Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 16:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe
Resource
win7-20240221-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe
-
Size
68KB
-
MD5
cf08282c66ca9fa57bed18d079cd2cfa
-
SHA1
c69021c3ce39aa135aa824a8d9f4188f9a89881c
-
SHA256
c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89
-
SHA512
850dadcf963a89631458691b8ed35cbf49417b598d048273c9a25593db00eecdf4067e4b43bed8517a9021e973e01049141d969ce36082db651b886db02a0ea2
-
SSDEEP
1536:G3SHmLKarIpYeEToa9D4ZQKbgZi1dst7x9PxQ:GkF3pdlZQKbgZi1St7xQ
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4404 Logo1_.exe 1004 c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-sl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\en-us\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-sl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ta-IN\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\identity_proxy\win11\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Defender\ja-JP\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe File created C:\Windows\Logo1_.exe c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe 4404 Logo1_.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4504 wrote to memory of 5048 4504 c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe 91 PID 4504 wrote to memory of 5048 4504 c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe 91 PID 4504 wrote to memory of 5048 4504 c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe 91 PID 4504 wrote to memory of 4404 4504 c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe 93 PID 4504 wrote to memory of 4404 4504 c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe 93 PID 4504 wrote to memory of 4404 4504 c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe 93 PID 4404 wrote to memory of 3640 4404 Logo1_.exe 94 PID 4404 wrote to memory of 3640 4404 Logo1_.exe 94 PID 4404 wrote to memory of 3640 4404 Logo1_.exe 94 PID 5048 wrote to memory of 1004 5048 cmd.exe 96 PID 5048 wrote to memory of 1004 5048 cmd.exe 96 PID 3640 wrote to memory of 748 3640 net.exe 97 PID 3640 wrote to memory of 748 3640 net.exe 97 PID 3640 wrote to memory of 748 3640 net.exe 97 PID 4404 wrote to memory of 3348 4404 Logo1_.exe 57 PID 4404 wrote to memory of 3348 4404 Logo1_.exe 57
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3348
-
C:\Users\Admin\AppData\Local\Temp\c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe"C:\Users\Admin\AppData\Local\Temp\c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a16BF.bat3⤵
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe"C:\Users\Admin\AppData\Local\Temp\c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe"4⤵
- Executes dropped EXE
PID:1004
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:748
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵PID:4836
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
252KB
MD5aec3e70823702612922f49926cf46330
SHA1fb47f88132379cd37da9bd89fbe6fcfcd494f07b
SHA25629d99176f47551e7c03ecfb289ea8cc1f92bc71ebeeaf6bc723af95296076e65
SHA512c0ae6694745b36c72a2e9db678d10cc5e24e4cb8a99452f7e2b2bbfdc72ce92091fb14877635decb5a35e47884fdb14ec5ddcea9e5f7aad5805b748fd67de2ae
-
Filesize
957KB
MD580bf260df89c057496376d984effe1be
SHA12a1cd97d1496ce99bd67a4ac87b02313a309c3b6
SHA2568a30e5aa083682fefadfcb4150113ea4da4f9e1081c3e99669106f4e31e3f4b7
SHA512d3b0629145e2d579421ad0409996c0b21a4f1a34720de58f6cdde69cd267cef085128cc3aadb81e654634699e6c18cce3284eef7abb55ad1156fdecb20a1c596
-
Filesize
722B
MD521c9404c20ebc042781728be0a512095
SHA1c7c1d0f308c54ebb71527251c4dfdb9d0dba9f4d
SHA256ddda8a83bdd6f38732755cec314be7e7af2b3b8db1c9d12aa05535b75bf9fe37
SHA51258a5c55d42f71fb82207950f8febac33effd8d6e05551bc3d95503ad08e34228932683d2b5ad02a8466cdf3082e6484d9abdc249b963a3fb5ec1c04297848c1c
-
C:\Users\Admin\AppData\Local\Temp\c5cbb3894f71286134c0370b43cffce1eb7966826a202a2d686971ca0d0aef89.exe.exe
Filesize41KB
MD5977e405c109268909fd24a94cc23d4f0
SHA1af5d032c2b6caa2164cf298e95b09060665c4188
SHA256cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f
SHA51212b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5
-
Filesize
27KB
MD5eb1a02b78a20cabcf7ec612b31700373
SHA16aeb98e4840a711543aa21fba7251e6b2cbeca17
SHA2567e805b33bc963ed5068d2893a702b600784332685f56d06c27e685f6d1f6ef81
SHA512890d593d65cccd73e5fefc8b675c5384a801d60fd2c86c48c06361f8944f01097f3e33e9ceac5cc147c4ed9fc10ed051f35d1bf54b33c8226b94ac9134823381
-
Filesize
9B
MD5304501c003da3bc5756aa53a757c30cc
SHA194dfcea0ef17f89b3a60a85a07edb4c00170cc1c
SHA2569f4b03cbd52378f329bfc7088f8242bbc1a0a2754bc2f8a40e3b74e0dedecd6e
SHA51278cd3c2cb4cb66e41d8947e1231256c2043d71c77f97e92915e938a6c1d9a8c003512027d98bc71bf582875d269e5fbe6e134f57b25f5f79fe16f9a412387dc8