Analysis
-
max time kernel
111s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10/06/2024, 06:29
Static task
static1
Behavioral task
behavioral1
Sample
0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe
Resource
win10v2004-20240226-en
General
-
Target
0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe
-
Size
954KB
-
MD5
2504e1898b774412970a40eb0384e6d0
-
SHA1
a66afeeb56ea11fa6c848a68c27e0e3a4b5c40dc
-
SHA256
0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a
-
SHA512
3526593c39da3445051b764331a1b02d2e2223ae52e45abd53b836b7e4f100c004adbda1a487aeb6b1a9a37ea5595e44299ae59ac36559c5db2cc72adb484c04
-
SSDEEP
24576:r7cvC8GHhLAMrIYnoa0upI3H/Po63LjUcF1/:r7cvCPGMhn8Pb7
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3104 Logo1_.exe 2780 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe Logo1_.exe File created C:\Program Files\Java\jre-1.8\lib\images\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jre-1.8\lib\images\cursors\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\legal\javafx\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe Logo1_.exe File created C:\Program Files\Java\jre-1.8\lib\management\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\_desktop.ini Logo1_.exe File created C:\Program Files\Google\Chrome\Application\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jre-1.8\lib\applet\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\amd64\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Google\Chrome\Application\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe Logo1_.exe File created C:\Program Files\Java\jdk-1.8\include\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe Logo1_.exe File created C:\Program Files\dotnet\shared\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\bin\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jre-1.8\lib\jfr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jre-1.8\bin\server\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\host\fxr\6.0.25\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe Logo1_.exe File opened for modification C:\Program Files\dotnet\host\fxr\6.0.25\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe Logo1_.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\server\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe File created C:\Windows\Logo1_.exe 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe 3104 Logo1_.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 4060 wrote to memory of 100 4060 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe 91 PID 4060 wrote to memory of 100 4060 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe 91 PID 4060 wrote to memory of 100 4060 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe 91 PID 4060 wrote to memory of 3104 4060 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe 92 PID 4060 wrote to memory of 3104 4060 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe 92 PID 4060 wrote to memory of 3104 4060 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe 92 PID 3104 wrote to memory of 1956 3104 Logo1_.exe 94 PID 3104 wrote to memory of 1956 3104 Logo1_.exe 94 PID 3104 wrote to memory of 1956 3104 Logo1_.exe 94 PID 100 wrote to memory of 2780 100 cmd.exe 96 PID 100 wrote to memory of 2780 100 cmd.exe 96 PID 100 wrote to memory of 2780 100 cmd.exe 96 PID 1956 wrote to memory of 3760 1956 net.exe 97 PID 1956 wrote to memory of 3760 1956 net.exe 97 PID 1956 wrote to memory of 3760 1956 net.exe 97 PID 3104 wrote to memory of 3376 3104 Logo1_.exe 57 PID 3104 wrote to memory of 3376 3104 Logo1_.exe 57
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe"C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD532.bat3⤵
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe"C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe"4⤵
- Executes dropped EXE
PID:2780
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:3760
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:81⤵PID:3916
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD5099be1f135daaba3e2a8198ee3502b2a
SHA1a792724c7592d07434bfc6ed5151f23966e73924
SHA256773c644013e8b8fe0321403099693f0ab941283b381a178716049afc92cb63a1
SHA512371f1d56f64091b3c0b08353797e353f22b2e73423243ea2ef5a9d91853331e90d2512e591163100c68df38549912b87a13abbb2c5520684b44ee2032e935366
-
Filesize
570KB
MD5badb9005aff0ac965a63969ff04438f9
SHA14ed0a9f6b83e0aca5c3807a83cb17d2fd7e5d165
SHA2567e9d99e9ba0e2bce9e46c3d7a757c5abcce5491143fc6288a21d4cac6849b67c
SHA512fe17f00e6e35dd81862a82afd2a396c159d2b090b6fee235b268f9feacf9aec58113a355a04f5f368230bea77548890ae38a287bf626e03d029f293158c59687
-
Filesize
722B
MD5fecbb5904927d913c7b39c5b700072ea
SHA10470f24d58de892788f8f438911ade8158d74f26
SHA256c392991de4e550cdfc97408f8c4daa06e471f0bbd746b4230dde0f5d93c9570d
SHA512e69e312d7de6edce12c806bf3b5ae4ccb3d3e114738e3d43baecc4570bcda2101d662cb517d03eaf0aaab265b65f4c9c7c97829a4b418232a6c1961256849fbd
-
C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe.exe
Filesize928KB
MD59ae85ec1fa398ef12c39c3e2d466c503
SHA15beb85be6228b5dc0f34cf7375bcf4d9f83fa06a
SHA2566ee75ac40a41d2717762117cd9649ed1780aa67769dbbb84ef508b76d75a19c3
SHA5122e0b1e79c34209fd9c3e2b65da62d370225b7499c57cb0a7bf5c306e7f99a0ad6493b493eeca99a460ba051b907517c9423cff46ea80b13f1081144849fad7eb
-
Filesize
26KB
MD57c15205a07dd533f95522e5ffdfea7c4
SHA169ca1e1a8b842a8795c164376518add592d6b63b
SHA256dd66c57aa3dab4a1879b1cbf49e4bb77df174a145cd3b7adbe021ab3f02795db
SHA512d388c426086a683dd50d18cdf3151ee8b62f5b057dd73a4eba56c5866b2b09c10dba2e7501ee2972f69782f08fdca13b7c37eb887f95c6de2f5622b982d74f65
-
Filesize
9B
MD560b1ffe4d5892b7ae054738eec1fd425
SHA180d4e944617f4132b1c6917345b158f3693f35c8
SHA2565e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA5127f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc