Analysis
-
max time kernel
149s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10/06/2024, 06:29
Static task
static1
Behavioral task
behavioral1
Sample
66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe
Resource
win10v2004-20240508-en
General
-
Target
66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe
-
Size
5.7MB
-
MD5
ffdedf9f01400fa60aec00a05f2fe5b8
-
SHA1
ea5f90c4a7a9845aed022a6c1e43950fc1476e5c
-
SHA256
66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf
-
SHA512
07f1cb62dcc38a7dfc2e116df0d7657892c447dfdcace523533281a4b4b2ac2a0840e8cfe7d419d7aaea4b8826f15f14a46f36164a511af4c71ecec02a0e7db0
-
SSDEEP
49152:jPv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:rKUgTH2M2m9UMpu1QfLczqssnKSk
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2400 Logo1_.exe 1620 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\MSBuild\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Reference Assemblies\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe File created C:\Windows\Logo1_.exe 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe 2400 Logo1_.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4996 wrote to memory of 2296 4996 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe 82 PID 4996 wrote to memory of 2296 4996 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe 82 PID 4996 wrote to memory of 2296 4996 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe 82 PID 4996 wrote to memory of 2400 4996 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe 83 PID 4996 wrote to memory of 2400 4996 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe 83 PID 4996 wrote to memory of 2400 4996 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe 83 PID 2400 wrote to memory of 4404 2400 Logo1_.exe 85 PID 2400 wrote to memory of 4404 2400 Logo1_.exe 85 PID 2400 wrote to memory of 4404 2400 Logo1_.exe 85 PID 4404 wrote to memory of 1624 4404 net.exe 87 PID 4404 wrote to memory of 1624 4404 net.exe 87 PID 4404 wrote to memory of 1624 4404 net.exe 87 PID 2400 wrote to memory of 3412 2400 Logo1_.exe 56 PID 2400 wrote to memory of 3412 2400 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3412
-
C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe"C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5004.bat3⤵PID:2296
-
C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe"C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe"4⤵
- Executes dropped EXE
PID:1620
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:1624
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD59fff503fad7fa1d9cc7453fdf86ff0e0
SHA1f9b728ba2e8bf2b3a570583f06b0fd7e9fce4ef2
SHA256826148f8b31a5372a71adf8f51961e1b59de63c8865393feffb99ece5e113147
SHA512c00773863ea4b6d88ba1c5a9dcfd2f1033e540c854f2f041bb193f367a9153d54d9fcec0c71e4e9834bbe98a6a5be030b045d34e3b54d69cddfd4d427895af4f
-
Filesize
448KB
MD58d8715c87a2cb853487aea6cd7400bde
SHA185bbc8edd7f5a99cf13e75e2df48c0d41e62fa7f
SHA256d3b5c031761699a91b97afb5aab4c5a651810612ac4caaa38fc9adcf4be95080
SHA512052307804dec7d1bf2fb99e297ddef910f8d42dcbd4106eb3c84c4a5980e896d936e0f25422dd2ed5190174fc920a18c7e589b18b321bdd57280c67e10f76b59
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize639KB
MD5c168f1400f09b767044170c5c0603287
SHA1806b134d2145304a602bc358c2664cc266a52aeb
SHA25605d52614bdae4496eb435a35b3eb91cc424abb582fdaaae8a8f96a3cf34e2676
SHA512532f698580361daa78290a7871c1a58fd6e9a445ec78224f7b90bea454fb15183eaa9cee1ef9dcf3fb30a56b5fa6e57de67b817fe04cd5bd61ca5e6710f8f9a1
-
Filesize
722B
MD562019ba06e7040e9d87bba27d275af85
SHA1a5b867ff91f4b93c4cfc38d982a485a678241f20
SHA25629ae213d49e96668e3657b7205617964b9ba4b6a3385dab2873be0224cb57403
SHA51212199f6648b2721d6bcea96fd3f4093419bef848b94929500d8f371a898b771396a3f83fe0a0b804faf8ff01d752748997d57d40427bd4aebd9a16ef77acf4f3
-
C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe.exe
Filesize5.7MB
MD5ba18e99b3e17adb5b029eaebc457dd89
SHA1ec0458f3c00d35b323f08d4e1cc2e72899429c38
SHA256f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628
SHA5121f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c
-
Filesize
29KB
MD5ba189b5e31c56a2e16e9c7accf623760
SHA152470f4d5e556832e9e4ff4625751ae62219d0ee
SHA256037c1fc35982012dddedd497646d12ef35654415a14d4bbd467dca672954a3ed
SHA5128da8c08b8af3450f715d2a04b492f2f459a93695bdf7514441705d041d5aba0df6edbb7a5e69e9a8bcbabd9f3c692e2522365ef2e889db3857043118c6df05b0
-
Filesize
9B
MD560b1ffe4d5892b7ae054738eec1fd425
SHA180d4e944617f4132b1c6917345b158f3693f35c8
SHA2565e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA5127f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc