Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 17:36
Static task: static1
Behavioral task: behavioral1
Sample: c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
Resource: win10v2004-20240226-en
General
Target: c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
Size: 1.2MB
MD5: e64216cb5d54d2e626b33052517dcc2a
SHA1: a68915744162197ffd42cdc373944b6b4cb739aa
SHA256: c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34
SHA512: 4730d03a44d9ebd6e45a7604cbb3e9464883ffe0171e425311e2990fcc2081c003d5be86d9edab46548a0f38839de360ae6e024e9f35b7d28f23c97c56149c49
SSDEEP: 24576:x7gaWLpaiGhP1x+96UBz1ViIhTj4OHAeTkuppyLELJt/8Vh2zcxZ7W9c1SoNN0y7:x7gajiI1k9/H9SOHAmkVLk8H2GpXSyx
Malware Config
Signatures
Deletes itself (1 IoC)
Processes: pid 2124 cmd.exe
Executes dropped EXE (2 IoCs)
Processes:
pid 2612 Logo1_.exe
pid 2824 c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
Loads dropped DLL (1 IoC)
Processes: pid 2124 cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
File opened (read-only) by Logo1_.exe: \??\Y:, \??\W:, \??\T:, \??\X:, \??\S:, \??\O:, \??\N:, \??\I:, \??\E:, \??\Z:, \??\U:, \??\R:, \??\P:, \??\M:, \??\L:, \??\V:, \??\Q:, \??\K:, \??\J:, \??\H:, \??\G:
Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe (files created and opened for modification under C:\Program Files and C:\Program Files (x86))
Drops file in Windows directory (4 IoCs)
Processes:
File created C:\Windows\rundl132.exe by c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
File created C:\Windows\Logo1_.exe by c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
File created C:\Windows\vDll.dll by Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: pid 2612 Logo1_.exe (10 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: pid 2824 c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes (source pid, source process, target pid, target process, number of events):
PID 2204 c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe wrote to memory of PID 2124 cmd.exe (4 events)
PID 2204 c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe wrote to memory of PID 2612 Logo1_.exe (4 events)
PID 2612 Logo1_.exe wrote to memory of PID 2760 net.exe (4 events)
PID 2124 cmd.exe wrote to memory of PID 2824 c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe (7 events)
PID 2760 net.exe wrote to memory of PID 2480 net1.exe (4 events)
PID 2612 Logo1_.exe wrote to memory of PID 1344 Explorer.EXE (2 events)
Processes
C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
PID 1344
    C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe"
    PID 2204
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6AE3.bat
        PID 2124
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe"
            PID 2824
            - Executes dropped EXE
            - Suspicious behavior: GetForegroundWindowSpam
        C:\Windows\Logo1_.exe
        command line: C:\Windows\Logo1_.exe
        PID 2612
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\net.exe
            command line: net stop "Kingsoft AntiVirus Service"
            PID 2760
            - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\net1.exe
                command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                PID 2480
Network
MITRE ATT&CK Enterprise v15