Analysis
max time kernel: 100s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 10/06/2024, 06:34
Static task: static1
Behavioral task: behavioral1
  Sample: c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
  Resource: win10v2004-20240426-en
General
Target: c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
Size: 383KB
MD5: b1372b6597ab5020cf03ccfe6ac47903
SHA1: 428b31e9082cd1e00899c24533f700f3ce50ed31
SHA256: c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4
SHA512: 6f51363bb8a7edf24699a07157d2892356bac1071b3ba8b220e5118164ef571e511844df23e98cc5dcd98c65d6ff80508df8c86756bacdcd01eea9967912dae7
SSDEEP: 6144:nVfjmNKJlrpfX7TME2xdQ1LziCOONeswO/xVn84f:V7+CPXsdWzimJ/P8o
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2264, Process cmd.exe
Executes dropped EXE (2 IoCs)
  pid 2140, Process Logo1_.exe
  pid 2608, Process c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
Loads dropped DLL (2 IoCs)
  pid 2264, Process cmd.exe
  pid 2264, Process cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\S:, \??\I:, \??\W:, \??\T:, \??\E:, \??\K:, \??\H:, \??\R:, \??\P:, \??\O:, \??\M:, \??\L:, \??\J:, \??\Z:, \??\Y:, \??\U:, \??\Q:, \??\N:, \??\G:, \??\X:, \??\V:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  File created C:\Windows\rundl132.exe by c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
  File created C:\Windows\Logo1_.exe by c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
  File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  File created C:\Windows\vDll.dll by Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2140, Process Logo1_.exe (10 identical events)
Suspicious use of WriteProcessMemory (22 IoCs)
  PID 1732 (c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe) wrote to memory of 2264, procid_target 28 (4 events)
  PID 1732 (c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe) wrote to memory of 2140, procid_target 29 (4 events)
  PID 2264 (cmd.exe) wrote to memory of 2608, procid_target 32 (4 events)
  PID 2140 (Logo1_.exe) wrote to memory of 2740, procid_target 31 (4 events)
  PID 2740 (net.exe) wrote to memory of 2732, procid_target 34 (4 events)
  PID 2140 (Logo1_.exe) wrote to memory of 1180, procid_target 21 (2 events)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Level 1, PID 1180
  C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe"
    Level 2, PID 1732
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a770.bat
      Level 3, PID 2264
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe"
        Level 4, PID 2608
        Signatures: Executes dropped EXE
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Level 3, PID 2140
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Level 4, PID 2740
        Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Level 5, PID 2732
Network
MITRE ATT&CK Enterprise v15
Downloads