Analysis
max time kernel: 150s
max time network: 117s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13/06/2024, 02:42
Static task: static1
Behavioral task: behavioral1
  Sample: b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
  Resource: win10v2004-20240508-en
General
Target: b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
Size: 96KB
MD5: 9fbea232a764499d46084b22629f2dd9
SHA1: 7451003f3d62beee43193b6822dc8eeefc4f9e72
SHA256: b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142
SHA512: 669575d4e135b2519cceeaf00a25878ecc54f8972c90fc65301f929e8220b7fffd2d6c0869f7d9a2bfef3f31040767a6a16c028bf833bc22419321824ef2ed3d
SSDEEP: 3072:BftffjmNrcc26D7nt0lv8ecxrNDcyplEmns/5jA4ZE1F:JVfjmNgc29irNDcyplEmKpRaH
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2216 cmd.exe
Executes dropped EXE (2 IoCs)
  pid 2460 Logo1_.exe
  pid 2692 b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
Loads dropped DLL (1 IoC)
  pid 2216 cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\R:, \??\E:, \??\V:, \??\X:, \??\W:, \??\P:, \??\N:, \??\M:, \??\H:, \??\Y:, \??\T:, \??\Q:, \??\O:, \??\L:, \??\J:, \??\G:, \??\U:, \??\S:, \??\K:, \??\I:, \??\Z:
Drops file in Program Files directory (64 IoCs)
All entries by process Logo1_.exe:
  File created: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini
  File created: C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini
  File created: C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini
  File created: C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini
  File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini
  File created: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe
  File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini
  File created: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini
  File created: C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini
  File created: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini
  File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini
  File created: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini
  File created: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini
  File opened for modification: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  File created: C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini
  File created: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini
  File created: C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows Media Player\wmprph.exe
  File created: C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini
Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\rundl132.exe (by b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe)
  File created: C:\Windows\Logo1_.exe (by b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe)
  File opened for modification: C:\Windows\rundl132.exe (by Logo1_.exe)
  File created: C:\Windows\vDll.dll (by Logo1_.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2460 Logo1_.exe (10 occurrences)
Suspicious use of WriteProcessMemory (22 IoCs)
  PID 2984 b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe wrote to memory of 2216 (procid_target 28), 4 occurrences
  PID 2984 b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe wrote to memory of 2460 (procid_target 29), 4 occurrences
  PID 2216 cmd.exe wrote to memory of 2692 (procid_target 32), 4 occurrences
  PID 2460 Logo1_.exe wrote to memory of 2628 (procid_target 31), 4 occurrences
  PID 2628 net.exe wrote to memory of 2752 (procid_target 34), 4 occurrences
  PID 2460 Logo1_.exe wrote to memory of 1216 (procid_target 21), 2 occurrences
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1216
  C:\Users\Admin\AppData\Local\Temp\b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2984
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a32F2.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2216
      C:\Users\Admin\AppData\Local\Temp\b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe"
        - Executes dropped EXE
        PID: 2692
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2460
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2628
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2752
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 251KB
  MD5: a33a8079a96b84fb107ee4603ea5a431
  SHA1: 4d57eace6522d58ce571c31103ce1335cac7a334
  SHA256: 3ca9dbf486bbdef38ddf2102a532563ab20f4d767c5e6228f39e606e626e76d8
  SHA512: 29ec766ea39de2e24661a6444590fcd3421dfaf8e2f9edc6b7420331b455e9726759add01d9f53862341b7563042f089c64703edfcc38afa5f26e1e4bb64709b
Filesize: 471KB
  MD5: 4cfdb20b04aa239d6f9e83084d5d0a77
  SHA1: f22863e04cc1fd4435f785993ede165bd8245ac6
  SHA256: 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
  SHA512: 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86
Filesize: 722B
  MD5: 3acad97b9f458b505c478afe90ee7a6d
  SHA1: 7315927d925424599c26d51080d8a3aeda4fc532
  SHA256: 9868b35fed66fb625c3494ae34ef65353bb0353495024bc6fa03933b4bea995a
  SHA512: 3492e07ddc7bf38d51173de4e02c0937352b291f5bfcb1098e7472ba600c551cf9ba6f47530b450cdb766ea1f1814456ddbfe229aa0fbaa0cd115002f7d7c616
C:\Users\Admin\AppData\Local\Temp\b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe.exe
  Filesize: 69KB
  MD5: b74d8eadf894a17d2d9280d2aba9e718
  SHA1: 03ee3be120a52750e0858f837440858d2af5534b
  SHA256: a32980008050dec43ec7e5610b8edea436d8b750b42b0e2112b2275af610c63b
  SHA512: 319b11cdc1952842f48df4e8d2dec0fe54f08a41cc7a2d249d64a00ea989047ec12281e78cdb7c1bbd6c406b6d107e36a9cca02621d068808dec94d2d707c693
Filesize: 26KB
  MD5: 2fa7d646424dcabdc763a482ed72338a
  SHA1: 2917f669560129d017d689b255ff05b848a6fcd0
  SHA256: b6e3f8544ab9ccaaf1cb6cc51639b7173edb46f7fc186b908d8bcd50b731da69
  SHA512: 02230628e90c8ae3397fa1c1908c9d4d27c112c7986ab6630608ce16054b1731bb06f3a129657c25a32214bd2451fe36b3f0e649073f5b8b6c86dca42d4b317b
Filesize: 9B
  MD5: 4f2460b507685f7d7bfe6393f335f1c9
  SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
  SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
  SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb