Analysis
max time kernel: 150s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/05/2024, 00:36
Static task: static1
Behavioral task: behavioral1
  Sample: 61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe
  Resource: win10v2004-20240508-en
General
Target: 61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe
Size: 68KB
MD5: 23f8010c15a4e25ee61c616bfd27b700
SHA1: dfee92c5b7bc4e3fafd36de439a88564a4df47a1
SHA256: 61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4
SHA512: 4507de6945e05ad1cc989f0917975ddb9d58a5d5c49469eb0a6e095caae8a8fca19bb8390b81f4a44395885f7e4831cf1c39f7519786e785886b84e9a3dbc8f5
SSDEEP: 1536:Kz3SHmLKarIpYeEToa9D4ZQKbgZi1dst7x9PxQ:akF3pdlZQKbgZi1St7xQ
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  4356  Logo1_.exe
  2596  61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)   Process: Logo1_.exe
  ioc: \??\Y: \??\O: \??\L: \??\K: \??\J: \??\I: \??\V: \??\R: \??\Q: \??\N: \??\M: \??\H: \??\W: \??\U: \??\G: \??\E: \??\Z: \??\X: \??\T: \??\S: \??\P:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\rundl132.exe  61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe
  File created                  C:\Windows\Logo1_.exe    61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created                  C:\Windows\vDll.dll      Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   Process
  4356  Logo1_.exe  (20 identical entries)
Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 4180 wrote to memory of 4264  4180  61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe  83
  PID 4180 wrote to memory of 4264  4180  61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe  83
  PID 4180 wrote to memory of 4264  4180  61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe  83
  PID 4180 wrote to memory of 4356  4180  61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe  84
  PID 4180 wrote to memory of 4356  4180  61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe  84
  PID 4180 wrote to memory of 4356  4180  61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe  84
  PID 4356 wrote to memory of 2348  4356  Logo1_.exe                                                              85
  PID 4356 wrote to memory of 2348  4356  Logo1_.exe                                                              85
  PID 4356 wrote to memory of 2348  4356  Logo1_.exe                                                              85
  PID 2348 wrote to memory of 3084  2348  net.exe                                                                 88
  PID 2348 wrote to memory of 3084  2348  net.exe                                                                 88
  PID 2348 wrote to memory of 3084  2348  net.exe                                                                 88
  PID 4264 wrote to memory of 2596  4264  cmd.exe                                                                 89
  PID 4264 wrote to memory of 2596  4264  cmd.exe                                                                 89
  PID 4356 wrote to memory of 3532  4356  Logo1_.exe                                                              56
  PID 4356 wrote to memory of 3532  4356  Logo1_.exe                                                              56
Processes
  1. C:\Windows\Explorer.EXE
     command line: C:\Windows\Explorer.EXE
     PID: 3532
     2. C:\Users\Admin\AppData\Local\Temp\61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe"
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        PID: 4180
        3. C:\Windows\SysWOW64\cmd.exe
           command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a42D5.bat
           - Suspicious use of WriteProcessMemory
           PID: 4264
           4. C:\Users\Admin\AppData\Local\Temp\61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\61aa87cf72e04e2782ec617fe213b8c7d7b39e6ebb1c881d51ce5cf4727f91d4.exe"
              - Executes dropped EXE
              PID: 2596
        3. C:\Windows\Logo1_.exe
           command line: C:\Windows\Logo1_.exe
           - Executes dropped EXE
           - Enumerates connected drives
           - Drops file in Program Files directory
           - Drops file in Windows directory
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory
           PID: 4356
           4. C:\Windows\SysWOW64\net.exe
              command line: net stop "Kingsoft AntiVirus Service"
              - Suspicious use of WriteProcessMemory
              PID: 2348
              5. C:\Windows\SysWOW64\net1.exe
                 command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                 PID: 3084
Network
MITRE ATT&CK Enterprise v15
Downloads