Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 13-06-2024 18:36
Static task: static1
Behavioral task: behavioral1
  Sample: 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
  Resource: win10v2004-20240508-en
General
Target: 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
Size: 142KB
MD5: b2bfd79e5910e1f7bf1874b2b7c017aa
SHA1: ac6f97a6e24a2dc69496e7e7e3ec4e25a6d89c09
SHA256: 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56
SHA512: cd2ce937be65018de660ffc8026dc67e9c8dccdbb240773de46fd49e137d6731cb8f5744435f05f571552cdbef085489dde7f377f38d0b3d782f7ec4fd8b98ff
SSDEEP: 3072:hftffhJCuU7PQtDzrFJxMpakpk13nJKMpakpA8J+MpakpF13xJi1NAMpakp613mJ:pVfhgu1DnFJxJZ13nJKJf8J+Js13xJiq
Malware Config
Signatures
Deletes itself (1 IoC)
  Processes (pid | process):
    2340  cmd.exe
Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    2224  Logo1_.exe
    2868  008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    2340  cmd.exe
    2340  cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
    File opened (read-only)  \??\Z:  Logo1_.exe
    File opened (read-only)  \??\Y:  Logo1_.exe
    File opened (read-only)  \??\V:  Logo1_.exe
    File opened (read-only)  \??\T:  Logo1_.exe
    File opened (read-only)  \??\P:  Logo1_.exe
    File opened (read-only)  \??\E:  Logo1_.exe
    File opened (read-only)  \??\U:  Logo1_.exe
    File opened (read-only)  \??\O:  Logo1_.exe
    File opened (read-only)  \??\L:  Logo1_.exe
    File opened (read-only)  \??\K:  Logo1_.exe
    File opened (read-only)  \??\J:  Logo1_.exe
    File opened (read-only)  \??\R:  Logo1_.exe
    File opened (read-only)  \??\Q:  Logo1_.exe
    File opened (read-only)  \??\I:  Logo1_.exe
    File opened (read-only)  \??\G:  Logo1_.exe
    File opened (read-only)  \??\X:  Logo1_.exe
    File opened (read-only)  \??\W:  Logo1_.exe
    File opened (read-only)  \??\S:  Logo1_.exe
    File opened (read-only)  \??\N:  Logo1_.exe
    File opened (read-only)  \??\M:  Logo1_.exe
    File opened (read-only)  \??\H:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
  Processes (description | ioc | process):
    File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe  Logo1_.exe
    File created  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Common Files\microsoft shared\Triedit\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe  Logo1_.exe
    File created  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe  Logo1_.exe
    File opened for modification  C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Java\jre7\bin\jabswitch.exe  Logo1_.exe
    File created  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe  Logo1_.exe
    File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Microsoft Office\Office14\1036\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Java\jre7\bin\java.exe  Logo1_.exe
    File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Uninstall Information\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini  Logo1_.exe
Drops file in Windows directory (4 IoCs)
  Processes (description | ioc | process):
    File created  C:\Windows\rundl132.exe  008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
    File created  C:\Windows\Logo1_.exe  008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
    File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
    File created  C:\Windows\vDll.dll  Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid | process):
    2224  Logo1_.exe  (listed 10 times)
Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    2868  008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description | pid | process | target process):
    PID 3016 wrote to memory of 2340  3016  008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe  cmd.exe  (listed 4 times)
    PID 3016 wrote to memory of 2224  3016  008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe  Logo1_.exe  (listed 4 times)
    PID 2224 wrote to memory of 2144  2224  Logo1_.exe  net.exe  (listed 4 times)
    PID 2144 wrote to memory of 2292  2144  net.exe  net1.exe  (listed 4 times)
    PID 2340 wrote to memory of 2868  2340  cmd.exe  008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe  (listed 4 times)
    PID 2224 wrote to memory of 1204  2224  Logo1_.exe  Explorer.EXE  (listed 2 times)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1204
  C:\Users\Admin\AppData\Local\Temp\008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe"
    PID: 3016
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a24A0.bat
      PID: 2340
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe"
        PID: 2868
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      PID: 2224
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        PID: 2144
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2292
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 251KB
MD5: 8127727596399cf19c53447f179b38bc
SHA1: c58115bd548eb653598b2509554646794a98f396
SHA256: b39519f128db77ff20cbbbfee07e54cab923592a46e9e75d45f40a8312135580
SHA512: a88d06e6e11e9b3a107199ddad875062995383bbeae90b487077630041b358bbfe8464af69ef4fd205980fd6769fa84ae7b496aa0df4226f795a9d639f08e9bc

Filesize: 471KB
MD5: f9fc019eacb573ec828d2d9ff6a48318
SHA1: b91958dc8d178b6eeb35e829bab84d0fb12c2280
SHA256: bf9ba3df2bad76d15f4efe42c0c59f37b9454907958892df8ab996552658934e
SHA512: 998ba7bc7cdd5df3e1acfda6f4f92ec9d27732e1e182177dff310f3c918f3be99626a3526bebdff5bb7eb980640434baf56e0f08bfd125168c0a9e37e7239305

Filesize: 722B
MD5: 848edb8a77bfb5093e0543b5f2cfaa61
SHA1: 4fd5f1fad631e0a8e807924e685443b8e0e8b40b
SHA256: ad16e02c0126fa58e926d3d4d94c46886462f0d7874aedf5e7c3b583ecaf1575
SHA512: b55ffcecafc6f1605aeda2d1ed77f07c952274e44e64c45d3430488fdbd49a2ccea93bf910d4d0ff26004d5af3b81d47b31ad5fbe55a2487689f2efe0195c5a9

C:\Users\Admin\AppData\Local\Temp\008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe.exe
Filesize: 116KB
MD5: 0c17c996f9ef8fdcb768f9aa1fbb85a5
SHA1: da090853e2cef892bbec3a24c560facd7e94c798
SHA256: dc82f3aa6a62edeeb6fc519f83fe9ac7ea645176576ac42f0c04753d7d342418
SHA512: a87238e80292ee6a81b0cecd6ff3bce1bbca944890de2171730d54513e1ae28fc0375e4a1a993d3ce8e8565fa7d35e716b6800a3ed06e7bb7c3bfefe963fc962

Filesize: 26KB
MD5: f4e54f43ef0126564e829fa90765bed8
SHA1: 7cf265bec52cd543eae7b87b6fa4aa3409226f33
SHA256: 4f8b78bfed5a47f51ab5eb9a8e43196e504e6cdfe9660cd75cd5607f2dcf9fa5
SHA512: 3ddb20d41a801f8b39d5f43a01055f0d9d6a5aa7094c0762aa32b76d74bdc90dd9ffa3a459056788fc3370b0f1964495936711ba25b7e838eef1cbdead2435d8

Filesize: 9B
MD5: 4f2460b507685f7d7bfe6393f335f1c9
SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb