Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 18:36

Static task: static1
Behavioral task: behavioral1
Sample: 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
Resource: win10v2004-20240508-en
(This page is the behavioral2 run on win10v2004-20240508-en.)

General
Target: 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
Size: 142KB
MD5: b2bfd79e5910e1f7bf1874b2b7c017aa
SHA1: ac6f97a6e24a2dc69496e7e7e3ec4e25a6d89c09
SHA256: 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56
SHA512: cd2ce937be65018de660ffc8026dc67e9c8dccdbb240773de46fd49e137d6731cb8f5744435f05f571552cdbef085489dde7f377f38d0b3d782f7ec4fd8b98ff
SSDEEP: 3072:hftffhJCuU7PQtDzrFJxMpakpk13nJKMpakpA8J+MpakpF13xJi1NAMpakp613mJ:pVfhgu1DnFJxJZ13nJKJf8J+Js13xJiq
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
- pid 440: Logo1_.exe
- pid 2488: 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Logo1_.exe opened each of the following volumes read-only, through NT object paths of the form \??\X:, in the order the sandbox lists them:
\??\Y:, \??\W:, \??\V:, \??\U:, \??\T:, \??\S:, \??\R:, \??\Q:, \??\O:, \??\J:, \??\I:, \??\N:, \??\M:, \??\X:, \??\P:, \??\K:, \??\H:, \??\G:, \??\E:, \??\Z:, \??\L:
That is every letter from E: to Z: except F:, whether or not anything is mounted there. Probing every candidate drive letter rather than asking the system which volumes exist is the usual prelude to writing to every reachable volume, removable and network drives included.
Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe for every entry below.
All but four of the paths are a _desktop.ini file created, or reopened for writing, in an application directory. The four exceptions are existing executables opened for modification (jjs.exe, jdb.exe, ie_to_edge_stub.exe, wabmig.exe); those are the files to hash against known-good copies, since a write to an existing .exe is the signature of infection rather than of dropping a marker file.
- File opened for modification: C:\Program Files\Java\jdk-1.8\include\win32\bridge\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jjs.exe
- File created: C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\ResiliencyLinks\Extensions\_desktop.ini
- File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\_desktop.ini
- File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Fonts\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\_desktop.ini
- File created: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ta-IN\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\_desktop.ini
- File opened for modification: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\_desktop.ini
- File opened for modification: C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini
- File created: C:\Program Files\Windows Multimedia Platform\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ja-jp\_desktop.ini
- File opened for modification: C:\Program Files\Google\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini
- File opened for modification: C:\Program Files (x86)\MSBuild\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\BHO\ie_to_edge_stub.exe
- File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jdb.exe
- File opened for modification: C:\Program Files\Java\jre-1.8\lib\ext\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\_desktop.ini
- File opened for modification: C:\Program Files\Windows Mail\wabmig.exe
- File created: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Configuration\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-gb\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\_desktop.ini
- File created: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
- File created: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\_desktop.ini
- File created: C:\Program Files\Java\jdk-1.8\jre\lib\ext\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini
Drops file in Windows directory (4 IoCs)
Processes: Logo1_.exe, 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe
- File created: C:\Windows\vDll.dll (Logo1_.exe)
- File created: C:\Windows\rundl132.exe (008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe)
- File created: C:\Windows\Logo1_.exe (008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
The submitted sample drops Logo1_.exe and rundl132.exe straight into C:\Windows; Logo1_.exe then adds vDll.dll and rewrites rundl132.exe. Read the name carefully: rundl132.exe (d, l, one, 3, 2) imitates the legitimate rundll32.exe, which lives in System32 and SysWOW64, never in the Windows root. These three files are the host artifacts to sweep for.
Runs net.exe
Logo1_.exe (PID 440) runs net.exe, which hands the request to net1.exe, with the command line net stop "Kingsoft AntiVirus Service" (see the process tree below). Stopping a named antivirus service before touching Program Files is the defence-evasion step to build a detection on; because the service name is product-specific, a rule should key on net/net1 with "stop" plus a security-product keyword rather than on this exact string.
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
- pid 440: Logo1_.exe (20 identical entries, one per process-enumeration call by this single process)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- pid 2488: 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe (the second, relaunched instance of the sample; see the process tree)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe, Logo1_.exe, net.exe, cmd.exe
Writer PID (image) -> target PID (image), with the number of rows the sandbox recorded for each pair:
- 4616 (008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe) -> 2968 (cmd.exe): 3
- 4616 (008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe) -> 440 (Logo1_.exe): 3
- 440 (Logo1_.exe) -> 752 (net.exe): 3
- 752 (net.exe) -> 2324 (net1.exe): 3
- 2968 (cmd.exe) -> 2488 (008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe): 3
- 440 (Logo1_.exe) -> 3420 (Explorer.EXE): 2
All pairs but the last are a parent writing into a child it has just created, which this signature records for every launch in the process tree. The write from Logo1_.exe into the pre-existing Explorer.EXE (PID 3420) is the one entry not explained by process creation and is the injection candidate to follow up on.
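The rows above are easier to act on as data than as text. The following Python is an added example for this page (not output or tooling of the sandbox): it parses the WriteProcessMemory, file and drive rows in exactly the layout shown above, rebuilds the process tree from the PIDs in the Processes section, separates the single cross-process write from the launch-time writes, flags the lookalike file name and the executables opened for modification, and lists which drive letters were probed. All row strings and the PARENT map are transcribed from this page (the Program Files rows are an excerpt); the SYSTEM_BINARIES list is the example's own assumption.

```python
"""Structure the flattened IoC rows of this sandbox report for triage.

Added example for this page, not the sandbox's own output or tooling. Row strings are
copied from the signature sections above (the Program Files rows are an excerpt) and
the parsers assume exactly the row layouts shown there. PARENT is transcribed from the
Processes tree (the unrelated top-level msedge.exe, PID 5056, is left out) and
SYSTEM_BINARIES is this example's own short list.
"""
import re
from collections import Counter

SAMPLE = "008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe"

# WriteProcessMemory rows as they run together on the page, with their repeat counts.
WRITE_TEXT = " ".join(row for row, n in [
    (f"PID 4616 wrote to memory of 2968 4616 {SAMPLE} cmd.exe", 3),
    (f"PID 4616 wrote to memory of 440 4616 {SAMPLE} Logo1_.exe", 3),
    ("PID 440 wrote to memory of 752 440 Logo1_.exe net.exe", 3),
    ("PID 752 wrote to memory of 2324 752 net.exe net1.exe", 3),
    (f"PID 2968 wrote to memory of 2488 2968 cmd.exe {SAMPLE}", 3),
    ("PID 440 wrote to memory of 3420 440 Logo1_.exe Explorer.EXE", 2),
] for _ in range(n))

# pid -> parent pid from the Processes tree (None = top level)
PARENT = {3420: None, 4616: 3420, 2968: 4616, 2488: 2968, 440: 4616, 752: 440, 2324: 752}

FILE_ROWS = [  # Windows-directory rows plus an excerpt of the Program Files rows
    r"File created C:\Windows\vDll.dll Logo1_.exe",
    rf"File created C:\Windows\rundl132.exe {SAMPLE}",
    rf"File created C:\Windows\Logo1_.exe {SAMPLE}",
    r"File opened for modification C:\Windows\rundl132.exe Logo1_.exe",
    r"File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe Logo1_.exe",
    r"File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe Logo1_.exe",
    r"File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\BHO\ie_to_edge_stub.exe Logo1_.exe",
    r"File opened for modification C:\Program Files\Windows Mail\wabmig.exe Logo1_.exe",
    r"File created C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini Logo1_.exe",
]

# The 21 "Enumerates connected drives" rows, again as one run-on line.
DRIVE_TEXT = " ".join(rf"File opened (read-only) \??\{c}: Logo1_.exe" for c in "YWVUTSRQOJINMXPKHGEZL")

SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "services.exe"}

def parse_writes(text):
    """Counter of (writer_pid, target_pid, writer_image, target_image); one row per write call."""
    pat = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
    return Counter((int(w), int(t), wi, ti) for w, t, wi, ti in pat.findall(text))

def image_map(writes):
    """pid -> image name, recovered from the write rows."""
    return {pid: img for w, t, wi, ti in writes for pid, img in ((w, wi), (t, ti))}

def cross_process_writes(writes, parent):
    """Writes into a process the writer did not itself launch. A parent writing into its
    own new child is what process creation looks like here, so those rows are dropped
    and only real injection candidates remain."""
    return sorted(key for key in writes if parent.get(key[1]) != key[0])

def render_tree(parent, images, root=None, depth=0):
    """Indented process tree, children ordered by PID."""
    lines = []
    for pid in sorted(p for p, pp in parent.items() if pp == root):
        lines.append("  " * depth + f"{images.get(pid, '?')} (PID {pid})")
        lines.extend(render_tree(parent, images, pid, depth + 1))
    return lines

def lookalike(name):
    """Undo digit-for-letter swaps (1->l, 0->o); return the system binary the name imitates, or None."""
    canon = name.lower().translate(str.maketrans("10", "lo"))
    return canon if canon in SYSTEM_BINARIES and canon != name.lower() else None

def file_findings(rows):
    """Flag files placed directly under C:\\Windows, lookalike names, and existing .exe files opened for writing."""
    pat = re.compile(r"^File (created|opened for modification) (.+?) (\S+)$")
    found = []
    for action, path, proc in (pat.match(r).groups() for r in rows):
        folder, name = path.rsplit("\\", 1)
        if folder.lower() == r"c:\windows":
            found.append(("windows_root_file", path, proc))
        if lookalike(name):
            found.append(("lookalike_name", f"{name} -> {lookalike(name)}", proc))
        if action == "opened for modification" and name.lower().endswith(".exe"):
            found.append(("exe_opened_for_modification", path, proc))
    return list(dict.fromkeys(found))  # de-duplicate, keep order

def drive_letters(text):
    """Drive letters probed through \\??\\X:, and the letters D..Z that were not."""
    seen = sorted(set(re.findall(r"\\\?\?\\([A-Z]):", text)))
    return seen, [c for c in "DEFGHIJKLMNOPQRSTUVWXYZ" if c not in seen]

if __name__ == "__main__":
    writes = parse_writes(WRITE_TEXT)
    print("\n".join(render_tree(PARENT, image_map(writes))))
    print("cross-process writes:", cross_process_writes(writes, PARENT))
    print(*file_findings(FILE_ROWS), drive_letters(DRIVE_TEXT), sep="\n")
```

Running it prints the seven-process tree rooted at Explorer.EXE, a single cross-process write (Logo1_.exe into PID 3420), the lookalike hit rundl132.exe -> rundll32.exe, the five executables opened for modification, and the drive probe result (21 letters seen; D: and F: never touched). The same parsers work unchanged on other reports that use this row layout.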
Processes
- C:\Windows\Explorer.EXE (PID 3420)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe (PID 4616)
    command line: "C:\Users\Admin\AppData\Local\Temp\008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2968)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE697.bat
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe (PID 2488)
        command line: "C:\Users\Admin\AppData\Local\Temp\008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe"
        signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\Logo1_.exe (PID 440)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 752)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2324)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5056)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
Reading the tree: the sample (PID 4616) does two things, it runs a batch file from its own Temp directory through cmd.exe, and it drops and starts C:\Windows\Logo1_.exe. The batch file relaunches the sample's own path (PID 2488), and the sandbox tags that relaunch as "Executes dropped EXE", which it only does for a file written during the run, so the file at that path was rewritten before the second start. Logo1_.exe is the worker: it stops the antivirus service, walks the drives and writes into Program Files. The children are created from SysWOW64 although the command lines name system32, which is WOW64 file-system redirection at work and tells you the sample is a 32-bit executable. The msedge.exe utility process is top-level and is not a child of the sample.
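The tree gives the sequence an endpoint detection should catch: a batch file run from the sample's own Temp directory, an executable dropped straight into C:\Windows, that executable stopping an antivirus service through net.exe, and a blanket of _desktop.ini files under Program Files. The following Python is an added example for this page, not part of the sandbox report: it encodes those behaviours as rules over constructed Sysmon-style process-create and file-create events, including two benign control events to show what does not fire. The event dicts, the SECURITY_SERVICE_WORDS keyword list and the _desktop.ini threshold are this example's own assumptions, not vendor values.

```python
"""Detection logic for the behaviours in the process tree above, run over constructed
Sysmon-style events (EventID 1 = process create, EventID 11 = file create).

Added example for this page, not part of the sandbox report. EVENTS is made up to
mirror the tree and the file drops shown above plus two benign controls; field names
follow Sysmon JSON exports. SECURITY_SERVICE_WORDS and ini_threshold are this
example's assumptions.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe"
LOGO1 = r"C:\Windows\Logo1_.exe"
INI_DIRS = [r"C:\Program Files\Google", r"C:\Program Files (x86)\MSBuild",
            r"C:\Program Files\Windows Multimedia Platform",
            r"C:\Program Files\VideoLAN\VLC\plugins\video_filter",
            r"C:\Program Files\Java\jre-1.8\lib\ext"]

EVENTS = [  # constructed to match the tree above
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE697.bat"},
    {"EventID": 1, "Image": LOGO1, "ParentImage": SAMPLE, "CommandLine": LOGO1},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\net.exe", "ParentImage": LOGO1,
     "CommandLine": 'net stop "Kingsoft AntiVirus Service"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\net1.exe", "ParentImage": r"C:\Windows\SysWOW64\net.exe",
     "CommandLine": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    # benign control: an administrator stopping the print spooler from a System32 shell
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net stop spooler"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": LOGO1},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Windows\rundl132.exe"},
    # benign control: Explorer writing an ordinary desktop.ini (no leading underscore)
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\Admin\Pictures\desktop.ini"},
] + [{"EventID": 11, "Image": LOGO1, "TargetFilename": d + r"\_desktop.ini"} for d in INI_DIRS]

SECURITY_SERVICE_WORDS = ("antivirus", "anti-virus", "defender", "security", "endpoint", "protection")  # assumption

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def service_stopped(cmdline):
    """Service name from `net stop <name>` or `net1 stop "<name>"`, else None."""
    m = re.search(r'\bstop\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None

def in_windows_root(path):
    """True for C:\\Windows\\<file> itself, not for System32, SysWOW64 or any other subfolder."""
    return re.fullmatch(r"c:\\windows\\[^\\]+", path.lower()) is not None

def detect(events, ini_threshold=5):
    """Return (rule, detail, context) hits for the behaviours the report shows."""
    hits, ini_drops = [], Counter()
    for ev in events:
        if ev["EventID"] == 1:
            image, parent, cmd = basename(ev["Image"]), ev["ParentImage"], ev["CommandLine"]
            if image in ("net.exe", "net1.exe"):
                svc = service_stopped(cmd)
                if svc and any(w in svc.lower() for w in SECURITY_SERVICE_WORDS):
                    hits.append(("security_service_stop", svc, parent))
                if image == "net.exe" and in_windows_root(parent):
                    hits.append(("windows_root_binary_runs_net", parent, cmd))
            if image == "cmd.exe":
                m = re.search(r"/c\s+(\S+\.bat)\b", cmd, re.IGNORECASE)
                # batch file living in the same directory as the parent executable (here: Temp)
                if m and m.group(1).lower().rsplit("\\", 1)[0] == parent.lower().rsplit("\\", 1)[0]:
                    hits.append(("batch_beside_parent", m.group(1), parent))
        elif ev["EventID"] == 11:
            target, writer = ev["TargetFilename"], ev["Image"]
            if target.lower().endswith(r"\_desktop.ini") and "\\program files" in target.lower():
                ini_drops[writer] += 1
            if target.lower().endswith(".exe") and in_windows_root(target) and "\\temp\\" in writer.lower():
                hits.append(("exe_dropped_in_windows_root", target, writer))
    for writer, n in ini_drops.items():
        if n >= ini_threshold and basename(writer) != "explorer.exe":
            hits.append(("mass_desktop_ini_drop", writer, n))
    return hits

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(*hit, sep=" | ")
```

The service-stop rule fires for both net.exe and net1.exe (net.exe only forwards to net1.exe, so telemetry shows both), which is why the Kingsoft line produces two hits; the spooler restart from a System32 shell produces none. The _desktop.ini rule is a count per writing process rather than a per-file match, so a single legitimate write by Explorer stays quiet.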
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 251KB
  MD5: 8127727596399cf19c53447f179b38bc
  SHA1: c58115bd548eb653598b2509554646794a98f396
  SHA256: b39519f128db77ff20cbbbfee07e54cab923592a46e9e75d45f40a8312135580
  SHA512: a88d06e6e11e9b3a107199ddad875062995383bbeae90b487077630041b358bbfe8464af69ef4fd205980fd6769fa84ae7b496aa0df4226f795a9d639f08e9bc
- Filesize: 570KB
  MD5: 4e7100f1e12d0db9a7f734f8aeb8028b
  SHA1: fd89a577f9c712575552427989c8bde36e183d6c
  SHA256: 12170265e750d261bc60c321d076c7fb1c03491cb5a3743e62c85e55a3b8be75
  SHA512: f7b93b9aaaa47e4da25f9c9cc10aa3b186b533a327d22a7b0525c938426a11c289af7d9e5a28fb1abb41f159c5f3533aaa5499271fd3934e4d14f39f2dd50c71
- C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  Filesize: 636KB
  MD5: d82ffc872aed7c85cf936dcdcc2e6372
  SHA1: 50ca56cb4a429ce1532afaa2732f61833fc2b54f
  SHA256: a487733710d946abff1a93a23ae6bbafd6c0800bc78e4d5e3cac36e2a14ddace
  SHA512: 0b0031418275c6be01f7757111058cd5bd3e5f4862e0631e2e28c5e7ffbb271446abdc2a88a7953ae55112799bc4a051becc2b14491e0d1760e336498665cc8b
- Filesize: 722B
  MD5: 7568959f0440788ba38afa43c94da155
  SHA1: b37e6839433e946cc6730667fda489177668ee61
  SHA256: fab9b1babbfdbb2c88400150bdb39c09d4f447c255715897986df4d9d6093e26
  SHA512: 5a0ea1be37171d0e134b3cc8d0904fa350f5f391ffbc8dad2fc084e222733f432137b9a1568eb5aba3b90f75c50390ab74997c941a264e7738d1859591ab3117
- C:\Users\Admin\AppData\Local\Temp\008b793d4b4945905e33ad61bb178d0ae07141517ea104831cc74181b666ed56.exe.exe
  Filesize: 116KB
  MD5: 0c17c996f9ef8fdcb768f9aa1fbb85a5
  SHA1: da090853e2cef892bbec3a24c560facd7e94c798
  SHA256: dc82f3aa6a62edeeb6fc519f83fe9ac7ea645176576ac42f0c04753d7d342418
  SHA512: a87238e80292ee6a81b0cecd6ff3bce1bbca944890de2171730d54513e1ae28fc0375e4a1a993d3ce8e8565fa7d35e716b6800a3ed06e7bb7c3bfefe963fc962
  Despite the near-identical name, this 116KB file is not the 142KB submitted sample (MD5 b2bfd79e5910e1f7bf1874b2b7c017aa); hash it separately when building indicators.
- Filesize: 26KB
  MD5: f4e54f43ef0126564e829fa90765bed8
  SHA1: 7cf265bec52cd543eae7b87b6fa4aa3409226f33
  SHA256: 4f8b78bfed5a47f51ab5eb9a8e43196e504e6cdfe9660cd75cd5607f2dcf9fa5
  SHA512: 3ddb20d41a801f8b39d5f43a01055f0d9d6a5aa7094c0762aa32b76d74bdc90dd9ffa3a459056788fc3370b0f1964495936711ba25b7e838eef1cbdead2435d8
- Filesize: 9B
  MD5: 4f2460b507685f7d7bfe6393f335f1c9
  SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
  SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
  SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb