Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
12/06/2024, 23:45
Static task
static1
Behavioral task
behavioral1
Sample
f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe
Resource
win10v2004-20240611-en
General
-
Target
f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe
-
Size
713KB
-
MD5
5b52622eed2c2a2ea6d9dc212d28a839
-
SHA1
2e3291c80690f460f6dfefe0ed1d01d60b3e9221
-
SHA256
f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c
-
SHA512
0c62e222119b9b89a2590aa74159ca485450ac03d0da8098459156e0059a5467daaf5670d7878343e06b4b70c8b4638e57e39586940ff14aaf5f703b32632ecc
-
SSDEEP
12288:CfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:+LOS2opPIXV
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3320 Logo1_.exe 1424 f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files\MsEdgeCrashpad\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\ResiliencyLinks\MEIPreload\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\ResiliencyLinks\WidevineCdm\_platform_specific\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Google\Update\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\_desktop.ini Logo1_.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ar-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\EBWebView\x86\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\ResiliencyLinks\identity_proxy\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\vDll.dll Logo1_.exe File created C:\Windows\rundl132.exe f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe File created C:\Windows\Logo1_.exe f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe 3320 Logo1_.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1180 wrote to memory of 1200 1180 f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe 89 PID 1180 wrote to memory of 1200 1180 f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe 89 PID 1180 wrote to memory of 1200 1180 f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe 89 PID 1180 wrote to memory of 3320 1180 f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe 90 PID 1180 wrote to memory of 3320 1180 f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe 90 PID 1180 wrote to memory of 3320 1180 f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe 90 PID 3320 wrote to memory of 1976 3320 Logo1_.exe 91 PID 3320 wrote to memory of 1976 3320 Logo1_.exe 91 PID 3320 wrote to memory of 1976 3320 Logo1_.exe 91 PID 1976 wrote to memory of 1280 1976 net.exe 94 PID 1976 wrote to memory of 1280 1976 net.exe 94 PID 1976 wrote to memory of 1280 1976 net.exe 94 PID 1200 wrote to memory of 1424 1200 cmd.exe 95 PID 1200 wrote to memory of 1424 1200 cmd.exe 95 PID 3320 wrote to memory of 3500 3320 Logo1_.exe 56 PID 3320 wrote to memory of 3500 3320 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe"C:\Users\Admin\AppData\Local\Temp\f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFFEB.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe"C:\Users\Admin\AppData\Local\Temp\f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe"4⤵
- Executes dropped EXE
PID:1424
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:1280
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1440,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:81⤵PID:4248
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD548b536408ac1a66263ed8da4ec21add8
SHA162d20d73d6035d5ce1e1bf1068ff3bf52d609c3b
SHA256fbc2cf414606174f3555d76fe647557b72ac47e6bda0864fd8c5dad738df1733
SHA51244f09df70cb4cafa63f88899b0b0fa07bf8fcd5d0106a9a945453de7570c37985039c4a7267708815b6c707539e9a4472d329f010f6a692c5c1fcaab6c41f1c0
-
Filesize
573KB
MD570c4e6e39f45b3c462a19493e22a89e6
SHA1a1b00301c3deedabdb6a835d9cf3660aaf8502af
SHA25649d406bec2126ed4f1d6ea4ec7a64f33175753629b34a8da54e46f89bce1c77d
SHA5124d192c0e8a63addfc044f923d34c12704ec2ec9cedbf6489838bd5a0960c4f38ff89560f684aeae5a4666d0b19f271d4f830a5a482d9a80a58de3a49d7a9a4eb
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize639KB
MD5f1a31b2ce27caa12b0c83698d2266dbe
SHA141d0f0731185588db910853ce965e677bd2e53e5
SHA256c013780783b3c6105da7ffd4b46452fadec0336c22a310fc20a3b67778855105
SHA512a12d12be843f39c38bc6e596c08760744bf07f4a06636a592a883989ec4467b76b9ca6b859bfd997a9d6cb85e3abbac82729e71ea989df9d3ba065e740e12206
-
Filesize
722B
MD5c8f43d3a8ab3a30309732ba703265dac
SHA16ef265912564ef8c1ba4b9a6ef648adfc70399af
SHA256615f8d40099b7a9efab2422e5ef7278eabf52e7ec521517966fb79c178c13e38
SHA5123031ed1fe3835733b248c999262a02404e9999f4f83ae4f7bb3ef89a66a5bb19e5a342af7a033fe946cd07a35975481b4cf4a9b34d8b69d17913d0e94689384b
-
C:\Users\Admin\AppData\Local\Temp\f67af8326404894cda907d6635622e50c68d6ede1e3f93b36c6f7d37be11306c.exe.exe
Filesize684KB
MD550f289df0c19484e970849aac4e6f977
SHA13dc77c8830836ab844975eb002149b66da2e10be
SHA256b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305
SHA512877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38
-
Filesize
29KB
MD59fcfb6b631b5a62c2af6f852de61dc71
SHA102149b5ae9d7c72cc2df500a9cf25ef4234614e1
SHA256470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a
SHA51269076244e4c53b09a9d3595e6b53201013ce006da986542f8375223640e5ce66d000c9f02c71d3856ea0f3f788c139fce670ae26c571bd71d801bd67e15cb66a
-
Filesize
9B
MD51f206a052c160fd77308863abd810887
SHA13b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1
SHA25645129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1
SHA512bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5