Analysis

Max time kernel: 150s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 27/05/2024, 14:55

Static task: static1
Behavioral task: behavioral1
Sample: 59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe
Resource: win7-20240221-en

General

Target: 59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe
Size: 9.1MB
MD5: 72e96da3c1660ba9e96e533e94bff3a1
SHA1: baf5a4553c4b31a750d14558faee20970bca5acf
SHA256: 59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e
SHA512: 1ad449ff7d603ebf2c74c65d14ed8c5e64f4da13901e0e314bd1b50e3281fb316fe487a6f502663e5c7fe443646e4a292db600481534514a01cafd0513d222e4
SSDEEP: 98304:SpE4kgB6lqEoBaF0yJERySnnxdiJU5GkGJoY:Sp1b2yyJERySnriJUtGJoY
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  2500  cmd.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2528  Logo1_.exe
  2628  59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2500  cmd.exe
  2500  cmd.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\Q:, \??\J:, \??\I:, \??\G:, \??\R:, \??\Y:, \??\X:, \??\W:, \??\V:, \??\U:, \??\N:, \??\L:, \??\Z:, \??\E:, \??\H:, \??\S:, \??\P:, \??\O:, \??\M:, \??\K:, \??\T:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\Dll.dll       Logo1_.exe
  File created                  C:\Windows\rundl132.exe  59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe
  File created                  C:\Windows\Logo1_.exe    59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (43 IoCs, from two processes)
  pid   Process
  2164  59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe
  2528  Logo1_.exe
Suspicious use of WriteProcessMemory (38 IoCs; distinct source/target pairs listed)
  PID   Process                                                                 wrote to memory of  procid_target
  2164  59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe   2120                28
  2120  net.exe                                                                 2536                30
  2164  59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe   2500                31
  2164  59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe   2528                33
  2528  Logo1_.exe                                                              2660                34
  2660  net.exe                                                                 2860                36
  2500  cmd.exe                                                                 2628                37
  2528  Logo1_.exe                                                              1868                38
  1868  net.exe                                                                 2424                40
  2528  Logo1_.exe                                                              1192                21
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1192

  [2] C:\Users\Admin\AppData\Local\Temp\59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe"
      Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 2164

    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 2120

      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2536

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2923.bat
        Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
        PID: 2500

      [4] C:\Users\Admin\AppData\Local\Temp\59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe"
          Signatures: Executes dropped EXE
          PID: 2628

    [3] C:\Windows\Logo1_.exe
        Command line: C:\Windows\Logo1_.exe
        Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        PID: 2528

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net stop "Kingsoft AntiVirus Service"
          Signatures: Suspicious use of WriteProcessMemory
          PID: 2660

        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID: 2860

      [4] C:\Windows\SysWOW64\net.exe
          Command line: net stop "Kingsoft AntiVirus Service"
          Signatures: Suspicious use of WriteProcessMemory
          PID: 1868

        [5] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID: 2424
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 258KB
MD5: b0f0ba2ced2322f9b443c020b49aba8e
SHA1: 91b3403975535602f6efea9706c4cc8d8b4c10b5
SHA256: 708c46a3f135edb785d489050463c9e5acb5f96c089577eb2f806438b4da6a12
SHA512: 9e96244b2f2a4370055ad8bc6600452921bc6cb7766457fc8d700938ca620d2e6722aa2bab8f97ff562a9bc4f54ff70a6de05614a7e781742be78ab32586952f

Filesize: 478KB
MD5: a64e221e7aa252d2cafadf779e374ad0
SHA1: 5043394894c490e1964e52918ac6648359046dbc
SHA256: a183bc22f75dc7df2202c1d3100d4e20ca73028a03dff5b81a5864de0fedcad0
SHA512: ed60c60a6897a7744ae96ac4a783b18ab8925edcd66e4155dc48b8f56f252f521649d59f35b1680856e30e0aed3d0dad62acd39148cccf7779706467b57f0283

Filesize: 722B
MD5: e9f9541799ad76146d2c71bae7892fba
SHA1: 6b8bd8b7683577dc5210e970f4e02d063723b2c1
SHA256: 55b200a8b738eac7693f9527870151a3fe56b57d34799cd046dfe5c12b8dfa7a
SHA512: 1025f7ef084faa68b16b519cc9a4002da4500bf4b59281ab30dc5a0bae65df865d6ba331b171e61b23d4b1288ac8edf82e4ad9115aef8613894a4d05e12e6ae6

C:\Users\Admin\AppData\Local\Temp\59e62592a1b00c92c45bcfb318d6b7cf0e2efb5840474944410a62954d78283e.exe.exe
Filesize: 9.0MB
MD5: 4f4608dd4d3246360a9c53b14d4e3ad7
SHA1: 8774ebd330496951e156d3fd08170f1e14c76401
SHA256: 0e886c735baf30f4a7c9f91751fc631624c0ded01b76d9570aa26f2289a28c8e
SHA512: 07c635e9469934274481d7158f422e3d3483ab06e50658697edd0f133dfbf5096c04605fe3ce50a8215a0c6ace3c6b5123bd6b76b36d004b1ef3b9cc26b1225c

Filesize: 33KB
MD5: a0b93ff728f6114ae0074a2b4a5bcd47
SHA1: e795935cb0e0cb344e27bda4899f238a77af6258
SHA256: 45d9f916a1fa961daa8391edf289e7a0d76f055af591c873f7b9215b9c2224cb
SHA512: 0ef7dc4a992dae6fe8b59addbafebdf1cc1d2fdf13b33a4e09d0740718bb61d2a8ccfd19eb505e00f119bfe266fac800a0dc541d2d5eefe29ea68cc693619160

Filesize: 9B
MD5: fa1e1ef0fdda97877a13339b28fa95e5
SHA1: 7e2cffca41118e7b2d62963bd940630b15b85653
SHA256: 968b715c081472526487d60da8968e9b3bde2dac103f69beb3f6abe6ef7bc191
SHA512: 3d55913a97aa89a7201342705640c1d031d19ad8aca4939219067f84e3fe118f47b4e388f490f69f605683d3854425c3de188f731886405474ae8e3d42c86f4f