Analysis
-
max time kernel
152s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25/05/2024, 00:35
Static task
static1
Behavioral task
behavioral1
Sample
dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe
Resource
win10v2004-20240226-en
General
-
Target
dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe
-
Size
225KB
-
MD5
1be2b5d30a6472fb7df8961f7d7fbb66
-
SHA1
00ef859167ae69a8047c0bd326db606143692258
-
SHA256
dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2
-
SHA512
a4b066be350cad053b4a2f6490c46cc6d079696d2db3be58196894a9cf91468f7822724eb67ce283283e6b89e2d9498f67e276900213b5d95ee6e4d6cab67f94
-
SSDEEP
3072:akF3pkdeKzC/lzMPySe8DnpeIPipoHbKvXWXz9LRnsaJUS+6wPXD3fxNW7gq5yGP:PFpkdeKzC/leySe8AIqpoHbnDns1ND9m
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2992 Logo1_.exe 3132 dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\jfr\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Trust Protection Lists\Mu\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\uk-ua\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pl-pl\_desktop.ini Logo1_.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\he-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe File created C:\Windows\Logo1_.exe dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe 2992 Logo1_.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 628 wrote to memory of 1304 628 dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe 91 PID 628 wrote to memory of 1304 628 dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe 91 PID 628 wrote to memory of 1304 628 dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe 91 PID 628 wrote to memory of 2992 628 dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe 92 PID 628 wrote to memory of 2992 628 dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe 92 PID 628 wrote to memory of 2992 628 dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe 92 PID 2992 wrote to memory of 4864 2992 Logo1_.exe 94 PID 2992 wrote to memory of 4864 2992 Logo1_.exe 94 PID 2992 wrote to memory of 4864 2992 Logo1_.exe 94 PID 4864 wrote to memory of 4740 4864 net.exe 96 PID 4864 wrote to memory of 4740 4864 net.exe 96 PID 4864 wrote to memory of 4740 4864 net.exe 96 PID 1304 wrote to memory of 3132 1304 cmd.exe 97 PID 1304 wrote to memory of 3132 1304 cmd.exe 97 PID 1304 wrote to memory of 3132 1304 cmd.exe 97 PID 2992 wrote to memory of 3268 2992 Logo1_.exe 57 PID 2992 wrote to memory of 3268 2992 Logo1_.exe 57
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3268
-
C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe"C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF4C0.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe"C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe"4⤵
- Executes dropped EXE
PID:3132
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:4740
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵PID:4956
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
252KB
MD56735a16d04dfac1f92f7ab89c64b071f
SHA1502eaa755229fc80b186faf533cf827c322bab66
SHA2563a071105a38c10f7fa17dcc239337e999b57b68f4bd05c168b2548956931383c
SHA512bfe01bb853f187f68d0fe64da2da4cf1d26c0491eb3183a7c7d5e905a1b1c3db90b84c1cdadb00c7d7f733ef32a9153dfa73de5259d9f1c3d401633145b420a8
-
Filesize
571KB
MD5bab747a805ee67f925718f2624d54a11
SHA13f6fa0fe958f3a43e38c66014443e0c261f46bcc
SHA25603078980fff7ce8873b7e46fd8b79c2a86bb0354fc65268eac2aeff6d981e73e
SHA51265edbfebdfdf27c496f596bac45f63cd4834dbfb171bd2683a15a3d207b489ee65a045a0b78729005b457f551f128f444fba45baa63c8fe8748f422f48431c14
-
Filesize
722B
MD55b48b9faad06525d9632a4e49dbb8ca7
SHA1750b8c73cc0dadc888c85ba345721767347e881d
SHA256f86a69b534206aade43edd225dbfd6d5e78cc015ee300a95f3d71bc6584ac301
SHA512544a422601c1bad4b5e3ad1a275eb16b06d9b26dfeebf167b207e1631bbe41714201f80251feebafb1ba9ea98ae643ee5dde26958be9ff90bac4e2d064828607
-
C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe.exe
Filesize198KB
MD5e133c2d85cff4edd7fe8e8f0f8be6cdb
SHA1b8269209ebb6fe44bc50dab35f97b0ae244701b4
SHA2566c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d
SHA512701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1
-
Filesize
27KB
MD52b90d375fad4e39663e1c00356e9206b
SHA15c84c40605f4af4185647e0a68aafed0ebbdc393
SHA256623973fd332abcafc9944af01d2fe114d0293a00cc29a67300cde94769b337cf
SHA5127c9491cf52bdea6936bb7b2e30562941ca26a41587e5fdd05e02d17e37b773ebf0856092b3030ae31da2ce43196682e96873c0c9adfc8525903b11bf36e4806f
-
Filesize
9B
MD57619ead719f9163af9f64f79eeff7c36
SHA17b956c82fba1f4a0ea8b09ca2e39d89159e21b75
SHA256da9af76d7e3938d1bd300436de0d394ef0453f260a69c94905084222eb3fbb45
SHA51229dd3ef54766931036c2f0d755bb3fc89619e548c95658577930a5a748ac2b2855a9e5ee5601697ebbac8a7d435abd4c9e9e2255b0e455e267e0d95358fa86df