Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 13/06/2024, 04:36
Static task: static1
Behavioral task: behavioral1
  Sample: a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
  Resource: win10v2004-20240508-en
General
Target: a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
Size: 275KB
MD5: 80a879a0679ed4ec53fde4ff1b0cb978
SHA1: bbb4713485c283a9c7b2c565e69105a1075fcebe
SHA256: a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90
SHA512: eb5eab0e960e2d801cca2ae48ccb79f3ae256482e16873e33c64c637a41b5a33a4e98acc0d1b245404924628c4a72c0f1696a329f3589870cf01de19f52617fa
SSDEEP: 6144:0VfjmNSO94ruMQfK+4Z33Hs2t0EyL+ta+d:27+SiM1t9ERKE+d
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  2196  cmd.exe
Executes dropped EXE (3 IoCs)
  pid   Process
  2208  Logo1_.exe
  2600  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
  2832  Un_A.exe
Loads dropped DLL (6 IoCs)
  pid   Process
  2196  cmd.exe
  2600  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
  2832  Un_A.exe
  2832  Un_A.exe
  2832  Un_A.exe
  2832  Un_A.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\V:  Logo1_.exe
  File opened (read-only)  \??\T:  Logo1_.exe
  File opened (read-only)  \??\R:  Logo1_.exe
  File opened (read-only)  \??\L:  Logo1_.exe
  File opened (read-only)  \??\E:  Logo1_.exe
  File opened (read-only)  \??\X:  Logo1_.exe
  File opened (read-only)  \??\W:  Logo1_.exe
  File opened (read-only)  \??\N:  Logo1_.exe
  File opened (read-only)  \??\M:  Logo1_.exe
  File opened (read-only)  \??\I:  Logo1_.exe
  File opened (read-only)  \??\P:  Logo1_.exe
  File opened (read-only)  \??\O:  Logo1_.exe
  File opened (read-only)  \??\S:  Logo1_.exe
  File opened (read-only)  \??\Q:  Logo1_.exe
  File opened (read-only)  \??\J:  Logo1_.exe
  File opened (read-only)  \??\H:  Logo1_.exe
  File opened (read-only)  \??\G:  Logo1_.exe
  File opened (read-only)  \??\Y:  Logo1_.exe
  File opened (read-only)  \??\U:  Logo1_.exe
  File opened (read-only)  \??\Z:  Logo1_.exe
  File opened (read-only)  \??\K:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
  description  ioc  Process
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe  Logo1_.exe
  File created  C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Windows Mail\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Journal\PDIALOG.exe  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Mail\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Windows Mail\WinMail.exe  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Microsoft Games\Chess\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini  Logo1_.exe
Drops file in Windows directory (4 IoCs)
  description  ioc  Process
  File created  C:\Windows\rundl132.exe  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
  File created  C:\Windows\Logo1_.exe  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created  C:\Windows\vDll.dll  Logo1_.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Runs net.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid   Process
  2208  Logo1_.exe
  2208  Logo1_.exe
  2208  Logo1_.exe
  2208  Logo1_.exe
  2208  Logo1_.exe
  2208  Logo1_.exe
  2208  Logo1_.exe
  2208  Logo1_.exe
  2208  Logo1_.exe
  2208  Logo1_.exe
  2832  Un_A.exe
  2832  Un_A.exe
  2832  Un_A.exe
Suspicious use of WriteProcessMemory (26 IoCs)
  description  pid  Process  procid_target
  PID 1540 wrote to memory of 2196  1540  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  28
  PID 1540 wrote to memory of 2196  1540  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  28
  PID 1540 wrote to memory of 2196  1540  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  28
  PID 1540 wrote to memory of 2196  1540  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  28
  PID 1540 wrote to memory of 2208  1540  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  30
  PID 1540 wrote to memory of 2208  1540  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  30
  PID 1540 wrote to memory of 2208  1540  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  30
  PID 1540 wrote to memory of 2208  1540  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  30
  PID 2208 wrote to memory of 1876  2208  Logo1_.exe  31
  PID 2208 wrote to memory of 1876  2208  Logo1_.exe  31
  PID 2208 wrote to memory of 1876  2208  Logo1_.exe  31
  PID 2208 wrote to memory of 1876  2208  Logo1_.exe  31
  PID 2196 wrote to memory of 2600  2196  cmd.exe  33
  PID 2196 wrote to memory of 2600  2196  cmd.exe  33
  PID 2196 wrote to memory of 2600  2196  cmd.exe  33
  PID 2196 wrote to memory of 2600  2196  cmd.exe  33
  PID 1876 wrote to memory of 2664  1876  net.exe  34
  PID 1876 wrote to memory of 2664  1876  net.exe  34
  PID 1876 wrote to memory of 2664  1876  net.exe  34
  PID 1876 wrote to memory of 2664  1876  net.exe  34
  PID 2600 wrote to memory of 2832  2600  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  35
  PID 2600 wrote to memory of 2832  2600  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  35
  PID 2600 wrote to memory of 2832  2600  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  35
  PID 2600 wrote to memory of 2832  2600  a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe  35
  PID 2208 wrote to memory of 1348  2208  Logo1_.exe  21
  PID 2208 wrote to memory of 1348  2208  Logo1_.exe  21
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1348
  - C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 1540
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7AE.bat
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID: 2196
      - C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        PID: 2600
        - C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
          PID: 2832
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 2208
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 1876
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2664
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 251KB
  MD5: 8c76d8209d2e719930c9ba1c3aec96a4
  SHA1: 688649466318e5e496c8256fd3168039b3b330aa
  SHA256: ac040dc7f1ccb3b1a1a0ba7f57c5f1787081c64b56d3af79fdfc24aa69759a9f
  SHA512: 19744836971e4202ee281738f0b895e0b96150642499067e1b51a7434865be790f6a1c65f2163cdbd108adbc7f44ca812c6647eb1952a9925b152b13007ab269
- Filesize: 471KB
  MD5: 28f6479e5c0b7a32e8ae773b9221a22a
  SHA1: 882e24734f4d42c4e0b95bb695c921ee66ae2042
  SHA256: 5ec41e0b29c00dd288859df2f583b0e771c11c01d8fd519fe2bd8921b3bed4f3
  SHA512: d27c5c01bfe526652af0083bc17c4a3212fc00d594344b6a1a39999248623fba1ae14c79ec849c3567d1bf952cdf7e1e4fd5b22fde938227d89338529fb43685
- Filesize: 721B
  MD5: 6d47c60a07364dfdcf05ba7dc9b1c21d
  SHA1: d7959fa249615843a926c05e436136cf01310da0
  SHA256: 014d8485936d7c364c1554786f0e1dc478fc69445f5d874b193e56e2ba0a6549
  SHA512: 3c33e6ff222d41b0094604b91224eefe501ae3e706b9670f1c56c7ba388d7a8bdfa1794d3dae234ea2fa0a77c4b81f7d5254776226e18856c1498c6552e6f843
- C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe.exe
  Filesize: 248KB
  MD5: 47a6c51c0904f930c3ea2acd11843598
  SHA1: 66dbd0a1bef915d2efbf405b5da32a0eed93a62c
  SHA256: 4cb64e345f2ccf5bb6b3493dc55b11048ef249baed3645b09033758c652734af
  SHA512: 455d26fdaf4396106096c6e1698bf58864ffbff1b073adfafb2c8f66dbfcca502ce452011064bc4ccf38341b848cbd7b02a3471331356ffb8a117ec0bc1a428e
- Filesize: 4KB
  MD5: f0438a894f3a7e01a4aae8d1b5dd0289
  SHA1: b058e3fcfb7b550041da16bf10d8837024c38bf6
  SHA256: 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
  SHA512: f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7
- Filesize: 26KB
  MD5: 803416611d3ff9892e3e5c729d18a4cf
  SHA1: bc99a7db9810cc6c08c4c1eee041d666396a00a8
  SHA256: 44dd551c7c131158282194d127971c71fa4e16b60b526f3886427bdd1b52eae9
  SHA512: 02ad74b45ef2338c97df02d421951b43730531db1c9cc88e85ab294ebf94f7cd0f2991278a4e6e9c4af3dac0f7952e7f2ea09ed14a3ce6b16990371c3d5ec083
- Filesize: 9B
  MD5: 4f2460b507685f7d7bfe6393f335f1c9
  SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
  SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
  SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb
- Filesize: 100KB
  MD5: c6a6e03f77c313b267498515488c5740
  SHA1: 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
  SHA256: b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
  SHA512: 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
- Filesize: 12KB
  MD5: 0d7ad4f45dc6f5aa87f606d0331c6901
  SHA1: 48df0911f0484cbe2a8cdd5362140b63c41ee457
  SHA256: 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
  SHA512: c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- Filesize: 3KB
  MD5: 1cc7c37b7e0c8cd8bf04b6cc283e1e56
  SHA1: 0b9519763be6625bd5abce175dcc59c96d100d4c
  SHA256: 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
  SHA512: 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f