 IoCs)
Processes

C:\Windows\Explorer.EXE (PID 1192)
  Command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\41df2da8e7809668495d1ef4eac9b37e7aa4f4dbc300a78d6317c4c491312f2d.exe (PID 2180)
    Command line: "C:\Users\Admin\AppData\Local\Temp\41df2da8e7809668495d1ef4eac9b37e7aa4f4dbc300a78d6317c4c491312f2d.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe (PID 2192)
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (PID 3052)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

    C:\Windows\SysWOW64\cmd.exe (PID 2628)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1D60.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\41df2da8e7809668495d1ef4eac9b37e7aa4f4dbc300a78d6317c4c491312f2d.exe (PID 2812)
        Command line: "C:\Users\Admin\AppData\Local\Temp\41df2da8e7809668495d1ef4eac9b37e7aa4f4dbc300a78d6317c4c491312f2d.exe"
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam

    C:\Windows\Logo1_.exe (PID 2648)
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 2644)
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2636)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

      C:\Windows\SysWOW64\net.exe (PID 2828)
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2408)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads