Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 18:36
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
  Resource: win7-20231129-en
- Behavioral task: behavioral2
  Sample: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
  Resource: win10v2004-20240226-en
General
- Target: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
- Size: 694KB
- MD5: 54fe70bf380d8e2fa31ce15b0dc15bf4
- SHA1: f8d5f8c6096273233a1b19ffd96fa6c321d7ac30
- SHA256: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be
- SHA512: 49c034b64bfd0c0714fc79d2dd3b8ad115756fc2872ff7d3a826d04da4e81c362152737aaba5ba41e36c3f3034731c0525366d9438cf0dc089b3a1e6b3e8459c
- SSDEEP: 12288:A7+fNcKAEJ6RLtx4c8PF39A55nJTuxGfqseVF+J92QpCgGy9RTPq6xy3NhYhYUnX:A7iNcKAEJ6Rpx4c8PF39A55nJMGfqsem
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes (pid | process):
  1580 | cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  3008 | Logo1_.exe
  2656 | 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1580 | cmd.exe
  1580 | cmd.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Logo1_.exe
  description | ioc | process
  File opened (read-only) | \??\R: | Logo1_.exe
  File opened (read-only) | \??\N: | Logo1_.exe
  File opened (read-only) | \??\K: | Logo1_.exe
  File opened (read-only) | \??\P: | Logo1_.exe
  File opened (read-only) | \??\O: | Logo1_.exe
  File opened (read-only) | \??\E: | Logo1_.exe
  File opened (read-only) | \??\X: | Logo1_.exe
  File opened (read-only) | \??\W: | Logo1_.exe
  File opened (read-only) | \??\V: | Logo1_.exe
  File opened (read-only) | \??\U: | Logo1_.exe
  File opened (read-only) | \??\T: | Logo1_.exe
  File opened (read-only) | \??\G: | Logo1_.exe
  File opened (read-only) | \??\Z: | Logo1_.exe
  File opened (read-only) | \??\S: | Logo1_.exe
  File opened (read-only) | \??\M: | Logo1_.exe
  File opened (read-only) | \??\L: | Logo1_.exe
  File opened (read-only) | \??\J: | Logo1_.exe
  File opened (read-only) | \??\Y: | Logo1_.exe
  File opened (read-only) | \??\Q: | Logo1_.exe
  File opened (read-only) | \??\I: | Logo1_.exe
  File opened (read-only) | \??\H: | Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: Logo1_.exe
  description | ioc | process
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE | Logo1_.exe
  File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Journal\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\7-Zip\Lang\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Reference Assemblies\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpshare.exe | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\_desktop.ini | Logo1_.exe
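Two patterns stand out in the list above: Logo1_.exe writes a file named `_desktop.ini` (underscore-prefixed; the legitimate shell file is `desktop.ini`) into many application directories, and it opens installed executables (java-rmi.exe, kinit.exe, SCANPST.EXE, unpack200.exe, tnameserv.exe, wmpshare.exe, javaw.exe) for modification. The following is an added host-side hunt for those two patterns; it is example code, not the sandbox's, and it makes no claim about how this sample alters the executables it opens. It walks a directory tree, reports every `_desktop.ini`, and reports every .exe/.dll whose SHA-256 differs from a baseline taken from a clean host or gold image. The helper names, the baseline-comparison approach and the temporary-directory scenario in `demo()` are the example's own assumptions.

```python
"""Host-side hunt for the file-system markers shown in the report (added example).

Hypothetical helper, not the sandbox's code. It reports every "_desktop.ini"
(the underscore-prefixed name Logo1_.exe writes) and every executable whose
SHA-256 no longer matches a caller-supplied known-good baseline.
"""
import hashlib
import os
import tempfile

MARKER_NAME = "_desktop.ini"          # taken from the report's IoC list
PE_EXTENSIONS = (".exe", ".dll")


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _rel(full, root):
    return os.path.relpath(full, root).replace(os.sep, "/")


def baseline_of(root):
    """Snapshot {relative path: sha256} of every PE under root (take it from a clean host)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PE_EXTENSIONS):
                full = os.path.join(dirpath, name)
                baseline[_rel(full, root)] = sha256_of(full)
    return baseline


def hunt(root, baseline):
    """Return {"markers": [...], "modified": [...], "unbaselined": [...]}.

    PEs absent from the baseline are listed separately instead of being
    skipped: a newly dropped binary (the report shows new files under
    C:\\Windows) belongs in "unbaselined", not in "modified".
    """
    findings = {"markers": [], "modified": [], "unbaselined": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = _rel(full, root)
            if name.lower() == MARKER_NAME:
                findings["markers"].append(rel)
            elif name.lower().endswith(PE_EXTENSIONS):
                expected = baseline.get(rel)
                if expected is None:
                    findings["unbaselined"].append(rel)
                elif sha256_of(full) != expected:
                    findings["modified"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def demo():
    """Constructed scenario: baseline a small tree, then mutate it the way the IoCs look."""
    with tempfile.TemporaryDirectory() as root:
        jdk_bin = os.path.join(root, "Java", "jdk1.7.0_80", "bin")
        lang = os.path.join(root, "7-Zip", "Lang")
        os.makedirs(jdk_bin)
        os.makedirs(lang)
        for name in ("java-rmi.exe", "kinit.exe"):
            with open(os.path.join(jdk_bin, name), "wb") as f:
                f.write(b"MZ" + bytes(62))      # stand-in PE image (constructed)
        with open(os.path.join(lang, "en.txt"), "w") as f:
            f.write("clean data file\n")
        known_good = baseline_of(root)

        # Simulated post-infection state (constructed, not this sample's real
        # mechanism): a marker appears, one PE's bytes change, a new PE is dropped.
        open(os.path.join(lang, MARKER_NAME), "w").close()
        with open(os.path.join(jdk_bin, "java-rmi.exe"), "ab") as f:
            f.write(b"\x90" * 16)
        with open(os.path.join(root, "vDll.dll"), "wb") as f:
            f.write(b"MZ")
        return hunt(root, known_good)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Run `hunt(r"C:\Program Files", baseline)` with a baseline captured from a known-clean machine of the same build; the "unbaselined" bucket is where a dropped binary such as the report's C:\Windows\vDll.dll would appear if the walk is pointed at C:\Windows.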
- Drops file in Windows directory (4 IoCs)
  Processes: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe, Logo1_.exe
  description | ioc | process
  File created | C:\Windows\rundl132.exe | 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
  File created | C:\Windows\Logo1_.exe | 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\vDll.dll | Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid | process):
  3008 | Logo1_.exe (10 occurrences)
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe, Logo1_.exe, cmd.exe, net.exe
  description | pid | process | target process
  PID 1752 wrote to memory of 1580 | 1752 | 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe | cmd.exe (4 occurrences)
  PID 1752 wrote to memory of 3008 | 1752 | 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe | Logo1_.exe (4 occurrences)
  PID 3008 wrote to memory of 2540 | 3008 | Logo1_.exe | net.exe (4 occurrences)
  PID 1580 wrote to memory of 2656 | 1580 | cmd.exe | 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe (4 occurrences)
  PID 2540 wrote to memory of 2600 | 2540 | net.exe | net1.exe (4 occurrences)
  PID 3008 wrote to memory of 1400 | 3008 | Logo1_.exe | Explorer.EXE (2 occurrences)
Processes
- C:\Windows\Explorer.EXE (depth 1, PID 1400)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe (depth 2, PID 1752)
    command line: "C:\Users\Admin\AppData\Local\Temp\9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1580)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1748.bat
      signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe (depth 4, PID 2656)
        command line: "C:\Users\Admin\AppData\Local\Temp\9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe"
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (depth 3, PID 3008)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (depth 4, PID 2540)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (depth 5, PID 2600)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
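A triage pass over the signatures and process tree above, added here as an example (hypothetical code, not the sandbox's own parser or output format). It rebuilds parent/child relations from the process tree, separates the ordinary parent-to-child memory writes (a parent populating a child it just created) from the write into the already running Explorer.EXE (PID 1400, which Logo1_.exe did not spawn), extracts the service stopped through net.exe/net1.exe, and buckets the file IoCs into `_desktop.ini` markers, installed executables opened for modification, and new files under C:\Windows. The IoC lines, process tree and command lines are transcribed from this report (a subset, one line per distinct event); the function names, regexes and alert wording are the example's own assumptions.

```python
"""Triage of the behavioural signatures in this report (added example).

Hypothetical triage code, not the sandbox's parser or output format.
The constants below are transcribed from the report for this sample.
"""
import re

SAMPLE = "9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (pid, parent pid, image) from the process tree; Explorer.EXE is the root.
PROCESS_TREE = [
    (1400, None, r"C:\Windows\Explorer.EXE"),
    (1752, 1400, TEMP + "\\" + SAMPLE),
    (1580, 1752, r"C:\Windows\SysWOW64\cmd.exe"),
    (2656, 1580, TEMP + "\\" + SAMPLE),
    (3008, 1752, r"C:\Windows\Logo1_.exe"),
    (2540, 3008, r"C:\Windows\SysWOW64\net.exe"),
    (2600, 2540, r"C:\Windows\SysWOW64\net1.exe"),
]
COMMAND_LINES = {
    1580: "cmd /c " + TEMP + r"\$$a1748.bat",
    2540: 'net stop "Kingsoft AntiVirus Service"',
    2600: r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
}
# IoC lines in the report's own wording (constructed subset, one per distinct event).
IOC_LINES = [
    f"PID 1752 wrote to memory of 1580 1752 {SAMPLE} cmd.exe",
    f"PID 1752 wrote to memory of 3008 1752 {SAMPLE} Logo1_.exe",
    "PID 3008 wrote to memory of 2540 3008 Logo1_.exe net.exe",
    f"PID 1580 wrote to memory of 2656 1580 cmd.exe {SAMPLE}",
    "PID 2540 wrote to memory of 2600 2540 net.exe net1.exe",
    "PID 3008 wrote to memory of 1400 3008 Logo1_.exe Explorer.EXE",
    rf"File created C:\Windows\rundl132.exe {SAMPLE}",
    rf"File created C:\Windows\Logo1_.exe {SAMPLE}",
    r"File created C:\Windows\vDll.dll Logo1_.exe",
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe Logo1_.exe",
    r"File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE Logo1_.exe",
    r"File created C:\Program Files\7-Zip\Lang\_desktop.ini Logo1_.exe",
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) ")
FILE_RE = re.compile(r"^File (created|opened for modification) (.+) (\S+)$")
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)


def memory_writes(lines):
    """Distinct (writer pid, target pid) pairs from WriteProcessMemory IoCs."""
    return sorted({(int(m[1]), int(m[2])) for m in map(WRITE_RE.match, lines) if m})


def injection_candidates(writes, tree):
    """Writes into a process the writer did not create (the injection signal);
    a parent writing into the child it just spawned is normal start-up."""
    parent = {pid: ppid for pid, ppid, _ in tree}
    image = {pid: img for pid, _, img in tree}
    return [(w, t, image.get(t, "?")) for w, t in writes if parent.get(t) != w]


def stopped_services(command_lines):
    """(pid, service name) for every net/net1 'stop' command line."""
    found = []
    for pid, cmd in sorted(command_lines.items()):
        m = NET_STOP_RE.search(cmd)
        if m:
            found.append((pid, m[1] or m[2]))
    return found


def file_findings(lines):
    """Bucket file IoCs: marker files, PEs opened for write, new files in C:\\Windows."""
    out = {"markers": [], "modified_pe": [], "windows_drops": []}
    for m in filter(None, map(FILE_RE.match, lines)):
        action, path, _proc = m.groups()
        low = path.lower()
        if low.endswith("\\_desktop.ini"):
            out["markers"].append(path)
        elif action == "opened for modification" and low.endswith((".exe", ".dll")):
            out["modified_pe"].append(path)
        elif action == "created" and low.startswith("c:\\windows\\"):
            out["windows_drops"].append(path)
    return out


def triage(lines=IOC_LINES, tree=PROCESS_TREE, command_lines=COMMAND_LINES):
    writes = memory_writes(lines)
    result = {
        "injection": injection_candidates(writes, tree),
        "services_stopped": stopped_services(command_lines),
        "files": file_findings(lines),
    }
    alerts = [f"PID {w} wrote into unrelated process {t} ({img}): injection candidate"
              for w, t, img in result["injection"]]
    alerts += [f"PID {pid} stops service '{svc}': security tooling tamper"
               for pid, svc in result["services_stopped"]]
    if result["files"]["modified_pe"]:
        alerts.append(f"{len(result['files']['modified_pe'])} installed PEs opened for modification: file-infector pattern")
    result["alerts"] = alerts
    return result


if __name__ == "__main__":
    for alert in triage()["alerts"]:
        print(alert)
```

Of the six distinct memory writes, five have a CreateProcess explanation (the target is the writer's direct child in the tree); the write from Logo1_.exe (3008) into Explorer.EXE (1400) is the one without, which is why it is the first thing to pull memory from on a live host.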
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 251KB
  MD5: baefd80d920c46144c270e5bc13ce8f9
  SHA1: a9dfeeaea77073b1f031a94457e1b436795c2230
  SHA256: 908015e6f4700ed4fe9817143e5afc0d3bd6820692fabc15df0a7c480a6b4754
  SHA512: e363bf05e54048637ca57c4d0ae7da4b8f061098a04a8d8a85d5fd24bc52757901db9c9c14bebd2f57e2e51e1d365bf10f4ef88acd1bc27e1ec4fc8004ebc25b
- Filesize: 471KB
  MD5: 4cfdb20b04aa239d6f9e83084d5d0a77
  SHA1: f22863e04cc1fd4435f785993ede165bd8245ac6
  SHA256: 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
  SHA512: 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86
- Filesize: 722B
  MD5: c96b99086956f8e73bf433bb66e8b433
  SHA1: f4ea4e6f6b03ae379111a4931c9e97759cf340fe
  SHA256: f6001c1e6c27d28b1581bec90d62430cdd87f2cb354f02a8d7fad6e5d3dc5d88
  SHA512: 1dad084196b9454da91ca162446953c6e3588c8c36c77a1525d26dd947445d9aa577fcf61213e1c17e11ece5861975005a657ff6b4de3d71d69c02ec0ae07e01
- C:\Users\Admin\AppData\Local\Temp\9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe.exe
  Filesize: 667KB
  MD5: c904e884cc991c35da2f09423322c6a5
  SHA1: 65c1ed3c9177f8a1d61a6fc52b46361434e34187
  SHA256: 25673cd4933a85bc98db759d37a2aecdbf06aff2cd3045be8b3f7e0593d35366
  SHA512: 773408889e3d3c6ef7772509ac648d4ed9a2c24588041dc406910dddc66e69b8120244b7bd69af5d3ad7101010de9f60c8bf3071492ae89b75bc925d52870b52
- Filesize: 26KB
  MD5: d49b1ebb885d8df62f516abeaf81eb8d
  SHA1: b35b293a2b9aae438e3fe7a63c695d74767d2d5d
  SHA256: 9a9ebdf3d499ba4b221c15f154018f0fe6d5f97bfdd924d9a7b5aad9d1e39827
  SHA512: 2af67b0693f1215cedfab5f078d7e349ac282d32c5b4e3654e3feeb110ab410bc84d79ebba61f6314aae1c6cc69929a2a0177cdfea37dce9e4745289994c6d5c
- Filesize: 9B
  MD5: 4f2460b507685f7d7bfe6393f335f1c9
  SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
  SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
  SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb