Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 27/05/2024, 14:54
Static task: static1
Behavioral task: behavioral1
Sample: 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe
Resource: win7-20240419-en

General
Target: 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe
Size: 5.7MB
MD5: 9801aeac198b42944dff1f476de6e746
SHA1: 378e7e7918e4deaf286a550120d31fb8e44dfa92
SHA256: 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff
SHA512: 12ce5b322088f7ec63f5ff8798db0840dcaf7b7e0b5e3f32ac7385fae44d17f594d45f6bf33866ee4aa00a3374f412242cc6e16de9939da2d2f7ff2490fc7370
SSDEEP: 49152:iPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:0KUgTH2M2m9UMpu1QfLczqssnKSk
Malware Config
Signatures
Deletes itself (1 IoC)
pid | Process
2336 | cmd.exe

Executes dropped EXE (2 IoCs)
pid | Process
2612 | Logo1_.exe
2824 | 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe

Loads dropped DLL (1 IoC)
pid | Process
2336 | cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe
File created | C:\Windows\Logo1_.exe | 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (43 IoCs)
pid | Process
3020 | 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe
2612 | Logo1_.exe
Suspicious use of WriteProcessMemory (34 IoCs)
description | pid | Process | procid_target
PID 3020 wrote to memory of 1828 | 3020 | 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe | 28
PID 1828 wrote to memory of 2780 | 1828 | net.exe | 30
PID 3020 wrote to memory of 2336 | 3020 | 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe | 31
PID 3020 wrote to memory of 2612 | 3020 | 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe | 33
PID 2612 wrote to memory of 2604 | 2612 | Logo1_.exe | 34
PID 2604 wrote to memory of 2488 | 2604 | net.exe | 37
PID 2612 wrote to memory of 2764 | 2612 | Logo1_.exe | 38
PID 2764 wrote to memory of 2396 | 2764 | net.exe | 40
PID 2612 wrote to memory of 1152 | 2612 | Logo1_.exe | 20
Processes
C:\Windows\Explorer.EXE (PID 1152)
  Command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe (PID 3020)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 1828)
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 2780)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    C:\Windows\SysWOW64\cmd.exe (PID 2336)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1861.bat
      - Deletes itself
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe (PID 2824)
        Command line: "C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 2612)
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 2604)
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2488)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      C:\Windows\SysWOW64\net.exe (PID 2764)
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2396)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads