Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 12-06-2024 23:45
Static task: static1
Behavioral task: behavioral1
  Sample: d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe
  Resource: win10v2004-20240508-en
(The signatures and process tree below are from the Windows 7 x64 run, behavioral1.)
General
Target: d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe
Size: 43KB
MD5: b3ec6ca07bc2a5f781791c3045ee4a0a
SHA1: 6ab0a16eb0cbb6ab49125fab0fd8b56087ee6107
SHA256: d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5
SHA512: 66011790a42c4787eb2da2961ab859b832c9f60958832e27b19142e78efe3d2e94aa73045b6dc5b8c8afe22cd276b0428258795468ad2e75387510a4397ae343
SSDEEP: 768:phHv16GVRu1yK9fMnJG2V9dHS8/WQ3655Kv1X/qY1MSd:pp93SHuJV9NDHqaNrFd
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2980  cmd.exe
- Executes dropped EXE (2 IoCs)
  PID 2976  Logo1_.exe
  PID 2668  d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe
- Loads dropped DLL (1 IoC)
  PID 2980  cmd.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  (every drive letter from E: to Z: except F:; A:, B:, D: and F: do not appear, and C: is excluded by the signature itself)
- Drops file in Program Files directory (64 IoCs, all by Logo1_.exe; 64 is the report's display cap, so the real count is likely higher)
  Executables opened for modification (9):
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
    C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
    C:\Program Files\Mozilla Firefox\default-browser-agent.exe
    C:\Program Files\Windows Journal\PDIALOG.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
    C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
  _desktop.ini created (24):
    C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini
    C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini
    C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini
    C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini
    C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini
    C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini
    C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini
    C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini
    C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\_desktop.ini
    C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini
    C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini
    C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini
    C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini
  _desktop.ini opened for modification (31):
    C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\_desktop.ini
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini
    C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini
    C:\Program Files (x86)\Google\Update\Install\_desktop.ini
    C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini
    C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini
    C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini
    C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini
    C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini
    C:\Program Files\Windows Portable Devices\_desktop.ini
    C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini
    C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini
    C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini
    C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini
    C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini
    C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini
    C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini
    C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini
  Reading note: the nine executables are unrelated third-party programs opened for write by a process that has no business touching them, and the _desktop.ini (underscore, not the legitimate desktop.ini) is written into every directory the process walks. Together that is file-infector behaviour, not a simple dropper; any .exe the infector could reach on the victim should be treated as potentially infected.
- Drops file in Windows directory (4 IoCs)
  File created                 C:\Windows\rundl132.exe   by d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe
  File created                 C:\Windows\Logo1_.exe     by d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe
  File opened for modification C:\Windows\rundl132.exe   by Logo1_.exe
  File created                 C:\Windows\vDll.dll       by Logo1_.exe
  Analyst note (not a statement the sandbox makes): rundl132.exe, Logo1_.exe and vDll.dll in C:\Windows, _desktop.ini markers, a $$a<n>.bat self-delete script and a net stop of the Kingsoft AntiVirus service are the long-documented hallmarks of the Win32/Viking (Looked) file infector. Treat that as a lead to confirm with a scanner or a YARA match on the dropped Logo1_.exe, not as the report's verdict.
- Runs net.exe
  (no IoC rows in the report; the command line is visible in the process tree: net stop "Kingsoft AntiVirus Service")
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 2976  Logo1_.exe  (10 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2668  d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe
- Suspicious use of WriteProcessMemory (25 IoCs, collapsed to unique writer/target pairs)
  PID 2372 (d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe) wrote to 2980 (cmd.exe)      procid_target 28, 4 events
  PID 2372 (d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe) wrote to 2976 (Logo1_.exe)   procid_target 29, 4 events
  PID 2976 (Logo1_.exe) wrote to 2116 (net.exe)                                                                 procid_target 31, 4 events
  PID 2980 (cmd.exe) wrote to 2668 (d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe)      procid_target 33, 7 events
  PID 2116 (net.exe) wrote to 2600 (net1.exe)                                                                   procid_target 34, 4 events
  PID 2976 (Logo1_.exe) wrote to 1352 (Explorer.EXE)                                                            procid_target 21, 2 events
  Reading note: the first five pairs are each a parent writing into a child it just created, which is what process creation looks like to this hook and is expected. The last pair is different: Logo1_.exe writes into Explorer.EXE (PID 1352), which is not its child. That is the one to follow up on in a memory image; the report does not say what was written.
Processes
C:\Windows\Explorer.EXE  (PID 1352)
  C:\Users\Admin\AppData\Local\Temp\d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe"  (PID 2372)
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a10.bat  (PID 2980)
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe"  (PID 2668)
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
    C:\Windows\Logo1_.exe
      cmdline: C:\Windows\Logo1_.exe  (PID 2976)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        cmdline: net stop "Kingsoft AntiVirus Service"  (PID 2116)
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"  (PID 2600)

Reading the chain: the submitted file (PID 2372) drops rundl132.exe and Logo1_.exe into C:\Windows, starts Logo1_.exe, and hands a $$a10.bat script to cmd.exe. That batch deletes the original (the "Deletes itself" hit is on cmd.exe, not on the sample) and then launches the same path again; the relaunched copy (PID 2668) is flagged "Executes dropped EXE", so by then the file at that path is no longer the submitted sample. Meanwhile Logo1_.exe enumerates every drive letter, writes _desktop.ini markers and opens executables under Program Files for write, drops vDll.dll, stops the Kingsoft AntiVirus service through net.exe/net1.exe, and writes into Explorer.EXE.
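Hunting logic for the behaviour pattern above, as an added example that is not part of the sandbox output. It consumes file events as (action, path) pairs and process command lines, which is an assumed shape (export from Sysmon, EDR or a sandbox JSON into it); the indicator values are taken from this report, and the sample events embedded at the bottom are constructed from the report's IoC rows so the script runs offline.

```python
"""Hunt for the file-infector pattern seen in this report (added example).

Indicators come from the report above. The event shape (action, path) and
the command-line list are assumptions about whatever telemetry you export.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Files the sample / Logo1_.exe dropped into C:\Windows (from the report).
WINDOWS_DROPS = {"rundl132.exe", "logo1_.exe", "vdll.dll"}
# Marker Logo1_.exe leaves in each directory it walks (underscore-prefixed,
# so it never collides with the legitimate desktop.ini).
MARKER_NAME = "_desktop.ini"
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
# Command lines visible in the process tree.
AV_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"kingsoft antivirus service"', re.I)
SELFDEL_RE = re.compile(r'\bcmd(?:\.exe)?\s+/c\s+\S*\\\$\$a\d+\.bat\b', re.I)
# Root-path probes are logged as \??\X: by the sandbox.
DRIVE_RE = re.compile(r'^\\\?\?\\([A-Z]):$', re.I)


def classify_file_event(action, path):
    """Map one (action, path) pair to an indicator category, or None."""
    m = DRIVE_RE.match(path)
    if m:
        return "drive-probe:" + m.group(1).upper()
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower() + "\\"
    if parent == "c:\\windows\\" and name in WINDOWS_DROPS:
        return "windows-drop"
    if parent.startswith(PROGRAM_FILES):
        if name == MARKER_NAME:
            return "infection-marker"
        if action == "modify" and name.endswith(".exe"):
            return "exe-opened-for-write"
    return None


def classify_cmdline(cmdline):
    """Map one process command line to an indicator category, or None."""
    if AV_STOP_RE.search(cmdline):
        return "av-service-stop"
    if SELFDEL_RE.search(cmdline):
        return "self-delete-batch"
    return None


def hunt(file_events, proc_events, min_drives=5):
    """Return {category: count}. Individual drive probes are folded into one
    'drive-enumeration' category once at least min_drives distinct letters
    were touched; a single probe is normal and not reported."""
    hits = defaultdict(int)
    drives = set()
    for action, path in file_events:
        cat = classify_file_event(action, path)
        if cat is None:
            continue
        if cat.startswith("drive-probe:"):
            drives.add(cat.split(":", 1)[1])
        else:
            hits[cat] += 1
    if len(drives) >= min_drives:
        hits["drive-enumeration"] = len(drives)
    for cmdline in proc_events:
        cat = classify_cmdline(cmdline)
        if cat:
            hits[cat] += 1
    return dict(hits)


def verdict(hits):
    """Require two independent behaviours before alerting: one stray
    _desktop.ini or one 'net stop' on its own is not enough."""
    return len(hits) >= 2


# Constructed sample telemetry, built from the IoC rows in the report.
SAMPLE_FILE_EVENTS = [
    ("create", "C:\\Windows\\rundl132.exe"),
    ("create", "C:\\Windows\\Logo1_.exe"),
    ("create", "C:\\Windows\\vDll.dll"),
    ("create", "C:\\Program Files\\Microsoft Games\\Mahjong\\en-US\\_desktop.ini"),
    ("modify", "C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroTextExtractor.exe"),
    ("modify", "C:\\Program Files\\Java\\jdk1.7.0_80\\bin\\jar.exe"),
    ("modify", "C:\\Program Files\\Mozilla Firefox\\default-browser-agent.exe"),
    ("create", "C:\\Users\\Admin\\Desktop\\notes.txt"),  # benign noise
] + [("read", "\\??\\%s:" % d) for d in "EGHIJKLMNOPQRSTUVWXYZ"]  # 21 letters, as in the report

SAMPLE_PROC_EVENTS = [
    'cmd /c C:\\Users\\Admin\\AppData\\Local\\Temp\\$$a10.bat',
    'net stop "Kingsoft AntiVirus Service"',
    'C:\\Windows\\system32\\net1 stop "Kingsoft AntiVirus Service"',
    'explorer.exe',  # benign noise
]

if __name__ == "__main__":
    found = hunt(SAMPLE_FILE_EVENTS, SAMPLE_PROC_EVENTS)
    print(found, "ALERT" if verdict(found) else "clean")
```

The threshold in verdict() is deliberate: `_desktop.ini` markers and an AV service stop each occur in benign admin scripts often enough that one category alone produces noise, while two of these behaviours on one host within a short window is something worth a ticket. Swap the sample lists for your own export; only the two classify_* functions know about the event format.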
Network
MITRE ATT&CK Enterprise v15
Downloads
(six files the sandbox captured; only one of them kept its path in this extract)

Filesize: 254KB
MD5: a93821e61328d1457e5817e2ebd59b62
SHA1: 60535b8ae1c0750360a6cd86443a8fcbaa1dc61b
SHA256: f7cbad10c3bdb1157962fc9fa7c2ee1660f89d82e0baa903a4d7314475dfc212
SHA512: 14da8e53583cdd33c6e9b59a3110869b1d2a1b6d097e4fa692584e4a7ac76a6ed56460cc5ef95ffd8e709fca791cb0ba040dbb1217064f64bd9c20abf67a0668

Filesize: 474KB
MD5: de4228cb7a5a7f082477f6a504b822a7
SHA1: dfd84f0b6f4977bfda43b1827aa747a9a5a8a38b
SHA256: 8c5089a062734aa1a66e70700d4f33f2f54157c4bb3ed4d6ce1a852de8b6f90b
SHA512: a3b64b10a22dedebfa48e7705e148d50df480fa9bb0669bc06951ab0ff5f97657f72dc8b71db610499ee38ecae9ae494265841a737806bed7c061d0b634913c8

Filesize: 720B
MD5: eebd831da5030ceec86d4e8428e554f7
SHA1: 607aed93afb07acf1422beff4f1d47fbb5e37a51
SHA256: 086fb8c8f7e9ab2a6bb889a058f40fd4ecbf96d969251147f29a06d895b575b4
SHA512: 496da5573d7fe837318d619720b8671b66d8e577d11c82142dec8e949905e0dc81140a2e1e51fe56c35b1dad56237de2318bee8b86252a580d96010db5fa7389

C:\Users\Admin\AppData\Local\Temp\d479d075ea4e7bde7e322fe334a8677640ca5de55eae6be6e7178558725370b5.exe.exe
Filesize: 14KB
MD5: ad782ffac62e14e2269bf1379bccbaae
SHA1: 9539773b550e902a35764574a2be2d05bc0d8afc
SHA256: 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
SHA512: a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

Filesize: 29KB
MD5: efa1b8e122e58a40f07e63f5a644c70c
SHA1: 90fdff8f2a9e2ebda62cccfd865e0970f9db629d
SHA256: f49584ffc209f455b93be597e42289952e26a11e55566dc16efd2e20732c5f94
SHA512: c252786d121b82af686b3e80ed5a577f455911ec67984415641f6166411b050e07bc80135de59a81ff1c0772173b705ff6f00438a935ad7f1276521325392830

Filesize: 9B
MD5: 1f206a052c160fd77308863abd810887
SHA1: 3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1
SHA256: 45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1
SHA512: bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

Reading note (inference from the sizes and the process tree, not something the report states): the submitted file is 43KB, the dropped .exe.exe beside it is 14KB and another captured file is 29KB, and 14KB + 29KB = 43KB. That is what a prepending file infector looks like: a 29KB viral body glued in front of a 14KB host program. The batch file run by cmd.exe would then be what restores the host under the original name and relaunches it, which matches PID 2668 being flagged "Executes dropped EXE". Hash the 29KB file against the dropped C:\Windows\Logo1_.exe to confirm; the report does not name the other five captured files.