Analysis
max time kernel: 150s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/06/2024, 02:42
Static task: static1
Behavioral task: behavioral1
  Sample: b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
  Resource: win10v2004-20240508-en
General
Target: b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
Size: 96KB
MD5: 9fbea232a764499d46084b22629f2dd9
SHA1: 7451003f3d62beee43193b6822dc8eeefc4f9e72
SHA256: b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142
SHA512: 669575d4e135b2519cceeaf00a25878ecc54f8972c90fc65301f929e8220b7fffd2d6c0869f7d9a2bfef3f31040767a6a16c028bf833bc22419321824ef2ed3d
SSDEEP: 3072:BftffjmNrcc26D7nt0lv8ecxrNDcyplEmns/5jA4ZE1F:JVfjmNgc29irNDcyplEmKpRaH
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID 220   Logo1_.exe
  PID 4984  b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by Logo1_.exe, one entry per drive root:
  \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
That is every letter from E: to Z: except F:; the log shows no probe of A:, B:, D: or F:, and C: is excluded by the signature definition. Probing every drive root in turn is how a file infector finds removable and network volumes to spread to.
Drops file in Program Files directory (64 IoCs)
All 64 entries are by Logo1_.exe. 63 of them are _desktop.ini files created or rewritten in directories under C:\Program Files and C:\Program Files (x86), including WindowsApps package folders; the one exception is an existing executable, C:\Program Files\Java\jre-1.8\bin\orbd.exe, opened for modification. Entries in the order logged:
File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\_desktop.ini
File opened for modification  C:\Program Files\Java\jre-1.8\bin\orbd.exe
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\_desktop.ini
File opened for modification  C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sv-se\_desktop.ini
File created                  C:\Program Files (x86)\Windows Media Player\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\he-il\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sk-sk\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kk-KZ\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\images\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\_desktop.ini
File opened for modification  C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini
File created                  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\_desktop.ini
File created                  C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\css\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\_desktop.ini
File created                  C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini
File created                  C:\Program Files\Java\jre-1.8\_desktop.ini
File created                  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Content\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\_desktop.ini
File opened for modification  C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\_desktop.ini
File opened for modification  C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini
Drops file in Windows directory (4 IoCs)
File created                  C:\Windows\rundl132.exe   b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
File created                  C:\Windows\Logo1_.exe     b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
File opened for modification  C:\Windows\rundl132.exe   Logo1_.exe
File created                  C:\Windows\vDll.dll       Logo1_.exe
The original sample drops rundl132.exe and Logo1_.exe into C:\Windows; Logo1_.exe then rewrites rundl132.exe and adds vDll.dll. Note the spelling of rundl132.exe ("rundl", the digit 1, "32"): it is chosen to pass for the legitimate rundll32.exe in a process or directory listing, so match on the exact bytes of the name when hunting for it rather than on what it looks like.
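The three file-system signatures above (drive-root probing, mass _desktop.ini seeding under Program Files, writes into C:\Windows and the rewrite of an existing executable) are each weak on their own and strong together. The following is an added example, not part of the original report and not the sandbox's own scoring logic: it parses lines in the report's "<description> <path> <process>" format, aggregates per process, and applies the heuristics. The event lines are constructed from a handful of the entries above plus one benign line; the two fan-out thresholds are assumptions.

```python
"""Heuristics over file-system IoCs in the sandbox's "<description> <path> <process>" format.

Added example for this page; not the sandbox's scoring logic. The event lines are
constructed from a few of the report's entries plus one benign line, and the two
fan-out thresholds are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample input (subset of the report's entries + one benign line).
SAMPLE_EVENTS = [
    r"File opened (read-only) \??\E: Logo1_.exe",
    r"File opened (read-only) \??\G: Logo1_.exe",
    r"File opened (read-only) \??\Z: Logo1_.exe",
    r"File created C:\Program Files (x86)\Windows Media Player\_desktop.ini Logo1_.exe",
    r"File created C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini Logo1_.exe",
    r"File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\_desktop.ini Logo1_.exe",
    r"File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe Logo1_.exe",
    r"File created C:\Program Files\Java\jre-1.8\_desktop.ini Logo1_.exe",
    r"File created C:\Windows\vDll.dll Logo1_.exe",
    r"File created C:\Users\Admin\Documents\notes.txt notepad.exe",  # constructed benign line
]

# Assumed thresholds: a legitimate installer rarely probes many drive roots or
# seeds _desktop.ini across many unrelated directories.
DRIVE_FANOUT_THRESHOLD = 3
DESKTOP_INI_FANOUT_THRESHOLD = 3


class FileEvent(NamedTuple):
    action: str    # "created", "opened for modification" or "opened (read-only)"
    path: str
    process: str   # image name; never contains spaces in this format


_LINE = re.compile(r"^File (created|opened for modification|opened \(read-only\)) (.+) (\S+)$")
_DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")   # NT path of a bare drive root, e.g. \??\G:


def parse(lines: List[str]) -> List[FileEvent]:
    """Parse report-style lines; lines that do not fit are skipped rather than guessed at."""
    events = []
    for line in lines:
        m = _LINE.match(line.strip())
        if m:
            events.append(FileEvent(m.group(1), m.group(2), m.group(3)))
    return events


def split_path(path: str):
    """(lower-cased directory, lower-cased file name) for a backslash-separated path."""
    head, _, tail = path.rpartition("\\")
    return head.lower(), tail.lower()


def summarize(events: List[FileEvent]) -> Dict[str, dict]:
    """Per-process counters for the four behaviours the report attributes to Logo1_.exe."""
    out = defaultdict(lambda: {"drives": set(), "desktop_ini_dirs": set(),
                               "exe_modified": [], "windows_dir_writes": []})
    for ev in events:
        rec = out[ev.process]
        drive = _DRIVE_ROOT.match(ev.path)
        if drive:
            rec["drives"].add(drive.group(1).upper())
            continue
        directory, name = split_path(ev.path)
        if name == "_desktop.ini":
            rec["desktop_ini_dirs"].add(directory)
        if ev.action == "opened for modification" and name.endswith((".exe", ".dll")):
            rec["exe_modified"].append(ev.path)       # an existing binary was rewritten
        if directory == r"c:\windows" or directory.startswith("c:\\windows\\"):
            rec["windows_dir_writes"].append(ev.path)
    return out


def verdicts(events: List[FileEvent]) -> Dict[str, List[str]]:
    """{process: [reasons]} for every process that trips at least one heuristic."""
    findings = {}
    for proc, rec in summarize(events).items():
        reasons = []
        if len(rec["drives"]) >= DRIVE_FANOUT_THRESHOLD:
            reasons.append(f"probed {len(rec['drives'])} drive roots")
        if len(rec["desktop_ini_dirs"]) >= DESKTOP_INI_FANOUT_THRESHOLD:
            reasons.append(f"_desktop.ini written to {len(rec['desktop_ini_dirs'])} directories")
        if rec["exe_modified"]:
            reasons.append("rewrote existing binaries: " + ", ".join(rec["exe_modified"]))
        if rec["windows_dir_writes"]:
            reasons.append("wrote into C:\\Windows: " + ", ".join(rec["windows_dir_writes"]))
        if reasons:
            findings[proc] = reasons
    return findings


if __name__ == "__main__":
    for proc, reasons in verdicts(parse(SAMPLE_EVENTS)).items():
        print(proc)
        for r in reasons:
            print("  -", r)
```

On the constructed input only Logo1_.exe is reported, with all four reasons; the benign notepad.exe line produces nothing. Run against the full IoC lists above, the _desktop.ini fan-out for Logo1_.exe would be 63 directories and the drive count 21.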
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID 220  Logo1_.exe  (the same process, logged 20 times)
Suspicious use of WriteProcessMemory (17 IoCs)
Each row is "source PID wrote to memory of target PID"; the last column is the sandbox's own process index for the target (procid_target), not a Windows PID. Target names are taken from the process tree below.
  1680 (b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe) -> 1628 (cmd.exe),        procid_target 82, logged 3 times
  1680 (b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe) -> 220 (Logo1_.exe),      procid_target 83, logged 3 times
  220  (Logo1_.exe) -> 4744 (net.exe),        procid_target 84, logged 3 times
  4744 (net.exe)    -> 1888 (net1.exe),       procid_target 87, logged 3 times
  1628 (cmd.exe)    -> 4984 (b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe), procid_target 88, logged 3 times
  220  (Logo1_.exe) -> 3360 (Explorer.EXE),   procid_target 55, logged 2 times
The first five rows are parent-to-child writes that coincide with process creation. The last row is the one write into a process Logo1_.exe did not spawn: Explorer.EXE, the root of the tree, which is the row worth following up as possible code injection.
Processes
Indentation shows the parent/child relationship; each line gives the image path, the command line where it differs, the PID, and the signatures raised by that process.
C:\Windows\Explorer.EXE  (PID 3360)
  C:\Users\Admin\AppData\Local\Temp\b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe"  (PID 1680)
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49AB.bat  (PID 1628)
      signatures: Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe"  (PID 4984)
        signatures: Executes dropped EXE (the file at this path was written during the run before this second launch)
    C:\Windows\Logo1_.exe  (PID 220)
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"  (PID 4744)
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"  (PID 1888)
Two things to read off this tree. First, the command lines say system32 but the images resolve to SysWOW64: the sample is a 32-bit executable and WOW64 file-system redirection is in effect for everything it spawns. Second, the sample does not run its payload directly; it drops Logo1_.exe and a batch file, lets Logo1_.exe carry out the infection and the net stop against the Kingsoft antivirus service, and relaunches itself from the batch file so the user sees the original program start.
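Three of the chain's features are cheap to detect from process-creation telemetry: a process relaunched with the same image as its grandparent through cmd.exe running a .bat out of a Temp directory, net.exe / net1.exe stopping a service whose name identifies a security product, and a dropped file whose name imitates a system binary by swapping a digit for a letter (rundl132.exe for rundll32.exe). The following is an added example for this page, not the sandbox's own logic: the event tuples are constructed from the PIDs and command lines in the tree above (Explorer's parent is not in the report, so 0 stands in for it); the security-product keyword list, the confusable-character map and the system-binary list are assumptions.

```python
"""Process-tree heuristics for the chain above: sample -> cmd.exe /c <Temp>\*.bat -> sample,
Logo1_.exe -> net.exe stop "<AV service>" -> net1.exe, and dropped names that imitate
system binaries (rundl132.exe vs rundll32.exe).

Added example for this page, not the sandbox's own logic. Event tuples are constructed from
the report's process tree; the keyword list, confusable map and system-binary list are assumptions.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str     # image path
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe")

# Constructed from the report's process tree (PIDs as logged; Explorer's parent is not
# in the report, so 0 is used as a placeholder).
TREE = [
    ProcEvent(3360, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1680, 3360, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1628, 1680, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49AB.bat"),
    ProcEvent(4984, 1628, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(220, 1680, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(4744, 220, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(1888, 4744, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]
# From the "Drops file in Windows directory" section of the report.
DROPPED_IN_WINDOWS = ["rundl132.exe", "Logo1_.exe", "vDll.dll"]

SECURITY_KEYWORDS = ("antivirus", "anti-virus", "defender", "security", "protection")  # assumption
_NET_STOP = re.compile(r'(?:^|\\)net1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def stopped_security_service(cmdline: str) -> Optional[str]:
    """Service name if cmdline is `net stop`/`net1 stop` of a security product, else None."""
    m = _NET_STOP.search(cmdline)
    if not m:
        return None
    service = m.group(1)
    flat = service.lower().replace(" ", "")
    return service if any(k in flat for k in SECURITY_KEYWORDS) else None


# Digit-for-letter swaps that survive a casual glance at a file name (assumed map).
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "5": "s"})
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "explorer.exe", "winlogon.exe"}  # assumed list


def confusable_system_name(filename: str) -> Optional[str]:
    """The system binary a file name imitates after undoing digit/letter swaps, or None."""
    low = filename.lower()
    if low in SYSTEM_BINARIES:
        return None            # the genuine name, not an imitation
    normalised = low.translate(CONFUSABLE)
    return normalised if normalised in SYSTEM_BINARIES else None


def relaunched_via_temp_batch(tree: List[ProcEvent]) -> List[int]:
    """PIDs whose image equals their grandparent's image and whose parent is cmd.exe
    running a .bat out of a Temp directory (the sample -> cmd -> sample chain)."""
    by_pid = {e.pid: e for e in tree}
    hits = []
    for ev in tree:
        parent = by_pid.get(ev.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        if not grand:
            continue
        pcmd = parent.cmdline.lower()
        if (parent.image.lower().endswith("\\cmd.exe") and ".bat" in pcmd
                and "\\temp\\" in pcmd and ev.image.lower() == grand.image.lower()):
            hits.append(ev.pid)
    return hits


def triage(tree: List[ProcEvent], dropped_names: List[str]) -> Dict[str, list]:
    """Run the three heuristics and collect hits keyed by heuristic name."""
    findings = {"av_stopped": [], "confusable_names": [],
                "relaunch_via_batch": relaunched_via_temp_batch(tree)}
    for ev in tree:
        service = stopped_security_service(ev.cmdline)
        if service:
            findings["av_stopped"].append((ev.pid, service))
    for name in dropped_names:
        target = confusable_system_name(name)
        if target:
            findings["confusable_names"].append((name, target))
    return findings


if __name__ == "__main__":
    for key, value in triage(TREE, DROPPED_IN_WINDOWS).items():
        print(f"{key}: {value}")
```

Both net.exe (PID 4744) and net1.exe (PID 1888) are reported for the service stop, since net.exe hands the real work to net1.exe and either command line may be the only one a given sensor records; the relaunch heuristic fires on PID 4984 only, and of the three dropped names only rundl132.exe resolves to a system binary.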
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path recorded)  Filesize 251KB
  MD5: a33a8079a96b84fb107ee4603ea5a431
  SHA1: 4d57eace6522d58ce571c31103ce1335cac7a334
  SHA256: 3ca9dbf486bbdef38ddf2102a532563ab20f4d767c5e6228f39e606e626e76d8
  SHA512: 29ec766ea39de2e24661a6444590fcd3421dfaf8e2f9edc6b7420331b455e9726759add01d9f53862341b7563042f089c64703edfcc38afa5f26e1e4bb64709b
(no path recorded)  Filesize 570KB
  MD5: 30008560b9177bfb052f3a9762fdeae3
  SHA1: f2efbe2b8d8cdc97929a61e68aea51b7e1b1a255
  SHA256: 7df732e0ff8923eab2f1206791b2a9b88d834fc10333dbde8f4ed8c47b23f3fe
  SHA512: 7468e1f8e8acd12dd0a97d21350cf5e6fe0463819bdd897a5158bce5186757189b363c4b2b926c048548a3fb76f415b4635e11ad50912da0ac3a57e0922f4b0b
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe  Filesize 636KB
  MD5: 2500f702e2b9632127c14e4eaae5d424
  SHA1: 8726fef12958265214eeb58001c995629834b13a
  SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
  SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c
(no path recorded)  Filesize 722B
  MD5: 0a73c915a399614347238e18eef84530
  SHA1: 13c0aed5194bd9ba5903c5afa96dfe6fac1bfdd3
  SHA256: 48237b5a955f9b90c06a52c0bc269a8210c718e2d4b8482f4473c58a3a7ca0aa
  SHA512: b64279e7fd457d7d740567374f019b35022b69a2629ec3c6036ade3a34d67f00d3f3732ab7dcbe4cac892091cc6ab3d830c78eac88038215410490fc233d8dc4
C:\Users\Admin\AppData\Local\Temp\b81a7dba533651bdd9164ddc8b0a9168c5bd4c4e17995b0c94832c2d19879142.exe.exe  Filesize 69KB
  MD5: b74d8eadf894a17d2d9280d2aba9e718
  SHA1: 03ee3be120a52750e0858f837440858d2af5534b
  SHA256: a32980008050dec43ec7e5610b8edea436d8b750b42b0e2112b2275af610c63b
  SHA512: 319b11cdc1952842f48df4e8d2dec0fe54f08a41cc7a2d249d64a00ea989047ec12281e78cdb7c1bbd6c406b6d107e36a9cca02621d068808dec94d2d707c693
(no path recorded)  Filesize 26KB
  MD5: 2fa7d646424dcabdc763a482ed72338a
  SHA1: 2917f669560129d017d689b255ff05b848a6fcd0
  SHA256: b6e3f8544ab9ccaaf1cb6cc51639b7173edb46f7fc186b908d8bcd50b731da69
  SHA512: 02230628e90c8ae3397fa1c1908c9d4d27c112c7986ab6630608ce16054b1731bb06f3a129657c25a32214bd2451fe36b3f0e649073f5b8b6c86dca42d4b317b
(no path recorded)  Filesize 9B
  MD5: 4f2460b507685f7d7bfe6393f335f1c9
  SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
  SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
  SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb