Analysis
max time kernel: 150s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/06/2024, 07:32
Static task: static1
Behavioral task: behavioral1
  Sample: 6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe
  Resource: win10v2004-20240508-en
General
Target: 6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe
Size: 1.6MB
MD5: 10412eb16380163f24eef3c9ec8086af
SHA1: 84e7ed7fbf5a564776924ae1bdf36b9038d8ffd2
SHA256: 6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b
SHA512: a96d1ac5ac76971fefea3bf8beac817d335400da76b5dacb885039585ac1a8ee2b5d64c6b0de83b647f19ad00925c6b7ed61dc78b5211ef54aa4555bfccebbb9
SSDEEP: 6144:cVfjmNNztkAzkAZqrEdrEAZUCwFjNNzRFG:e7+TNPqrEdrE7RFG
Malware Config
Signatures
- Executes dropped EXE 2 IoCs
  pid   Process
  1380  Logo1_.exe
  4236  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe
- Enumerates connected drives 3 TTPs 21 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)    Process: Logo1_.exe
  ioc: \??\K: \??\G: \??\E: \??\X: \??\P: \??\U: \??\T: \??\R: \??\N: \??\M: \??\L: \??\Z: \??\Y: \??\I: \??\S: \??\O: \??\J: \??\H: \??\W: \??\V: \??\Q:
- Drops file in Program Files directory 64 IoCs
- Drops file in Windows directory 4 IoCs
  description                   ioc                       Process
  File created                  C:\Windows\Logo1_.exe     6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe
  File opened for modification  C:\Windows\rundl132.exe   Logo1_.exe
  File created                  C:\Windows\vDll.dll       Logo1_.exe
  File created                  C:\Windows\rundl132.exe   6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses 20 IoCs
  pid   Process
  1380  Logo1_.exe (20 identical entries)
- Suspicious use of WriteProcessMemory 17 IoCs
  description                        pid   Process                                                                  procid_target
  PID 3008 wrote to memory of 1492   3008  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe   82  (3 entries)
  PID 3008 wrote to memory of 1380   3008  6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe   83  (3 entries)
  PID 1380 wrote to memory of 3972   1380  Logo1_.exe                                                               84  (3 entries)
  PID 3972 wrote to memory of 4208   3972  net.exe                                                                  87  (3 entries)
  PID 1492 wrote to memory of 4236   1492  cmd.exe                                                                  88  (3 entries)
  PID 1380 wrote to memory of 3412   1380  Logo1_.exe                                                               56  (2 entries)
Processes
PID 3412  C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE
  PID 3008  C:\Users\Admin\AppData\Local\Temp\6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe  "C:\Users\Admin\AppData\Local\Temp\6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID 1492  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6522.bat
      - Suspicious use of WriteProcessMemory
      PID 4236  C:\Users\Admin\AppData\Local\Temp\6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe  "C:\Users\Admin\AppData\Local\Temp\6f14b9eafd138cac9f2ab3edccb0b7a2cb20fde19300d017cba254bf7ffa904b.exe"
        - Executes dropped EXE
    PID 1380  C:\Windows\Logo1_.exe  C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID 3972  C:\Windows\SysWOW64\net.exe  net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID 4208  C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads