Analysis
- max time kernel: 154s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 18:36
Static task: static1
Behavioral task: behavioral1
- Sample: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
- Resource: win10v2004-20240226-en
General
- Target: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
- Size: 694KB
- MD5: 54fe70bf380d8e2fa31ce15b0dc15bf4
- SHA1: f8d5f8c6096273233a1b19ffd96fa6c321d7ac30
- SHA256: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be
- SHA512: 49c034b64bfd0c0714fc79d2dd3b8ad115756fc2872ff7d3a826d04da4e81c362152737aaba5ba41e36c3f3034731c0525366d9438cf0dc089b3a1e6b3e8459c
- SSDEEP: 12288:A7+fNcKAEJ6RLtx4c8PF39A55nJTuxGfqseVF+J92QpCgGy9RTPq6xy3NhYhYUnX:A7iNcKAEJ6Rpx4c8PF39A55nJMGfqsem
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
- PID 5076: Logo1_.exe
- PID 3396: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- Logo1_.exe opened (read-only) the drive roots \??\U:, \??\T:, \??\R:, \??\Q:, \??\O:, \??\J:, \??\G:, \??\E:, \??\Y:, \??\L:, \??\H:, \??\Z:, \??\W:, \??\V:, \??\S:, \??\P:, \??\N:, \??\K:, \??\I:, \??\X:, \??\M:
Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe (every entry below)
- File opened for modification: C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Trust Protection Lists\Mu\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\View3d\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\_desktop.ini
- File created: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\_desktop.ini
- File created: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\_desktop.ini
- File opened for modification: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini
- File created: C:\Program Files\dotnet\host\fxr\8.0.0\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\_desktop.ini
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\View3d\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\Locales\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-ae\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\_desktop.ini
- File opened for modification: C:\Program Files\Java\jre-1.8\bin\javaw.exe
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\msedge_proxy.exe
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\_desktop.ini
- File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\_desktop.ini
Drops file in Windows directory (4 IoCs)
Processes:
- File created: C:\Windows\vDll.dll (Logo1_.exe)
- File created: C:\Windows\rundl132.exe (9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe)
- File created: C:\Windows\Logo1_.exe (9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
- PID 5076: Logo1_.exe (20 occurrences)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe, Logo1_.exe, cmd.exe, net.exe
- PID 2432 (9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe) wrote to memory of PID 668 (cmd.exe), 3 times
- PID 2432 (9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe) wrote to memory of PID 5076 (Logo1_.exe), 3 times
- PID 5076 (Logo1_.exe) wrote to memory of PID 3496 (net.exe), 3 times
- PID 668 (cmd.exe) wrote to memory of PID 3396 (9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe), 3 times
- PID 3496 (net.exe) wrote to memory of PID 3000 (net1.exe), 3 times
- PID 5076 (Logo1_.exe) wrote to memory of PID 3372 (Explorer.EXE), 2 times
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3372
  - C:\Users\Admin\AppData\Local\Temp\9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 2432
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1836.bat
      Signatures: Suspicious use of WriteProcessMemory
      PID: 668
      - C:\Users\Admin\AppData\Local\Temp\9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9e2c235f77468ae3906a9c5cbe3ec043732e485492144e7636dbdd091e58b1be.exe"
        Signatures: Executes dropped EXE
        PID: 3396
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 5076
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 3496
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
  PID: 3148
Network
MITRE ATT&CK Enterprise v15
Downloads