Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30/05/2024, 03:29
Static task
static1
Behavioral task
behavioral1
Sample
33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
Resource
win10v2004-20240226-en
General
Target: 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
Size: 959KB
MD5: ecb2a6231699f4fe3c9da36d001494b5
SHA1: a4293e7d2783e194b745e164451d0355be3a9ae9
SHA256: 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e
SHA512: e6fe76b1c270830ac47f1b67e4ef8d42d600083173c0bcb9ba70449e08754cf3b7379fad4ba172b4d88bdfef31b6a305f1f287c738ac5a1b7025ee1a4a198602
SSDEEP: 12288:QRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:lBpDRmi78gkPXlyo0G/jr
Malware Config
Signatures
Deletes itself 1 IoCs
pid | Process
1448 | cmd.exe

Executes dropped EXE 2 IoCs
pid | Process
1388 | Logo1_.exe
2596 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe

Loads dropped DLL 2 IoCs
pid | Process
1448 | cmd.exe
1448 | cmd.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre7\lib\zi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | Logo1_.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\sidebar.exe | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\DVD Maker\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\sidebar.exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini | Logo1_.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
File created | C:\Windows\Logo1_.exe | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
1388 | Logo1_.exe
1388 | Logo1_.exe
1388 | Logo1_.exe
1388 | Logo1_.exe
1388 | Logo1_.exe
1388 | Logo1_.exe
1388 | Logo1_.exe
1388 | Logo1_.exe
1388 | Logo1_.exe
1388 | Logo1_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2596 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeRestorePrivilege | 2596 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
Token: 35 | 2596 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe

Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 2172 wrote to memory of 1448 | 2172 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe | 28
PID 2172 wrote to memory of 1448 | 2172 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe | 28
PID 2172 wrote to memory of 1448 | 2172 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe | 28
PID 2172 wrote to memory of 1448 | 2172 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe | 28
PID 2172 wrote to memory of 1388 | 2172 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe | 30
PID 2172 wrote to memory of 1388 | 2172 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe | 30
PID 2172 wrote to memory of 1388 | 2172 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe | 30
PID 2172 wrote to memory of 1388 | 2172 | 33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe | 30
PID 1388 wrote to memory of 2980 | 1388 | Logo1_.exe | 31
PID 1388 wrote to memory of 2980 | 1388 | Logo1_.exe | 31
PID 1388 wrote to memory of 2980 | 1388 | Logo1_.exe | 31
PID 1388 wrote to memory of 2980 | 1388 | Logo1_.exe | 31
PID 2980 wrote to memory of 2620 | 2980 | net.exe | 33
PID 2980 wrote to memory of 2620 | 2980 | net.exe | 33
PID 2980 wrote to memory of 2620 | 2980 | net.exe | 33
PID 2980 wrote to memory of 2620 | 2980 | net.exe | 33
PID 1448 wrote to memory of 2596 | 1448 | cmd.exe | 34
PID 1448 wrote to memory of 2596 | 1448 | cmd.exe | 34
PID 1448 wrote to memory of 2596 | 1448 | cmd.exe | 34
PID 1448 wrote to memory of 2596 | 1448 | cmd.exe | 34
PID 1388 wrote to memory of 1192 | 1388 | Logo1_.exe | 21
PID 1388 wrote to memory of 1192 | 1388 | Logo1_.exe | 21
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1192

  2. C:\Users\Admin\AppData\Local\Temp\33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe"
     PID: 2172
     - Drops file in Windows directory
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\cmd.exe
       Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a786B.bat
       PID: 1448
       - Deletes itself
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Local\Temp\33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe"
         PID: 2596
         - Executes dropped EXE
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken

    3. C:\Windows\Logo1_.exe
       Command line: C:\Windows\Logo1_.exe
       PID: 1388
       - Executes dropped EXE
       - Enumerates connected drives
       - Drops file in Program Files directory
       - Drops file in Windows directory
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\SysWOW64\net.exe
         Command line: net stop "Kingsoft AntiVirus Service"
         PID: 2980
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\net1.exe
           Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
           PID: 2620
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 254KB
MD5: 6594c9dee8b3a34129af16b59eab751a
SHA1: 1edcd1a1f91ea569dedc1391610e2438b25dc3a1
SHA256: cb2c2d9ba31f305f280301882b6e859d27fc2210e2ab2a21232afb8a38d07571
SHA512: d53d9ec26500f4d4f2c19c036c57ef97d97b09f634a5772c7e31d088b22db508544beea563d50b51c336aef4ec737a9a39cf56f9df68676ff6e97900362541d3

Filesize: 474KB
MD5: 6f0ec1ca208b0521f58bcd694897df06
SHA1: 808a16d524301513af8ee772936f6bdcf41623a6
SHA256: 53b5d4205b0f2ae4ba0051244fffcaf0cfecbf78dfc448e4d2e68e53e15f15bf
SHA512: d8318484059a9988dae4b8a53d1ccec1a54ed825e1937d70fccc9bd26222a0c4b23718f368e6d193e6dd7b9d999e5e8d5f23717ea160468b6287004a722503f2

Filesize: 722B
MD5: e73bb8b1828c4df03339422830161389
SHA1: 76712bc03ae4217c4b9bec4f8fb14913acb76fda
SHA256: 25bb746d78496c36d6abe410990a8fec166b40b2b708986b873ca696a9b37a89
SHA512: 67b61bb88a6e28678ee3b17f4ce60e8496c5bcd90a2713c1a4eb059707f0f02bfdde52f14979e5576dc47eb1b284784e919eb7ae7688ecaedc8c036d244ce64c

C:\Users\Admin\AppData\Local\Temp\33ca50c4f96973afec1dac7bc22211b554b7a4a458e7272ad3d5b2fc7e6a229e.exe.exe
Filesize: 930KB
MD5: 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1: 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256: 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512: 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Filesize: 29KB
MD5: e138d7d47ace7dfa816f7ac64e8d4898
SHA1: 9d0be22461b768c1f2541e204d6b0de4e6de18d6
SHA256: 2cfdf912ecaf532855d684e10474a60243b5ed381d522669ee6c3c4ba0fffe75
SHA512: bbbcd2879ebe1e566ae56f98c45a76aad8f58201b791156328661b98a1adaa89b98e0e1888c1eac3052f298afad2b09da1817c1b8911fa2da77bc87e5927b568

Filesize: 9B
MD5: 588b2065b2adfd8dfd688104d02aad5a
SHA1: 263f0ca294d728a13f51220aea8123aa257cc6e2
SHA256: f9ab49edf14c6bda17287f7caa63d3b3bb20a65215f1462cf05577a5c1c472e6
SHA512: 99106035ac4547c81fd737f5f79ddd32ea10fde9e3ea97102472c871aa9f94ee3f68823bcc4bb308e92265a9c3cacd4b1f5c9f52f8d3e630cdf6bdcd3c737e2d