Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 15/05/2024, 11:14
Static task: static1
Behavioral task: behavioral1
Sample: 555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe
Resource: win7-20231129-en
General
Target: 555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe
Size: 271KB
MD5: ebbefa2804f5899556b8d0002d708fbd
SHA1: a211624a2a79ce03ef0ac3527c069e815c9cde86
SHA256: 555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5
SHA512: 4ef826d83469cf4dae542d90728de28f1597767d70adbc785439755610355e4f3376caf917aeac807cc234d294cd7c345be2c05fb2e28cd766b00b56986ab57e
SSDEEP: 3072:gyVPN8QFda/2NLRkgUA1nQZwFGVO4Mqg+WDY:TMaNLRp1nQ4QLd
Malware Config
Signatures
Deletes itself (1 IoCs)
pid Process
2688 cmd.exe
Executes dropped EXE (2 IoCs)
pid Process
3008 Logo1_.exe
2640 555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe
Loads dropped DLL (1 IoCs)
pid Process
2688 cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\K: Logo1_.exe
File opened (read-only) \??\H: Logo1_.exe
File opened (read-only) \??\W: Logo1_.exe
File opened (read-only) \??\Q: Logo1_.exe
File opened (read-only) \??\O: Logo1_.exe
File opened (read-only) \??\I: Logo1_.exe
File opened (read-only) \??\X: Logo1_.exe
File opened (read-only) \??\R: Logo1_.exe
File opened (read-only) \??\N: Logo1_.exe
File opened (read-only) \??\P: Logo1_.exe
File opened (read-only) \??\E: Logo1_.exe
File opened (read-only) \??\Z: Logo1_.exe
File opened (read-only) \??\Y: Logo1_.exe
File opened (read-only) \??\T: Logo1_.exe
File opened (read-only) \??\M: Logo1_.exe
File opened (read-only) \??\L: Logo1_.exe
File opened (read-only) \??\J: Logo1_.exe
File opened (read-only) \??\G: Logo1_.exe
File opened (read-only) \??\V: Logo1_.exe
File opened (read-only) \??\U: Logo1_.exe
File opened (read-only) \??\S: Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description ioc Process
File opened for modification C:\Windows\rundl132.exe Logo1_.exe
File created C:\Windows\Dll.dll Logo1_.exe
File created C:\Windows\rundl132.exe 555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe
File created C:\Windows\Logo1_.exe 555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (43 IoCs)
pid Process
1960 555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe (13 entries)
3008 Logo1_.exe (30 entries)
Suspicious use of WriteProcessMemory (41 IoCs)
description pid Process procid_target
PID 1960 wrote to memory of 3056 1960 555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe 28 (4 entries)
PID 3056 wrote to memory of 2904 3056 net.exe 30 (4 entries)
PID 1960 wrote to memory of 2688 1960 555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe 31 (4 entries)
PID 1960 wrote to memory of 3008 1960 555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe 33 (4 entries)
PID 3008 wrote to memory of 2644 3008 Logo1_.exe 34 (4 entries)
PID 2688 wrote to memory of 2640 2688 cmd.exe 36 (7 entries)
PID 2644 wrote to memory of 2572 2644 net.exe 37 (4 entries)
PID 3008 wrote to memory of 2608 3008 Logo1_.exe 38 (4 entries)
PID 2608 wrote to memory of 2716 2608 net.exe 40 (4 entries)
PID 3008 wrote to memory of 1352 3008 Logo1_.exe 21 (2 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:1352
  C:\Users\Admin\AppData\Local\Temp\555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1960
    C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID:3056
      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID:2904
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a454.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2688
      C:\Users\Admin\AppData\Local\Temp\555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe"
        - Executes dropped EXE
        PID:2640
    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:3008
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID:2644
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID:2572
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID:2608
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID:2716
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 265KB
MD5: 79eab7525c90eddd53b099eb20de6192
SHA1: 72c81bc2f96f74cac04149ebada5ab98daaf7991
SHA256: 173d81becdc11080495a4185a823e50ac9f418495c82df2717c10eed65768598
SHA512: 1e0e604e1a9f5eb7e6af3a1c82b714a3c6d4bcf037a72b0c695f4f4d1428cfce4d664f77d27faac2781c3c8f257c1a8e9a6432771873b99a7bf18f900d222b83

Filesize: 485KB
MD5: 3ac7773258fe0684e8a28f3793a74ed3
SHA1: 316fba91c21ea13e4576a5eeec832fd585c31ca0
SHA256: 9f41dbbbdf4edcf63ba6262af0ae0d9a13874d0e008522af866f12f3e71b198f
SHA512: 8d2647018107b940fe80b5ab979570b9f255764195976272b8c2ee8640b0e91493d5e7fa598b4ce29bda8f87cf495c6c71fd62734d51761b04bb5127eb5b2b4a

Filesize: 721B
MD5: 88f52713dbba5f3ac59e8e7eb3dd72ce
SHA1: 31df9147f22145b4c23c16588e0843f0a587fb2c
SHA256: cb40b2bcca185be37ee83164954d4ea7c93d2b98f3b4d8dbdbe7b51da4d19581
SHA512: b0aaa966711a677a0445e29f23eaf80c61b81f0fbf842fda4759f3df7e1ca071824f570ad54551ef3cd6607b95cee769e8cad32276398a676fde43d4961c93cf

C:\Users\Admin\AppData\Local\Temp\555f54a0ea329f3205f4ec2d266e49a0c421b78e94efd155af7c4d29571703b5.exe.exe
Filesize: 231KB
MD5: 6f581a41167d2d484fcba20e6fc3c39a
SHA1: d48de48d24101b9baaa24f674066577e38e6b75c
SHA256: 3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
SHA512: e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Filesize: 40KB
MD5: 151bab8f081aff19a57fba82f5fcf212
SHA1: 284e23feb67e6b8834158b6233e7351b80f72331
SHA256: a3c1bd441443f9938f1fa54e98d3fac4953823db04e7691474e4e2cea332cdc0
SHA512: 7b55b6207c1105cd1fd1505f44e0511a94d9b8361f132cdd902ac25db76d536fc8c5c2c53f9aa65dc20c6c483072c7848e71677d736192dc3b85af893e04a59f

Filesize: 9B
MD5: 9d187c446579e70f430c5bb5556efc0c
SHA1: 0379a56b3d4a9e75d426a088cd523d01929186b2
SHA256: 544ddbeef004b81b45d0e94b3b745247127ea912498b2037a66e1b9e896ab85f
SHA512: 6844cb10d0d40b145129edd38157ede9fdb8dacf2c8a0888c7478ff1d0346e5dfd451bb297aea18097330751ae7520761e4a51804b8fb60c19541b97c600ddbc