Analysis
max time kernel: 152s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 10:43
Static task: static1
Behavioral task: behavioral1
  Sample: b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe
  Resource: win10v2004-20240226-en
General
Target: b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe
Size: 100KB
MD5: 50458e0e3de0cd602647b63607892642
SHA1: c5f443fd65e717ecee1af1f2148be813283c299d
SHA256: b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693
SHA512: 8a3055fcaa672def4b1efd38b9bedff8f3ef639a3fc6c113a4d793cfa5169ddcd4d6c1c8b9cec5160ea5eb5f0d18e861c8915cef801075074a9632989c7fd371
SSDEEP: 768:Uf1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLHxurmSoqCzX3zIp8J80CpxuUe0Cp:UNfgLdQAQfcfymNnLzkTEuL7lfT9S
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
4488  Logo1_.exe
3668  b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description                   ioc                      Process
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created                  C:\Windows\vDll.dll      Logo1_.exe
File created                  C:\Windows\rundl132.exe  b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe
File created                  C:\Windows\Logo1_.exe    b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid   Process
4488  Logo1_.exe  (identical entry repeated 20 times)
Suspicious use of WriteProcessMemory (16 IoCs)
description                        pid   Process                                                                  procid_target  count
PID 4768 wrote to memory of 768    4768  b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe  92             3
PID 4768 wrote to memory of 4488   4768  b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe  94             3
PID 4488 wrote to memory of 5076   4488  Logo1_.exe                                                               95             3
PID 768 wrote to memory of 3668    768   cmd.exe                                                                  97             2
PID 5076 wrote to memory of 4956   5076  net.exe                                                                  98             3
PID 4488 wrote to memory of 3300   4488  Logo1_.exe                                                               57             2
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3300
  C:\Users\Admin\AppData\Local\Temp\b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 4768
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD59.bat
      Signatures: Suspicious use of WriteProcessMemory
      PID: 768
      C:\Users\Admin\AppData\Local\Temp\b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\b1639bc7a4813b7ba22c49c0050e93e7a1e25942f12a862c46c73bc99054e693.exe"
        Signatures: Executes dropped EXE
        PID: 3668
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 4488
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 5076
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4956
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
  PID: 4552
Network
MITRE ATT&CK Enterprise v15
Downloads