Analysis
  max time kernel: 150s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 25/05/2024, 00:36

Static task: static1

Behavioral task: behavioral1
  Sample: 04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe
  Resource: win10v2004-20240426-en
General
  Target: 04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe
  Size: 64KB
  MD5: 648d6dc6ebff924db713bc75e30249de
  SHA1: 875be1687f0280f9284c3fcd60c2a7be5d2692ef
  SHA256: 04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca
  SHA512: 3af59397a2e556ca08afd453a632e2cfea71210caa3c1cf65e2a6a8f898353de87afb9e4248b956cca6cc6b62bd94cba72d5c5e0a93bdc621ebf6524981c3eff
  SSDEEP: 1536:Kz3SHmLKarIpYCriw+d9bHrkT5gUHz7FxtJ:akF3pxrBkfkT5xHzD
Malware Config
Signatures

Deletes itself (1 IoC)
  pid 2912  cmd.exe

Executes dropped EXE (2 IoCs)
  pid 2916  Logo1_.exe
  pid 2708  04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe

Loads dropped DLL (1 IoC)
  pid 2912  cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\Y:, \??\S:, \??\Q:, \??\N:, \??\M:, \??\K:, \??\Z:, \??\I:, \??\U:, \??\T:, \??\R:, \??\E:, \??\H:, \??\X:, \??\W:, \??\V:, \??\P:, \??\O:, \??\L:, \??\J:, \??\G:
Drops file in Program Files directory (64 IoCs, all by Logo1_.exe)
Drops file in Windows directory (4 IoCs)
  File created                C:\Windows\rundl132.exe   04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe
  File created                C:\Windows\Logo1_.exe     04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe
  File opened for modification C:\Windows\rundl132.exe  Logo1_.exe
  File created                C:\Windows\vDll.dll       Logo1_.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2916  Logo1_.exe  (10 events)
Suspicious use of WriteProcessMemory (22 IoCs)
  source PID  source process                                                              target PID  procid_target  count
  2972        04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe        2912        28             4
  2972        04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe        2916        29             4
  2916        Logo1_.exe                                                                  2648        31             4
  2912        cmd.exe                                                                     2708        33             4
  2648        net.exe                                                                     2928        34             4
  2916        Logo1_.exe                                                                  1208        21             2
Processes
  [1] C:\Windows\Explorer.EXE  (PID 1208)
      command line: C:\Windows\Explorer.EXE
    [2] C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe  (PID 2972)
        command line: "C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe"
        signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\cmd.exe  (PID 2912)
          command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a146B.bat
          signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe  (PID 2708)
            command line: "C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe"
            signatures: Executes dropped EXE
      [3] C:\Windows\Logo1_.exe  (PID 2916)
          command line: C:\Windows\Logo1_.exe
          signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        [4] C:\Windows\SysWOW64\net.exe  (PID 2648)
            command line: net stop "Kingsoft AntiVirus Service"
            signatures: Suspicious use of WriteProcessMemory
          [5] C:\Windows\SysWOW64\net1.exe  (PID 2928)
              command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads