Analysis
Max time kernel: 149s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 29/05/2024, 14:13
Static task: static1
Behavioral task: behavioral1
Sample: 1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
Resource: win7-20240221-en
General
Target: 1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
Size: 285KB
MD5: 66446804f070ed82c3819c50e4b9599f
SHA1: b0d8a8d131fdcae99bd93e57871ab0c20451a34a
SHA256: 1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d
SHA512: f4b16c64c2118fb74d1b78af91b1ce8e40e3f7d524cd593ab66a3ee7f57dad75923af0a4d43689e044f55226acf1bbfe360e997f46b3ae261adfe2ebfb787ce0
SSDEEP: 6144:81NM5pfMTi0+lfh+L5qe9T5q4GAFzWTBPMmC1UC6fOaU:81upfMTi0uhMqe9ts2zWTpMmCG7W
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2864, cmd.exe
Executes dropped EXE (2 IoCs)
  PID 2984, Logo1_.exe
  PID 2936, 1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe
Loads dropped DLL (2 IoCs)
  PID 2864, cmd.exe (listed twice)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\rundl132.exe (1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe)
  File created: C:\Windows\Logo1_.exe (1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe)
  File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
  File created: C:\Windows\Dll.dll (Logo1_.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (43 IoCs)
Suspicious use of WriteProcessMemory (38 IoCs)
Processes
C:\Windows\Explorer.EXE (PID 1268)
  Command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe (PID 1244)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe"
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 1440)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 872)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    C:\Windows\SysWOW64\cmd.exe (PID 2864)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9647.bat
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe (PID 2936)
        Command line: "C:\Users\Admin\AppData\Local\Temp\1270e1552e4f4aadb1cd88341ff2c78cfabbe26b235939d533bac1d49f40db3d.exe"
        Signatures: Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 2984)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 3044)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2704)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      C:\Windows\SysWOW64\net.exe (PID 2452)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2724)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads