Analysis

max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 06:34
Static task: static1
Behavioral task: behavioral1
  Sample: c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
  Resource: win10v2004-20240426-en
General

Target: c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
Size: 383KB
MD5: b1372b6597ab5020cf03ccfe6ac47903
SHA1: 428b31e9082cd1e00899c24533f700f3ce50ed31
SHA256: c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4
SHA512: 6f51363bb8a7edf24699a07157d2892356bac1071b3ba8b220e5118164ef571e511844df23e98cc5dcd98c65d6ff80508df8c86756bacdcd01eea9967912dae7
SSDEEP: 6144:nVfjmNKJlrpfX7TME2xdQ1LziCOONeswO/xVn84f:V7+CPXsdWzimJ/P8o
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 4044  Logo1_.exe
  pid 2900  c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Drops file in Program Files directory (64 IoCs)
  All 64 operations are performed by Logo1_.exe. Three of the targets are existing executables opened for modification (javacpl.exe, firefox.exe, createdump.exe); the remaining 61 are `_desktop.ini` files created or modified across Program Files, Program Files (x86) and WindowsApps package directories.
  File opened for modification: C:\Program Files\Java\jre-1.8\bin\javacpl.exe
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\_desktop.ini
  File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\_desktop.ini
  File opened for modification: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\_desktop.ini
  File opened for modification: C:\Program Files\Microsoft Office 15\ClientX64\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\_desktop.ini
  File created: C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\tr-tr\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\_desktop.ini
  File created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\pt-br\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-sl\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\_desktop.ini
  File created: C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini
  File opened for modification: C:\Program Files\Google\Chrome\Application\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\_desktop.ini
  File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-ma\_desktop.ini
  File opened for modification: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe
  File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\View3d\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\_desktop.ini
  File created: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\_desktop.ini
- Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\rundl132.exe (by c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe)
  File created: C:\Windows\Logo1_.exe (by c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe)
  File opened for modification: C:\Windows\rundl132.exe (by Logo1_.exe)
  File created: C:\Windows\vDll.dll (by Logo1_.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid 4044  Logo1_.exe (all 20 entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1528 (c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe) wrote to memory of PID 2612 (cmd.exe); procid_target 83; 3 entries
  PID 1528 (c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe) wrote to memory of PID 4044 (Logo1_.exe); procid_target 84; 3 entries
  PID 4044 (Logo1_.exe) wrote to memory of PID 2696 (net.exe); procid_target 86; 3 entries
  PID 2696 (net.exe) wrote to memory of PID 448 (net1.exe); procid_target 88; 3 entries
  PID 2612 (cmd.exe) wrote to memory of PID 2900 (c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe); procid_target 89; 2 entries
  PID 4044 (Logo1_.exe) wrote to memory of PID 3412 (Explorer.EXE); procid_target 56; 2 entries
  Note: the first five pairs are parent-to-child writes, which also occur during ordinary process creation; the last pair is different in kind, as Logo1_.exe writes into Explorer.EXE (PID 3412), the process at the top of the tree and not one of its children.
Processes

- C:\Windows\Explorer.EXE (PID 3412)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe (PID 1528)
    command line: "C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2612)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a688D.bat
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe (PID 2900)
        command line: "C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe"
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 4044)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2696)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 448)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

The image paths resolve to SysWOW64 while the command lines name system32: the chain runs as 32-bit processes, and the WOW64 file-system redirector maps system32 to SysWOW64 for them. Hunting rules that match only on the command-line path will miss the actual image.
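The behaviour chain above (batch file launched from Temp, a binary dropped into C:\Windows and executed, net stop against a security service, and a write into a non-child process) can be expressed as detection rules over process telemetry. The block below is an added example, not tooling from the report or the sandbox: the process, file-create and cross-process-write events are constructed from the PIDs, images and command lines shown on this page in a Sysmon-like shape, and the service-name keyword list is an assumption, since the report shows only one service being stopped.

```python
"""Detection rules for the process chain in this report, run over constructed
Sysmon-style events.  Added example; the event records are built from the
report's process tree and are not real telemetry."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe")

# Constructed process-creation events (Sysmon Event ID 1 style), from the tree above.
PROCESSES = [
    {"pid": 3412, "ppid": 0,    "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1528, "ppid": 3412, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2612, "ppid": 1528, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a688D.bat"},
    {"pid": 2900, "ppid": 2612, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4044, "ppid": 1528, "image": r"C:\Windows\Logo1_.exe", "cmdline": r"C:\Windows\Logo1_.exe"},
    {"pid": 2696, "ppid": 4044, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 448,  "ppid": 2696, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
]
# Constructed file-create events (Sysmon Event ID 11 style), from "Drops file in Windows directory".
FILE_CREATES = [
    {"pid": 1528, "path": r"C:\Windows\rundl132.exe"},
    {"pid": 1528, "path": r"C:\Windows\Logo1_.exe"},
    {"pid": 4044, "path": r"C:\Windows\vDll.dll"},
]
# Constructed (source pid, target pid) pairs from "Suspicious use of WriteProcessMemory", deduplicated.
PROCESS_WRITES = [(1528, 2612), (1528, 4044), (4044, 2696), (2696, 448), (2612, 2900), (4044, 3412)]

USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
WINDOWS_ROOT = re.compile(r"^c:\\windows\\[^\\]+$", re.I)  # directly in C:\Windows, no subdirectory
# Assumption: the report shows only "Kingsoft AntiVirus Service"; this list generalises it.
SECURITY_KEYWORDS = ("antivirus", "anti-virus", "security", "defender")


def detect(processes, file_creates, process_writes):
    """Return (rule, pid, detail) tuples for every rule that fires."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []

    # R1: a process running from the user's Temp directory runs cmd.exe /c on a .bat in Temp.
    for p in processes:
        parent = by_pid.get(p["ppid"])
        if parent and USER_TEMP.match(parent["image"]) and p["image"].lower().endswith("\\cmd.exe"):
            m = re.search(r"/c\s+(\S+\.bat)", p["cmdline"], re.I)
            if m and USER_TEMP.match(m.group(1)):
                hits.append(("R1_temp_batch", p["pid"], m.group(1)))

    # R2: an executable written directly into C:\Windows is later the image of a new process.
    dropped = {f["path"].lower() for f in file_creates if WINDOWS_ROOT.match(f["path"])}
    for p in processes:
        if p["image"].lower() in dropped:
            hits.append(("R2_dropped_in_windows_executed", p["pid"], p["image"]))

    # R3: net.exe / net1.exe stopping a service whose name looks like a security product.
    for p in processes:
        if not p["image"].lower().endswith(("\\net.exe", "\\net1.exe")):
            continue
        m = re.search(r'\bstop\s+"?([^"]+)"?\s*$', p["cmdline"], re.I)
        if m and any(k in m.group(1).lower() for k in SECURITY_KEYWORDS):
            hits.append(("R3_stop_security_service", p["pid"], m.group(1).strip()))

    # R4: a cross-process write whose target is not a child of the writer.
    # Parent-to-child writes happen during normal process creation, so only the
    # non-child case is flagged here.
    for src, dst in process_writes:
        target = by_pid.get(dst)
        if target is None or target["ppid"] != src:
            hits.append(("R4_write_to_non_child", src, dst))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCESSES, FILE_CREATES, PROCESS_WRITES):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Run on the constructed events, R1 fires on cmd.exe (PID 2612), R2 on Logo1_.exe (PID 4044), R3 on both net.exe and net1.exe, and R4 only on the Logo1_.exe write into Explorer.EXE (PID 3412). R4 is the rule worth keeping strict: writes from a parent into a freshly created child are routine, so the signal is the target's position in the tree, not the API call itself.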
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 251KB
  MD5: f94afa1cae163777a4ead07058d9b026
  SHA1: f9076e8e06e3f5eaf76ce771473be0b0045fc3e9
  SHA256: cd34b8f29d1c48674d4079c529efef3554200bfcef576bb55a2e3f03ce0f2362
  SHA512: 54be6fb01f76381ecde1f9cbe7d8d80f23622833bd89e6cfd3506942aa19387acf77c9b96fb6b3375f83158c51c2b6369071a155cb084f2f92cc4ae3286c4f18
- Filesize: 570KB
  MD5: a964e08fd0a647bcefec2700384f64f2
  SHA1: efbd5172da29dad460b6db2931ba6ca15c64f229
  SHA256: 043177ace13169a9e2db63140168b5964b8cc16fe018d411966ad36f3d796daa
  SHA512: b7ebbb3aed8244ea6da59fac99d128e18efc6add29d972d05489db2cb19e2792e905ecf7a164de9dc4299a62fc87c698bb4f8cda0dc7b54620f8b96d28b10242
- C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  Filesize: 636KB
  MD5: 2500f702e2b9632127c14e4eaae5d424
  SHA1: 8726fef12958265214eeb58001c995629834b13a
  SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
  SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c
- Filesize: 722B
  MD5: 63916397f955683998a1fe2d0caf0276
  SHA1: b69cd86b370e871905833c33e4e5805378c4dd3c
  SHA256: 9737e1c9427010e423a0fce3a8e957de8f55c7f3873c9f8b49b4f46f0845b178
  SHA512: 402e115660e981259d09bbca385262ecbd79acf28497b4ef627c96a99fc749b93713697aaf42d1f38e86b45997192f8fd1e059927fd3a56540516df089409988
- C:\Users\Admin\AppData\Local\Temp\c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4.exe.exe
  Filesize: 357KB
  MD5: 27d23ccc82e864992f272c4e04609074
  SHA1: 328a01ecd907aaa0f95ae1493b3d8bc28525ffdb
  SHA256: b413c90fbf077c9482c3ccf49be8a802883818d6d4240e0526b2cce88e520121
  SHA512: f1b54de6766fe0ffc221697e8a17f92c953d3c65d64a7b80e2b8d16dc12774f3a65274b0f241e2c081e44987c96dee9f82873f093742ce2018f765e5800a4b85
- Filesize: 26KB
  MD5: d1bd53e7079e1416e563b6787c74f3f8
  SHA1: dfbb7850f591cc74bcbe86418b5ef11522e9e7b0
  SHA256: b4a3413d2027dc45862a0959c413db5f6b7e932c3c61660c2c3df78804d1db2e
  SHA512: bacb9edc071341e8ea9dfd8309126f1bc29dbcc9b0cb4a9212b9ad6f6381bc2aae8f9c300eeb3e17e1519d90456e651270e316497daa5ed0f23b69a10fdd129f
- Filesize: 9B
  MD5: 60b1ffe4d5892b7ae054738eec1fd425
  SHA1: 80d4e944617f4132b1c6917345b158f3693f35c8
  SHA256: 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
  SHA512: 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc
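A host-side sweep for the file artefacts this report names: the three files dropped directly into C:\Windows, the `_desktop.ini` marker files scattered under Program Files, and the SHA256 values from the General and Downloads sections. This is an added example, not the report's or the sandbox's tooling. It walks a mirror of the C: drive; for the runnable demo that mirror is a constructed temporary directory with dummy bytes at the reported paths, and the one hash hit it produces is a constructed digest registered alongside the real ones, since the real files are not present.

```python
"""Sweep a mirror of C:\ for the artefacts listed in this report.
Added example; the demo tree is constructed in a temp directory."""
import hashlib
import os
import tempfile

# SHA256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "c4387172b5c812b26ca2d7055541a73822b88ca284945aa7956655903d0739a4": "submitted sample (383KB)",
    "cd34b8f29d1c48674d4079c529efef3554200bfcef576bb55a2e3f03ce0f2362": "dropped file (251KB)",
    "043177ace13169a9e2db63140168b5964b8cc16fe018d411966ad36f3d796daa": "dropped file (570KB)",
    "82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c": "windowsdesktop-runtime-8.0.2-win-x64.exe (636KB)",
    "9737e1c9427010e423a0fce3a8e957de8f55c7f3873c9f8b49b4f46f0845b178": "dropped file (722B)",
    "b413c90fbf077c9482c3ccf49be8a802883818d6d4240e0526b2cce88e520121": "c4387172...d0739a4.exe.exe (357KB)",
    "b4a3413d2027dc45862a0959c413db5f6b7e932c3c61660c2c3df78804d1db2e": "dropped file (26KB)",
    "5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4": "dropped file (9B)",
}
# Names written directly into C:\Windows per "Drops file in Windows directory".
WINDOWS_DROPS = {"rundl132.exe", "logo1_.exe", "vdll.dll"}
PROGRAM_DIRS = {"program files", "program files (x86)"}


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known=KNOWN_SHA256):
    """Walk a mirror of C:\ rooted at `root`; return (kind, relative path, detail) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            parts = rel.lower().split(os.sep)
            low = name.lower()
            # 1. the dropper names, only when they sit directly in <root>\Windows
            if len(parts) == 2 and parts[0] == "windows" and low in WINDOWS_DROPS:
                findings.append(("windows_drop", rel, "name listed in report"))
            # 2. Windows' own folder-customisation file is desktop.ini; the
            #    underscore-prefixed _desktop.ini is the marker this sample writes.
            if low == "_desktop.ini" and parts[0] in PROGRAM_DIRS:
                findings.append(("underscore_desktop_ini", rel, "marker file"))
            # 3. content match against the report's hashes
            digest = sha256_of(full)
            if digest in known:
                findings.append(("hash_match", rel, known[digest]))
    return findings


def build_demo_tree():
    """Constructed layout: dummy bytes at paths the report names, plus one legitimate desktop.ini."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    layout = {
        os.path.join("Windows", "Logo1_.exe"): b"constructed dummy Logo1_",
        os.path.join("Windows", "rundl132.exe"): b"constructed dummy rundl132",
        os.path.join("Windows", "vDll.dll"): b"constructed dummy vDll",
        os.path.join("Program Files", "Mozilla Firefox", "gmp-clearkey", "_desktop.ini"): b"[.ShellClassInfo]",
        os.path.join("Program Files (x86)", "Adobe", "Acrobat Reader DC", "Reader", "Tracker", "_desktop.ini"): b"",
        os.path.join("Program Files", "VideoLAN", "VLC", "desktop.ini"): b"[.ShellClassInfo]",  # legitimate name, not flagged
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def run_demo():
    """Build the constructed tree and sweep it; one constructed digest stands in for a real hash hit."""
    root = build_demo_tree()
    known = dict(KNOWN_SHA256)
    known[sha256_of(os.path.join(root, "Windows", "Logo1_.exe"))] = "constructed demo digest"
    return sweep(root, known)


if __name__ == "__main__":
    for kind, rel, detail in run_demo():
        print(f"{kind:24} {rel}  ({detail})")
```

Against a real system the `root` argument would be the drive root; the hash table is the cheap, exact check, and the `_desktop.ini` rule is the broad one, because the report shows the marker written into package directories that legitimate software never touches after installation. Hash the dropped copies rather than the submitted sample alone: the Downloads section records a 357KB `.exe.exe` and a 636KB runtime installer whose digests differ from the original 383KB file.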