Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12/06/2024, 23:42

Static task: static1

Behavioral task: behavioral1
- Sample: 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
- Resource: win10v2004-20240508-en
General
- Target: 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
- Size: 66KB
- MD5: a878b58aacb81b190eb1c0a7de1df471
- SHA1: 801d617704eb88f0c6c3fb243ae189494b6964af
- SHA256: 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c
- SHA512: 5533b38cdfe0f9412967278b958fc13fc9b494ac7c9f062633217a51f6bc8ae20b8a9602161c4d27d34c539aade1feeeae226656967b094ef2cf231957a1cf02
- SSDEEP: 1536:kIfgLdQAQfcfymNg33CLlAJmiRTOlfm7dxh:/ftffjmN83kAJJaMh
Malware Config
Signatures

Deletes itself (1 IoC)
- pid 2540, process cmd.exe

Executes dropped EXE (2 IoCs)
- pid 2548, process Logo1_.exe
- pid 2752, process 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe

Loads dropped DLL (1 IoC)
- pid 2540, process cmd.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\Y: by Logo1_.exe
- File opened (read-only) \??\U: by Logo1_.exe
- File opened (read-only) \??\S: by Logo1_.exe
- File opened (read-only) \??\P: by Logo1_.exe
- File opened (read-only) \??\O: by Logo1_.exe
- File opened (read-only) \??\W: by Logo1_.exe
- File opened (read-only) \??\Q: by Logo1_.exe
- File opened (read-only) \??\N: by Logo1_.exe
- File opened (read-only) \??\H: by Logo1_.exe
- File opened (read-only) \??\X: by Logo1_.exe
- File opened (read-only) \??\R: by Logo1_.exe
- File opened (read-only) \??\M: by Logo1_.exe
- File opened (read-only) \??\G: by Logo1_.exe
- File opened (read-only) \??\E: by Logo1_.exe
- File opened (read-only) \??\J: by Logo1_.exe
- File opened (read-only) \??\I: by Logo1_.exe
- File opened (read-only) \??\Z: by Logo1_.exe
- File opened (read-only) \??\V: by Logo1_.exe
- File opened (read-only) \??\T: by Logo1_.exe
- File opened (read-only) \??\L: by Logo1_.exe
- File opened (read-only) \??\K: by Logo1_.exe

Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
- File created C:\Windows\Logo1_.exe by 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
- File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
- File created C:\Windows\vDll.dll by Logo1_.exe
- File created C:\Windows\rundl132.exe by 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
- pid 2548, process Logo1_.exe (all 10 entries are this process)

Suspicious use of WriteProcessMemory (22 IoCs)
- PID 2180 (4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe) wrote to memory of PID 2540, procid_target 28 (4 entries)
- PID 2180 (4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe) wrote to memory of PID 2548, procid_target 29 (4 entries)
- PID 2548 (Logo1_.exe) wrote to memory of PID 2556, procid_target 30 (4 entries)
- PID 2556 (net.exe) wrote to memory of PID 2724, procid_target 33 (4 entries)
- PID 2540 (cmd.exe) wrote to memory of PID 2752, procid_target 34 (4 entries)
- PID 2548 (Logo1_.exe) wrote to memory of PID 1188, procid_target 21 (2 entries)
Processes
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID:1188
  - [2] C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID:2180
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2D28.bat
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID:2540
      - [4] C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"
        Signatures: Executes dropped EXE
        PID:2752
    - [3] C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID:2548
      - [4] C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID:2556
        - [5] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID:2724
Network
MITRE ATT&CK Enterprise v15
Downloads