Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 17:36

Static task: static1

Behavioral task: behavioral1
Sample: c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
Resource: win10v2004-20240226-en
General
Target: c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
Size: 1.2MB
MD5: e64216cb5d54d2e626b33052517dcc2a
SHA1: a68915744162197ffd42cdc373944b6b4cb739aa
SHA256: c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34
SHA512: 4730d03a44d9ebd6e45a7604cbb3e9464883ffe0171e425311e2990fcc2081c003d5be86d9edab46548a0f38839de360ae6e024e9f35b7d28f23c97c56149c49
SSDEEP: 24576:x7gaWLpaiGhP1x+96UBz1ViIhTj4OHAeTkuppyLELJt/8Vh2zcxZ7W9c1SoNN0y7:x7gajiI1k9/H9SOHAmkVLk8H2GpXSyx
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe, c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
pid | process
4480 | Logo1_.exe
1692 | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
description | ioc | process
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
description | ioc | process
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini | Logo1_.exe
File created | C:\Program Files\MSBuild\Microsoft\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ms-MY\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\EdgeWebView\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmprph.exe | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\View3d\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini | Logo1_.exe
- Drops file in Windows directory (4 IoCs)
Processes: Logo1_.exe, c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
description | ioc | process
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
File created | C:\Windows\Logo1_.exe | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes: Logo1_.exe
pid | process
4480 | Logo1_.exe (20 identical entries)
- Suspicious use of WriteProcessMemory (17 IoCs)
Processes: c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe, Logo1_.exe, net.exe, cmd.exe
description | pid | process | target process
PID 3352 wrote to memory of 2992 | 3352 | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe | cmd.exe
PID 3352 wrote to memory of 2992 | 3352 | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe | cmd.exe
PID 3352 wrote to memory of 2992 | 3352 | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe | cmd.exe
PID 3352 wrote to memory of 4480 | 3352 | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe | Logo1_.exe
PID 3352 wrote to memory of 4480 | 3352 | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe | Logo1_.exe
PID 3352 wrote to memory of 4480 | 3352 | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe | Logo1_.exe
PID 4480 wrote to memory of 2180 | 4480 | Logo1_.exe | net.exe
PID 4480 wrote to memory of 2180 | 4480 | Logo1_.exe | net.exe
PID 4480 wrote to memory of 2180 | 4480 | Logo1_.exe | net.exe
PID 2180 wrote to memory of 2216 | 2180 | net.exe | net1.exe
PID 2180 wrote to memory of 2216 | 2180 | net.exe | net1.exe
PID 2180 wrote to memory of 2216 | 2180 | net.exe | net1.exe
PID 2992 wrote to memory of 1692 | 2992 | cmd.exe | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
PID 2992 wrote to memory of 1692 | 2992 | cmd.exe | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
PID 2992 wrote to memory of 1692 | 2992 | cmd.exe | c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
PID 4480 wrote to memory of 3268 | 4480 | Logo1_.exe | Explorer.EXE
PID 4480 wrote to memory of 3268 | 4480 | Logo1_.exe | Explorer.EXE
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3268
  - C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe"
    PID: 3352
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEF71.bat
      PID: 2992
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe"
        PID: 1692
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 4480
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2180
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
  PID: 4376
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 251KB
  MD5: cafcc9d7c72ff567e107a878c793cf0e
  SHA1: 07d0589ee9faf37b77b47695f316d317baf81246
  SHA256: e850f4e1eff89030de3b4e1c529770ec3d102547699f5687699cc10042bca715
  SHA512: fe341d07fbe64548e5050c3294392848eaf28d975c7bf2ce41d57511d2bb45da05f6f53ae4c4871163f2000c64a721475a77daa5458f4c7de35d637654c7dd1b
- Filesize: 570KB
  MD5: 859572e823adf5ef7ff8ec5e740e7ce1
  SHA1: c09b84ef6f87adc56949b6efb4cb76ec57cf13b7
  SHA256: ef4902886e0e13f37c815cfbbfd13d3d8a6e891e0011fa1dce5cebcbc3a87df8
  SHA512: 05b66c66785bf27a27f201e1e0788e5476eae89cfc33c9f51d5f4d73bd106d4c9c8ef7da6261e8449cedf7a100e4665dfad3d202cfd104fbf567d80adbbcd9af
- Filesize: 722B
  MD5: 7b2095935b73831a334a9ef13e181089
  SHA1: 9c8cec5b0bcd3d4eac64e63118288d34607bea85
  SHA256: 15da5fccb36165a6d38aac5773a03db61a75ea82f1222c6471669b20940941e3
  SHA512: e8fbb9027657989d78680e6de8ebd3a55387e80fd1c7ba4886627e43d6c16422f79670fe238639bfe7d6267d126b8acd87a0e4968d68ae7e6b8b9c18d72bc8fb
- C:\Users\Admin\AppData\Local\Temp\c68b0aafb3aa63494c48a941cff07fe11d58370f2e2c1915fd2cb23f3658bd34.exe.exe
  Filesize: 1.1MB
  MD5: fabe184f6721e640474e1497c69ffc98
  SHA1: 2f23a6389470db5d0dd2095d64939657d8d3ea9d
  SHA256: 759aa04d5b03ebeee13ba01df554e8c962ca339c74f56627c8bed6984bb7ef80
  SHA512: 2924fd60f5dd636f643b68d402b65c2bfab5536122aa688ebba5ae142c7d04ce8b1c8e078f54db8adadce9d5c6fa74c0794604ecc16a4c5489f9ca70a6d9e1c4
- Filesize: 26KB
  MD5: 8ba3b10246e04d4b57287e690f77057b
  SHA1: 356eb7a62df1fdfb78711f5bb7d1347df5bbe797
  SHA256: 1c8c64333fcd85341531abb72c7673109683f519ae0e7fc228e51d9a082708cc
  SHA512: eb79e2861d0ebc95ca0b9db177770ebaf5ea528f98efb018a7bc57c576cff11f4a71bc047c047b3ee04314b821b8481f59bfb36d3449838ee2579d51f0e9bcf5
- Filesize: 9B
  MD5: 4f2460b507685f7d7bfe6393f335f1c9
  SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
  SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
  SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb