Analysis
max time kernel: 150s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 23:45
Static task: static1
Behavioral task: behavioral1
  Sample: cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe
  Resource: win10v2004-20240508-en
General
Target: cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe
Size: 959KB
MD5: 320b5c78b7e64d692ae12690f05de524
SHA1: d1f7c2b3327ed56e5ff05701d3eed1f093ee485b
SHA256: cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc
SHA512: 27f503c2b0cd10f8c28fd6c4d0d089c44c905980a4b37b7b3af2bbcee60a1087bdfd5a20625d650fcfe3b6f8675caf958d7a5718a8ec00864115cd5235e1a525
SSDEEP: 12288:TRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:cBpDRmi78gkPXlyo0G/jr
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID 4824  Logo1_.exe
  PID 2968  cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe, in the order recorded: \??\V: \??\R: \??\N: \??\L: \??\J: \??\Y: \??\X: \??\M: \??\I: \??\G: \??\Z: \??\T: \??\S: \??\P: \??\O: \??\K: \??\E: \??\W: \??\U: \??\Q: \??\H:
  (every letter from E: through Z: except F:; C: and D: are not probed)
Drops file in Program Files directory (64 IoCs; every entry is by Logo1_.exe)
Three of the 64 entries are existing executables opened for modification rather than _desktop.ini marker files: C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe, C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe and C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe.
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-gb\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\_desktop.ini
  File opened for modification: C:\Program Files\Microsoft Office 15\ClientX64\_desktop.ini
  File created: C:\Program Files\Windows Security\BrowserCore\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows NT\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-gb\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\_desktop.ini
  File created: C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-gb\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\View3d\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
  File created: C:\Program Files\Java\jdk-1.8\jre\lib\deploy\_desktop.ini
  File created: C:\Program Files\Windows Defender\es-ES\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\_desktop.ini
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe
  File created: C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
  File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\_desktop.ini
  File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini
Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\rundl132.exe  by cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe
  File created: C:\Windows\Logo1_.exe  by cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe
  File opened for modification: C:\Windows\rundl132.exe  by Logo1_.exe
  File created: C:\Windows\vDll.dll  by Logo1_.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID 4824  Logo1_.exe  (all 20 events are from this one process)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeRestorePrivilege  PID 2968  cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe
  Token: 35  PID 2968  cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Each row collapses the repeated identical entries of the original table; target process names are taken from the process list below.
  source PID  source process                                                                  target PID  target process                                                                  procid_target  count
  3784        cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe            2804        cmd.exe                                                                         82             3
  3784        cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe            4824        Logo1_.exe                                                                      83             3
  4824        Logo1_.exe                                                                      4120        net.exe                                                                         84             3
  4120        net.exe                                                                         3408        net1.exe                                                                        87             3
  2804        cmd.exe                                                                         2968        cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe            88             2
  4824        Logo1_.exe                                                                      3452        Explorer.EXE                                                                    56             2
The first five rows are the parent-to-child writes that accompany process creation. The last row is different: Explorer.EXE (PID 3452) is not a child of Logo1_.exe, so Logo1_.exe wrote into the memory of an already-running, unrelated process.
Processes
C:\Windows\Explorer.EXE  (PID 3452)
  C:\Users\Admin\AppData\Local\Temp\cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe  (PID 3784)
    command line: "C:\Users\Admin\AppData\Local\Temp\cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2804)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a44F8.bat
      signatures: Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe  (PID 2968)
        command line: "C:\Users\Admin\AppData\Local\Temp\cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe"
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    C:\Windows\Logo1_.exe  (PID 4824)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe  (PID 4120)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  (PID 3408)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
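The process tree above is a short chain: the sample drops Logo1_.exe and rundl132.exe into C:\Windows, launches the dropped Logo1_.exe, and Logo1_.exe in turn stops an antivirus service through net.exe and writes vDll.dll plus a burst of _desktop.ini files. The script below is an added example, not part of this sandbox report or its tooling: it replays that chain as constructed Sysmon-like events (event id 1 for process creation, 11 for file creation, with the PIDs and paths taken from the report) and shows how a triage rule can follow the "taint" from the sample to its children and dropped binaries, so that `net stop` or a write into C:\Windows is only reported when a tainted process does it. The event shape, the user-writable path list and the _desktop.ini burst threshold are assumptions of the example.

```python
import re
from collections import Counter

# Indicator copied from the report above.
SAMPLE_SHA256 = "cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc"
# Assumed threshold: how many _desktop.ini writes under Program Files by one
# process before it is reported as a burst.
DESKTOP_INI_BURST = 5
# Matches "net stop <svc>" and the net1 form seen in the report; captures the service name.
NET_STOP = re.compile(r'(?:^|\\)net1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def runs_from_user_writable(image):
    """True for images under paths an unprivileged user can write to (assumed list)."""
    p = image.lower()
    return "\\appdata\\local\\temp\\" in p or "\\users\\public\\" in p


def triage(events):
    """Walk process-create (id 1) and file-create (id 11) events in order,
    propagate a 'tainted' mark from the sample to its children and to the
    files it drops, and report what tainted processes do.
    Returns a list of (pid, finding) tuples."""
    tainted_pids, tainted_paths, findings = set(), set(), []
    ini_writes = Counter()
    for e in events:
        if e["id"] == 1:
            image = e["image"].lower()
            tainted = (
                e.get("sha256") == SAMPLE_SHA256      # known-bad hash
                or runs_from_user_writable(image)     # started out of Temp
                or image in tainted_paths             # binary was dropped by a tainted process
                or e["ppid"] in tainted_pids          # child of a tainted process
            )
            if not tainted:
                continue
            tainted_pids.add(e["pid"])
            m = NET_STOP.search(e["cmdline"])
            if m:
                findings.append((e["pid"], f'tainted process stops service "{m.group(1)}"'))
        elif e["id"] == 11 and e["pid"] in tainted_pids:
            target = e["target"].lower()
            tainted_paths.add(target)   # anything a tainted process writes is tainted too
            if target.startswith("c:\\windows\\") and target.endswith((".exe", ".dll")):
                findings.append((e["pid"], f"tainted process writes {e['target']}"))
            if target.startswith("c:\\program files") and target.endswith("\\_desktop.ini"):
                ini_writes[e["pid"]] += 1
                if ini_writes[e["pid"]] == DESKTOP_INI_BURST:
                    findings.append((e["pid"], f"{DESKTOP_INI_BURST}+ _desktop.ini files written under Program Files"))
    return findings


# Constructed Sysmon-like events (hypothetical shape) replaying the process tree
# and file IoCs above; PIDs and paths are the ones recorded in the report.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe"
ACROBAT = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 3784, "ppid": 3452, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "sha256": SAMPLE_SHA256},
    {"id": 11, "pid": 3784, "target": r"C:\Windows\rundl132.exe"},
    {"id": 11, "pid": 3784, "target": r"C:\Windows\Logo1_.exe"},
    {"id": 1, "pid": 2804, "ppid": 3784, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c " + TEMP + r"\$$a44F8.bat"},
    {"id": 1, "pid": 4824, "ppid": 3784, "image": r"C:\Windows\Logo1_.exe", "cmdline": r"C:\Windows\Logo1_.exe"},
    {"id": 1, "pid": 4120, "ppid": 4824, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"id": 1, "pid": 3408, "ppid": 4120, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"id": 11, "pid": 4824, "target": r"C:\Windows\vDll.dll"},
    *({"id": 11, "pid": 4824, "target": ACROBAT + "\\" + sub + r"\_desktop.ini"} for sub in (
        r"createpdfupsell-app\js\plugins\rhp", r"sign-services-auth\js\nls\en-gb",
        r"unified-share\images\themes", r"editpdf\js\nls\ko-kr",
        r"my-files\js\nls\fr-ma", r"dc-annotations\js")),
    # Control events (constructed): the same actions from an untainted process are not reported.
    {"id": 1, "pid": 5100, "ppid": 3452, "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop Spooler"},
    {"id": 11, "pid": 3452, "target": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(pid, finding)
```

Run as-is, the script reports the two binaries the sample writes into C:\Windows, the service stop from both net.exe and net1.exe, the vDll.dll write by Logo1_.exe and the _desktop.ini burst, while the untainted `net stop Spooler` control event produces nothing. The taint propagation is what makes the rule useful on real telemetry: `net stop` and writes under C:\Windows are common on their own, but a chain that starts in a user's Temp directory is not.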
Network
MITRE ATT&CK Enterprise v15
Downloads (files written during the run)
Path: (no path given)
  Filesize: 254KB
  MD5: 48b536408ac1a66263ed8da4ec21add8
  SHA1: 62d20d73d6035d5ce1e1bf1068ff3bf52d609c3b
  SHA256: fbc2cf414606174f3555d76fe647557b72ac47e6bda0864fd8c5dad738df1733
  SHA512: 44f09df70cb4cafa63f88899b0b0fa07bf8fcd5d0106a9a945453de7570c37985039c4a7267708815b6c707539e9a4472d329f010f6a692c5c1fcaab6c41f1c0
Path: (no path given)
  Filesize: 233KB
  MD5: bdb223d942e000b1229db39952ae447d
  SHA1: 86fbe7a34a91eaaff613ad0d5d75278a54bd2c21
  SHA256: 97f5bfd796c2c4567c298cc8d0777dcaaec78f029e0d25a8d1e75f27bbce9faa
  SHA512: fd1bdecdc3c81dd2f9e21c1469d1077a49bf85203bb2f633aabe9f6d56a4a88e46584bb1eadb06578939a9098b877aa4acfb0c0e535618c15ee78ee72c36fab1
Path: C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  Filesize: 639KB
  MD5: f1a31b2ce27caa12b0c83698d2266dbe
  SHA1: 41d0f0731185588db910853ce965e677bd2e53e5
  SHA256: c013780783b3c6105da7ffd4b46452fadec0336c22a310fc20a3b67778855105
  SHA512: a12d12be843f39c38bc6e596c08760744bf07f4a06636a592a883989ec4467b76b9ca6b859bfd997a9d6cb85e3abbac82729e71ea989df9d3ba065e740e12206
Path: (no path given)
  Filesize: 722B
  MD5: d264e741456b0dc9708b88ac67d6d96a
  SHA1: 989b2d48ac9a9ac07388c44cc1b57d43bad36be2
  SHA256: 43ac8ba8345f87f50d49e0f1a8f9254489aa86cee28ff599f5b5b527828210c3
  SHA512: ccf6d68068b1ab8342085d4ce2629999c7c285448bd42bf6aa83e8e5480d6c9dba2ac1eb1f6dd13f970f1b56250e40697f9c55015489af0cc88f67f72c32afc6
Path: C:\Users\Admin\AppData\Local\Temp\cce15963cc172b1273163ab1b12e15ff4e9da9e2335ff6a7f605850df2fa79cc.exe.exe
  Filesize: 930KB
  MD5: 30ac0b832d75598fb3ec37b6f2a8c86a
  SHA1: 6f47dbfd6ff36df7ba581a4cef024da527dc3046
  SHA256: 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
  SHA512: 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057
  Note: same base name as the submitted 959KB sample with a second .exe suffix, but 930KB and with different hashes from the sample.
Path: (no path given)
  Filesize: 29KB
  MD5: 9fcfb6b631b5a62c2af6f852de61dc71
  SHA1: 02149b5ae9d7c72cc2df500a9cf25ef4234614e1
  SHA256: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a
  SHA512: 69076244e4c53b09a9d3595e6b53201013ce006da986542f8375223640e5ce66d000c9f02c71d3856ea0f3f788c139fce670ae26c571bd71d801bd67e15cb66a
Path: (no path given)
  Filesize: 9B
  MD5: 1f206a052c160fd77308863abd810887
  SHA1: 3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1
  SHA256: 45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1
  SHA512: bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5