Analysis
-
max time kernel
149s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12/06/2024, 23:42
Static task
static1
Behavioral task
behavioral1
Sample
4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
Resource
win10v2004-20240508-en
General
-
Target
4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
-
Size
66KB
-
MD5
a878b58aacb81b190eb1c0a7de1df471
-
SHA1
801d617704eb88f0c6c3fb243ae189494b6964af
-
SHA256
4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c
-
SHA512
5533b38cdfe0f9412967278b958fc13fc9b494ac7c9f062633217a51f6bc8ae20b8a9602161c4d27d34c539aade1feeeae226656967b094ef2cf231957a1cf02
-
SSDEEP
1536:kIfgLdQAQfcfymNg33CLlAJmiRTOlfm7dxh:/ftffjmN83kAJJaMh
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 436 Logo1_.exe 2728 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Reference Assemblies\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\skins\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Adobe\ARM\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Adobe\HelpCfg\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office 15\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dtplugin\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactNative\Tracing\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\_desktop.ini Logo1_.exe File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en-gb\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Resource\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Photo Viewer\uk-UA\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe File created C:\Windows\Logo1_.exe 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe 436 Logo1_.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1604 wrote to memory of 116 1604 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe 82 PID 1604 wrote to memory of 116 1604 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe 82 PID 1604 wrote to memory of 116 1604 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe 82 PID 1604 wrote to memory of 436 1604 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe 83 PID 1604 wrote to memory of 436 1604 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe 83 PID 1604 wrote to memory of 436 1604 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe 83 PID 436 wrote to memory of 4472 436 Logo1_.exe 84 PID 436 wrote to memory of 4472 436 Logo1_.exe 84 PID 436 wrote to memory of 4472 436 Logo1_.exe 84 PID 4472 wrote to memory of 3920 4472 net.exe 87 PID 4472 wrote to memory of 3920 4472 net.exe 87 PID 4472 wrote to memory of 3920 4472 net.exe 87 PID 116 wrote to memory of 2728 116 cmd.exe 88 PID 116 wrote to memory of 2728 116 cmd.exe 88 PID 436 wrote to memory of 3400 436 Logo1_.exe 56 PID 436 wrote to memory of 3400 436 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4BFD.bat3⤵
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"4⤵
- Executes dropped EXE
PID:2728
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:3920
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD5f94afa1cae163777a4ead07058d9b026
SHA1f9076e8e06e3f5eaf76ce771473be0b0045fc3e9
SHA256cd34b8f29d1c48674d4079c529efef3554200bfcef576bb55a2e3f03ce0f2362
SHA51254be6fb01f76381ecde1f9cbe7d8d80f23622833bd89e6cfd3506942aa19387acf77c9b96fb6b3375f83158c51c2b6369071a155cb084f2f92cc4ae3286c4f18
-
Filesize
317KB
MD5b1d0c7ad56549e53cc860796162d55a5
SHA152a94b46b04686ad4cc41b86c61833765aab7d93
SHA2567c377bc1ae973ebce38c5f3d473227fb647c3ab21957a937e27ea91e2fd96603
SHA51277ef248a25ac77094a36fa4eca07e512f0b707d08b383829dfca3acb0eb707e446c059f71bab10a6348cab3c8c640fe3a798219107a81bc183296ca6af4f872f
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize636KB
MD52500f702e2b9632127c14e4eaae5d424
SHA18726fef12958265214eeb58001c995629834b13a
SHA25682e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c
-
Filesize
722B
MD5b54edc6369ccd03d5500538b879e526f
SHA1e117e44892e553db7bafe11d024b97b9d79f7372
SHA256518488543a3e4ab5a2a1f535b48680af1b94dd1e4e92992c919dcfe6ca1cef64
SHA51241d2ff530ace2cd8adce60c2e969937e04a80f160e30fd1640cd640e1bca85c6e6c7b5c399be08a8b6e7e05b2ce79c48edb4401fa9e4ad3619aea7edb04a7edb
-
C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe.exe
Filesize40KB
MD51bd1483a7c02d3c1b41b9b1c267ce18a
SHA15106e8b8e4c292ba6aa53e85755e42b721f4d8c7
SHA25697fe1e3fd8bd54531af1d0ec7a41428a5767ff205e3629deb0e7f6dd1d8e52ce
SHA512e0380278791f8e0c3c67375e2c9b39f9f4485698565f6f91e70b3223b8232ad842e87ad3b7e1e92c31f0e92d27e6b51102576a6ae788957b5b4e3a1fccc3f925
-
Filesize
26KB
MD5d1bd53e7079e1416e563b6787c74f3f8
SHA1dfbb7850f591cc74bcbe86418b5ef11522e9e7b0
SHA256b4a3413d2027dc45862a0959c413db5f6b7e932c3c61660c2c3df78804d1db2e
SHA512bacb9edc071341e8ea9dfd8309126f1bc29dbcc9b0cb4a9212b9ad6f6381bc2aae8f9c300eeb3e17e1519d90456e651270e316497daa5ed0f23b69a10fdd129f
-
Filesize
9B
MD51f206a052c160fd77308863abd810887
SHA13b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1
SHA25645129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1
SHA512bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5