Analysis

max time kernel: 143s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 09/06/2024, 07:32

Static task: static1

Behavioral task: behavioral1
Sample: 6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe
Resource: win10v2004-20240508-en
General

Target: 6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe
Size: 1.6MB
MD5: 10412eb16380163f24eef3c9ec8086af
SHA1: 84e7ed7fbf5a564776924ae1bdf36b9038d8ffd2
SHA256: 6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b
SHA512: a96d1ac5ac76971fefea3bf8beac817d335400da76b5dacb885039585ac1a8ee2b5d64c6b0de83b647f19ad00925c6b7ed61dc78b5211ef54aa4555bfccebbb9
SSDEEP: 6144:cVfjmNNztkAzkAZqrEdrEAZUCwFjNNzRFG:e7+TNPqrEdrE7RFG
Malware Config

Signatures

Deletes itself (1 IoC)
  pid   Process
  2368  cmd.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  1680  Logo1_.exe
  2624  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2368  cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\M:  Logo1_.exe
  File opened (read-only)  \??\J:  Logo1_.exe
  File opened (read-only)  \??\H:  Logo1_.exe
  File opened (read-only)  \??\G:  Logo1_.exe
  File opened (read-only)  \??\X:  Logo1_.exe
  File opened (read-only)  \??\P:  Logo1_.exe
  File opened (read-only)  \??\T:  Logo1_.exe
  File opened (read-only)  \??\O:  Logo1_.exe
  File opened (read-only)  \??\N:  Logo1_.exe
  File opened (read-only)  \??\E:  Logo1_.exe
  File opened (read-only)  \??\W:  Logo1_.exe
  File opened (read-only)  \??\U:  Logo1_.exe
  File opened (read-only)  \??\R:  Logo1_.exe
  File opened (read-only)  \??\Q:  Logo1_.exe
  File opened (read-only)  \??\L:  Logo1_.exe
  File opened (read-only)  \??\Y:  Logo1_.exe
  File opened (read-only)  \??\S:  Logo1_.exe
  File opened (read-only)  \??\K:  Logo1_.exe
  File opened (read-only)  \??\I:  Logo1_.exe
  File opened (read-only)  \??\Z:  Logo1_.exe
  File opened (read-only)  \??\V:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\vDll.dll      Logo1_.exe
  File created                  C:\Windows\rundl132.exe  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe
  File created                  C:\Windows\Logo1_.exe    6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  1680  Logo1_.exe
  1680  Logo1_.exe
  1680  Logo1_.exe
  1680  Logo1_.exe
  1680  Logo1_.exe
  1680  Logo1_.exe
  1680  Logo1_.exe
  1680  Logo1_.exe
  1680  Logo1_.exe
  1680  Logo1_.exe
Suspicious use of WriteProcessMemory (22 IoCs)
  description                         pid   Process                                                                 procid_target
  PID 2176 wrote to memory of 2368    2176  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe  28
  PID 2176 wrote to memory of 2368    2176  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe  28
  PID 2176 wrote to memory of 2368    2176  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe  28
  PID 2176 wrote to memory of 2368    2176  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe  28
  PID 2176 wrote to memory of 1680    2176  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe  29
  PID 2176 wrote to memory of 1680    2176  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe  29
  PID 2176 wrote to memory of 1680    2176  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe  29
  PID 2176 wrote to memory of 1680    2176  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe  29
  PID 1680 wrote to memory of 2572    1680  Logo1_.exe                                                              31
  PID 1680 wrote to memory of 2572    1680  Logo1_.exe                                                              31
  PID 1680 wrote to memory of 2572    1680  Logo1_.exe                                                              31
  PID 1680 wrote to memory of 2572    1680  Logo1_.exe                                                              31
  PID 2368 wrote to memory of 2624    2368  cmd.exe                                                                 34
  PID 2368 wrote to memory of 2624    2368  cmd.exe                                                                 34
  PID 2368 wrote to memory of 2624    2368  cmd.exe                                                                 34
  PID 2368 wrote to memory of 2624    2368  cmd.exe                                                                 34
  PID 2572 wrote to memory of 2652    2572  net.exe                                                                 33
  PID 2572 wrote to memory of 2652    2572  net.exe                                                                 33
  PID 2572 wrote to memory of 2652    2572  net.exe                                                                 33
  PID 2572 wrote to memory of 2652    2572  net.exe                                                                 33
  PID 1680 wrote to memory of 1196    1680  Logo1_.exe                                                              21
  PID 1680 wrote to memory of 1196    1680  Logo1_.exe                                                              21
Processes

- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  PID: 1196
  - C:\Users\Admin\AppData\Local\Temp\6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe"
    PID: 2176
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD3A.bat
      PID: 2368
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe"
        PID: 2624
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (depth 3)
      Command line: C:\Windows\Logo1_.exe
      PID: 1680
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (depth 4)
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2572
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (depth 5)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2652
Network
MITRE ATT&CK Enterprise v15
Downloads