Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 27/05/2024, 14:55
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe
  - Resource: win7-20240220-en
General
- Target: 90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe
- Size: 92KB
- MD5: 5d8face1052ebfdc2d4f79fbb894029e
- SHA1: 35585f9d75f973bd7e704bbedbee0b71d9daf3b9
- SHA256: 90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e
- SHA512: 6df52351cb91e1b88fe78ca820604b49d16335f440a32365220df0f153f8bb69285a8c4f6cb3c9e07dd8ebb6115d5b53e971ef1a710a4f5609d3ecc612d44bb4
- SSDEEP: 1536:FNcx1aeg1vye1MRSryapmebn4ddJZeY86iLflLJYEIs67rxo:FNf9qe1ISGLK4ddJMY86ipmns6S
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2496, process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2652, process Logo1_.exe
  pid 2792, process 90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe
- Loads dropped DLL (1 IoC)
  pid 2496, process cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\Logo1_.exe | 90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\Dll.dll | Logo1_.exe
  File created | C:\Windows\rundl132.exe | 90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
- Suspicious use of WriteProcessMemory (38 IoCs)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1100
  - C:\Users\Admin\AppData\Local\Temp\90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe"
    PID: 2908
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 1840
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 2584
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a18BE.bat
      PID: 2496
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe"
        PID: 2792
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 2652
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2516
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2684
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2564
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2392
Network
MITRE ATT&CK Enterprise v15
Downloads