Analysis

max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/05/2024, 14:55
Static task: static1
Behavioral task: behavioral1
Sample: 5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
Resource: win7-20240221-en
General

Target: 5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
Size: 47KB
MD5: a5b10f2d2b138f11d8985765bcb9f8eb
SHA1: aaf6cdb38c6650fae32fa17abb4d2d8a0eed388f
SHA256: 5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d
SHA512: 026bc2a5a10a9723fc036083436ca07a16fcc62370f0ad599a1bdad77a51e4d24a582eebe2df9010affa045910646f22a456ca67d0dbb00b1df50e66d3031755
SSDEEP: 768:F/M3UpQFJFKZj1PVs9Ag1vzbExhU1GBRSkjiFWQ3655Kv1X/qY1MSd:Fecx1aeg1vye1MRS5HqaNrFd
Malware Config
Signatures

Deletes itself (1 IoC)
  PID 2636  cmd.exe

Executes dropped EXE (2 IoCs)
  PID 2688  Logo1_.exe
  PID 2576  5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe

Loads dropped DLL (1 IoC)
  PID 2636  cmd.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe, one entry per drive letter (every letter from E: to Z: except F:):
  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Program Files directory (64 IoCs)
  All 64 entries are by Logo1_.exe. Six of the targets are existing executables opened for modification (DW20.EXE, wabmig.exe, jar.exe, bckgzm.exe, pingsender.exe, kinit.exe); the other 58 are _desktop.ini files, either created or opened for modification.
  opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\_desktop.ini
  created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini
  created                  C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini
  opened for modification  C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini
  opened for modification  C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini
  created                  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_desktop.ini
  created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini
  created                  C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini
  created                  C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini
  opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini
  opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini
  created                  C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini
  created                  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini
  opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini
  created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini
  opened for modification  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini
  opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
  opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini
  opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini
  created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini
  created                  C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini
  created                  C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini
  created                  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini
  opened for modification  C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini
  opened for modification  C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini
  opened for modification  C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini
  opened for modification  C:\Program Files\Windows Mail\wabmig.exe
  created                  C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini
  created                  C:\Program Files\Microsoft Games\More Games\_desktop.ini
  opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini
  created                  C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini
  created                  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini
  opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini
  opened for modification  C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini
  created                  C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini
  created                  C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini
  opened for modification  C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini
  created                  C:\Program Files\Windows Journal\_desktop.ini
  opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
  opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini
  opened for modification  C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini
  opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe
  created                  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini
  opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini
  created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini
  created                  C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini
  opened for modification  C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini
  created                  C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini
  opened for modification  C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini
  created                  C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini
  opened for modification  C:\Program Files\Mozilla Firefox\pingsender.exe
  created                  C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini
  opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini
  created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini
  opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
  created                  C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini
  opened for modification  C:\Program Files\Windows Sidebar\es-ES\_desktop.ini
  opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini
  created                  C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini
  opened for modification  C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini
  opened for modification  C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini
  opened for modification  C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini
  opened for modification  C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini
  created                  C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini
Drops file in Windows directory (4 IoCs)
  created                  C:\Windows\rundl132.exe  by 5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
  created                  C:\Windows\Logo1_.exe    by 5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
  opened for modification  C:\Windows\rundl132.exe  by Logo1_.exe
  created                  C:\Windows\Dll.dll       by Logo1_.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses (43 IoCs)
  PID 2744  5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe  13 events
  PID 2688  Logo1_.exe                                                             30 events

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2576  5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe

Suspicious use of WriteProcessMemory (41 IoCs)
  Grouped by writer and target. "sample" is 5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe; target process names are taken from the process tree below; procid_target is the sandbox's own process index.
  writer PID  writer process  target PID  target process  procid_target  count
  2744        sample          2488        net.exe         28             4
  2488        net.exe         2844        net1.exe        30             4
  2744        sample          2636        cmd.exe         31             4
  2744        sample          2688        Logo1_.exe      33             4
  2688        Logo1_.exe      2616        net.exe         34             4
  2616        net.exe         2524        net1.exe        36             4
  2636        cmd.exe         2576        sample          37             7
  2688        Logo1_.exe      2704        net.exe         38             4
  2704        net.exe         2196        net1.exe        40             4
  2688        Logo1_.exe      1192        Explorer.EXE    21             2
  The last row is the only write into a process the sample did not spawn itself: Logo1_.exe writes into the Explorer.EXE shell (PID 1192).
Processes

C:\Windows\Explorer.EXE  (PID 1192)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe  (PID 2744)
    command line: "C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe  (PID 2488)
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe  (PID 2844)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

    C:\Windows\SysWOW64\cmd.exe  (PID 2636)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7B29.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe  (PID 2576)
        command line: "C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe"
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam

    C:\Windows\Logo1_.exe  (PID 2688)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe  (PID 2616)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2524)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

      C:\Windows\SysWOW64\net.exe  (PID 2704)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2196)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
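The process tree above gives three behaviours worth turning into host-level detections: net.exe stopping an antivirus service (three times, from the sample and from Logo1_.exe), executables dropped directly into C:\Windows under names that imitate system binaries (rundl132.exe for rundll32.exe), and a single process leaving a _desktop.ini in dozens of Program Files folders. The Python below is an added example, not part of the sandbox report or of the sample; it runs those three checks over a handful of constructed Sysmon-style events modelled on the report, with one benign control event per check. The event shape, the AV keyword list and the list of imitated binary names are assumptions, not anything the report states.

```python
import ntpath
import re
from collections import Counter

# Constructed Sysmon-style events modelled on the report above; this is not
# sandbox output. Each check also gets one benign control event.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe")
LOGO1 = r"C:\Windows\Logo1_.exe"
EVENTS = [
    {"kind": "process", "pid": 2744, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"kind": "process", "pid": 2488, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"kind": "process", "pid": 2844, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"kind": "process", "pid": 3100, "image": r"C:\Windows\System32\net.exe",
     "cmd": "net stop Spooler"},  # control: an admin stopping an ordinary service
    {"kind": "file", "pid": 2744, "image": SAMPLE, "path": r"C:\Windows\rundl132.exe"},
    {"kind": "file", "pid": 2744, "image": SAMPLE, "path": LOGO1},
    {"kind": "file", "pid": 2688, "image": LOGO1, "path": r"C:\Windows\Dll.dll"},
    {"kind": "file", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\Logs\CBS\CBS.log"},  # control: a subdirectory, not the root
    {"kind": "file", "pid": 1192, "image": r"C:\Windows\Explorer.EXE",
     "path": r"C:\Users\Admin\Pictures\desktop.ini"},  # control: a real desktop.ini
] + [
    {"kind": "file", "pid": 2688, "image": LOGO1, "path": p}
    for p in (  # six of the 64 _desktop.ini drops listed in the report
        r"C:\Program Files\Windows Journal\_desktop.ini",
        r"C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini",
        r"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini",
        r"C:\Program Files\Microsoft Games\More Games\_desktop.ini",
        r"C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini",
        r"C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini",
    )
]

# Assumed keyword list for service names that belong to security products.
AV_KEYWORDS = ("antivirus", "anti-virus", "kingsoft", "defender", "security", "protect")
STOP_RE = re.compile(r'\bstop\s+"?(.+?)"?\s*$', re.IGNORECASE)


def av_service_stops(events):
    """net.exe / net1.exe 'stop' commands naming a service that looks like a
    security product. Returns a list of (pid, service name)."""
    hits = []
    for e in events:
        if e["kind"] != "process":
            continue
        if ntpath.basename(e["image"]).lower() not in ("net.exe", "net1.exe"):
            continue
        m = STOP_RE.search(e["cmd"])
        if m and any(k in m.group(1).lower() for k in AV_KEYWORDS):
            hits.append((e["pid"], m.group(1)))
    return hits


# Assumed list of well-known binary names that droppers imitate.
IMITATED_BINARIES = ("rundll32.exe", "regsvr32.exe", "svchost.exe", "explorer.exe",
                     "lsass.exe", "csrss.exe", "winlogon.exe", "notepad.exe")


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def windows_root_drops(events):
    """Files created directly in C:\\Windows (not in a subdirectory). Each hit is
    (pid, file name, imitated binary or None); a name exactly one edit away from
    a well-known system binary is reported as a look-alike."""
    hits = []
    for e in events:
        if e["kind"] != "file":
            continue
        parent, name = ntpath.split(e["path"])
        if parent.lower() != r"c:\windows":
            continue
        lookalike = next((legit for legit in IMITATED_BINARIES
                          if legit != name.lower() and edit_distance(name.lower(), legit) == 1),
                         None)
        hits.append((e["pid"], name, lookalike))
    return hits


def mass_marker_files(events, marker="_desktop.ini", threshold=5):
    """PIDs that create the same marker file name in at least `threshold` folders
    under Program Files; a process walking the tree leaves one per directory
    (the report shows 58 such files from one PID). Returns {pid: count}."""
    per_pid = Counter()
    for e in events:
        if e["kind"] != "file":
            continue
        parent, name = ntpath.split(e["path"])
        if name.lower() == marker and parent.lower().startswith(r"c:\program files"):
            per_pid[e["pid"]] += 1
    return {pid: n for pid, n in per_pid.items() if n >= threshold}


if __name__ == "__main__":
    print("AV service stops:", av_service_stops(EVENTS))
    print("Drops in C:\\Windows root:", windows_root_drops(EVENTS))
    print("Mass _desktop.ini writers:", mass_marker_files(EVENTS))
```

The control events matter as much as the hits: "net stop Spooler" is routine administration, a log written under C:\Windows\Logs is not a root drop, and a real desktop.ini (no leading underscore) written by Explorer is normal shell behaviour. The look-alike check deliberately uses an edit distance of exactly one so that a dropper reusing a genuine name such as explorer.exe is still reported as a root drop, just without a look-alike annotation.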
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (path not listed)
  Filesize: 258KB
  MD5: 0b13bc356da9ab8c8c3b34a9cc4b1b77
  SHA1: eae4523bb908335e1c253cf339f20c80746b7735
  SHA256: 35269339dfac2f4ff18e696d97215de68692d671da2224aa8327ceadcafc09dd
  SHA512: 6a7ee3e68114f51c4898c66ea0d9cb1c885fa38188947c700773190885ec543a2eaa83b851b14697fbcb5bdf28b2741ab36dd61c994884c46e504bdf57e62bf8

File 2 (path not listed)
  Filesize: 478KB
  MD5: 5700ba4e3909c1880d8210357d85dc81
  SHA1: f24e2100cc3cee398eb116957faa839e69e73d0a
  SHA256: 853f0d42da7e7db96eda3ffc261acbf0ae35585311d8919f8cd87c2984c1e1bd
  SHA512: e54dd8ba25b56287ef4c4f6d427df62f5dca49c5bf6095146c86cbfc35238506aa1015d0e470663392f5470e2cd7eed838e60c105183dbe51a496f75098e8c8c

File 3 (path not listed)
  Filesize: 722B
  MD5: 20208c019eb5693aa0626fece8da52bc
  SHA1: ca6235b8bf045bff955eae3a98196c81a734f420
  SHA256: 4d48427db29538fc5abdce6b2b4571a6332437de284e690b21b1075865623f92
  SHA512: 867d4e2327e10d542252884afc7f5441c70749cb58afe1a9c573180844a3c0403679f84fef468fd9eda3db0366d83aead2c6ba592dba528ff745943ddb7f7964

C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe.exe
  Filesize: 14KB
  MD5: ad782ffac62e14e2269bf1379bccbaae
  SHA1: 9539773b550e902a35764574a2be2d05bc0d8afc
  SHA256: 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
  SHA512: a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

File 5 (path not listed)
  Filesize: 33KB
  MD5: 021a2a0555836de111f013f5eeaaa5f7
  SHA1: 2d6048f2500d31afe6028b89936901de4f59e0c3
  SHA256: 9e9e8520278bfdad09f0e7caee657288c69006bf8d40cda2ff811a14fc6db2e5
  SHA512: d2b9f264971ddafab44bff6584d74ce983635a0a727646068bf0c7d2db26ca524b6a4d343726f1dae93548230a9e2686691e22ddcc0e018df1bdd0bd18af9032

File 6 (path not listed)
  Filesize: 9B
  MD5: fa1e1ef0fdda97877a13339b28fa95e5
  SHA1: 7e2cffca41118e7b2d62963bd940630b15b85653
  SHA256: 968b715c081472526487d60da8968e9b3bde2dac103f69beb3f6abe6ef7bc191
  SHA512: 3d55913a97aa89a7201342705640c1d031d19ad8aca4939219067f84e3fe118f47b4e388f490f69f605683d3854425c3de188f731886405474ae8e3d42c86f4f