Resubmissions
03-06-2024 05:32 240603-f8hxzaed72

Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 00:43

Static task: static1
Behavioral task: behavioral1
Sample: 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe
Resource: win7-20240508-en
General
Target: 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe
Size: 368KB
MD5: 6d857a11a566aeb55a9f14ee68d12a7b
SHA1: 0cb7364b97ef764c1d888b547eb7815ff8a80f85
SHA256: 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc
SHA512: e379dc85c39c84760c951cb13bf1f663220870eac87369854eb4983cfc89abf95fab6d0c9cd56f33c7bc6609b981f854b9a77a35cd8d4b8fbc806f62c2b99d1f
SSDEEP: 6144:n1qe1ISTzU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:n1quIwU66b5zhVymA/XSRh
Malware Config

Signatures
- Deletes itself (1 IoC)
  Processes: pid 2644 cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes: pid 2740 Logo1_.exe; pid 1396 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 2644 cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Logo1_.exe, file opened (read-only): \??\R:, \??\N:, \??\J:, \??\H:, \??\X:, \??\W:, \??\O:, \??\L:, \??\E:, \??\Y:, \??\V:, \??\S:, \??\Q:, \??\K:, \??\I:, \??\G:, \??\Z:, \??\U:, \??\T:, \??\P:, \??\M:
- Drops file in Program Files directory (64 IoCs)
  Processes: Logo1_.exe
- Drops file in Windows directory (4 IoCs)
  Processes (description, ioc, process):
  File created, C:\Windows\Dll.dll, Logo1_.exe
  File created, C:\Windows\rundl132.exe, 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe
  File created, C:\Windows\Logo1_.exe, 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe
  File opened for modification, C:\Windows\rundl132.exe, Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
  Processes: pid 2140 5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe; pid 2740 Logo1_.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (source pid, source process, target pid, target process):
  PID 2140 (5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe) wrote to memory of 1712 (net.exe)
  PID 1712 (net.exe) wrote to memory of 1276 (net1.exe)
  PID 2140 (5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe) wrote to memory of 2644 (cmd.exe)
  PID 2140 (5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe) wrote to memory of 2740 (Logo1_.exe)
  PID 2740 (Logo1_.exe) wrote to memory of 2540 (net.exe)
  PID 2644 (cmd.exe) wrote to memory of 1396 (5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe)
  PID 2540 (net.exe) wrote to memory of 2568 (net1.exe)
  PID 2740 (Logo1_.exe) wrote to memory of 2772 (net.exe)
  PID 2772 (net.exe) wrote to memory of 2776 (net1.exe)
  PID 2740 (Logo1_.exe) wrote to memory of 1196 (Explorer.EXE)
Processes
- C:\Windows\Explorer.EXE (PID 1196)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe (PID 2140)
    command line: "C:\Users\Admin\AppData\Local\Temp\5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe"
    Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1712)
      command line: net stop "Kingsoft AntiVirus Service"
      Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 1276)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 2644)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1999.bat
      Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe (PID 1396)
        command line: "C:\Users\Admin\AppData\Local\Temp\5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe"
        Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 2740)
      command line: C:\Windows\Logo1_.exe
      Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2540)
        command line: net stop "Kingsoft AntiVirus Service"
        Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2568)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 2772)
        command line: net stop "Kingsoft AntiVirus Service"
        Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2776)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 478KB
  MD5: 5e54b5419052a6321d15fe6088be5258
  SHA1: 420003c0ad68fa2b977bee9e2ca2d1a53f8f1ec2
  SHA256: 142a70f95c82ea8acba8d3550273a20411a5b82f6d1b1c9657db51c3f83d5d97
  SHA512: 6d2d2025ed17d6f730d3fbb3a5549e60cfe951c7d9e0063f4ecca045ee28a375eac11fb9aa9cc484b181369165a0f7abae967807bad16aac0e4b60b7a8092f71
- Filesize: 722B
  MD5: 3f3b51c63c14ee592360045156f61549
  SHA1: 296039d00b5cc1a6e4f2cc0f6f6582351c767c2b
  SHA256: ef8861701f4e1a743785be6d72d5e3f5e5fc6481671e04a95c1b22efb1c7bc7b
  SHA512: 3f1aee9b5ecd496f55255f9cac4aa9e21d3116da15a91bf7ee835a018fc54d7717b4977f568135c90aba58911930e7e6fd953ec29eb2d71041ceca018b944a67
- C:\Users\Admin\AppData\Local\Temp\5628df40dadaa39660521577b549537c23e129593a7584c55c008f62f7f6efdc.exe.exe
  Filesize: 335KB
  MD5: 40ac62c087648ccc2c58dae066d34c98
  SHA1: 0e87efb6ddfe59e534ea9e829cad35be8563e5f7
  SHA256: 482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916
  SHA512: 0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f
- Filesize: 33KB
  MD5: 005782dec3941236334d871c5153fbf3
  SHA1: c973a6811e47002ccb7c48911cf58d9b0f15c990
  SHA256: def563a72f35ff1bd5d55bb4d8db6b098975b14f9f0a1e6c099415dda5887103
  SHA512: 235604f421d5596f55f22ce59116a6975c527b433c26630c8a0aed7089710a9b4a781db2eae71eb93e7917ed4cf154554bbf37fa2ea4c7c0aaaa7737d96f2933
- Filesize: 8B
  MD5: 378d822ce12583d0d584184af22d1d77
  SHA1: c062ac770b028df6db676099e02f09fc2f77b171
  SHA256: 1ad01f8e46c86dfa34468e306eabe54b58d56134130b53ea7677961e3baaf6c7
  SHA512: 23cf7b916de734c6bb6fd3b2beee21f3e82bc95e93d8662dca818d7cf13602706f22671dce61388b2a7e0b613c07c70512331c4132759b16cf438cb1750bc397