Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 18:36
Static task: static1
Behavioral task: behavioral1
  Sample: fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
  Resource: win10v2004-20240226-en
General
Target: fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
Size: 417KB
MD5: 99eceb281f12da13cda991a03c298be8
SHA1: 31d93c4b71d8960313a18cf1b024ea7ef8f7cbe9
SHA256: fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516
SHA512: ab61b735272d58e1613f6d6ea41364026458cf4cd9499fb6a064e2c77ceb452fefec70d9481781bb8cdfcaaa26b698b19d5cf01866c4d433bd8511ad6e8dc8dd
SSDEEP: 6144:guJ45eaB+K7A1LBDejpRTxLn1gUkIJsTk0l2mI:S57B9A1dDURTxLyUkIJok0lPI
Malware Config
Signatures
Deletes itself (1 IoC)
  Processes (pid, process):
    2488  cmd.exe

Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    2068  Logo1_.exe
    2736  fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe

Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    2488  cmd.exe
    2488  cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description, ioc, process):
    File opened (read-only)  \??\K:  Logo1_.exe
    File opened (read-only)  \??\J:  Logo1_.exe
    File opened (read-only)  \??\W:  Logo1_.exe
    File opened (read-only)  \??\T:  Logo1_.exe
    File opened (read-only)  \??\Z:  Logo1_.exe
    File opened (read-only)  \??\H:  Logo1_.exe
    File opened (read-only)  \??\O:  Logo1_.exe
    File opened (read-only)  \??\L:  Logo1_.exe
    File opened (read-only)  \??\I:  Logo1_.exe
    File opened (read-only)  \??\G:  Logo1_.exe
    File opened (read-only)  \??\E:  Logo1_.exe
    File opened (read-only)  \??\V:  Logo1_.exe
    File opened (read-only)  \??\P:  Logo1_.exe
    File opened (read-only)  \??\U:  Logo1_.exe
    File opened (read-only)  \??\S:  Logo1_.exe
    File opened (read-only)  \??\R:  Logo1_.exe
    File opened (read-only)  \??\Q:  Logo1_.exe
    File opened (read-only)  \??\N:  Logo1_.exe
    File opened (read-only)  \??\M:  Logo1_.exe
    File opened (read-only)  \??\Y:  Logo1_.exe
    File opened (read-only)  \??\X:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Program Files\7-Zip\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Windows Journal\Templates\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Mozilla Firefox\pingsender.exe  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe  Logo1_.exe
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe  Logo1_.exe
    File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe  Logo1_.exe
    File created  C:\Program Files\VideoLAN\VLC\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Checkers\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini  Logo1_.exe
    File created  C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files (x86)\Windows Mail\wabmig.exe  Logo1_.exe
    File created  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\_desktop.ini  Logo1_.exe
    File created  C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini  Logo1_.exe
    File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe  Logo1_.exe
Drops file in Windows directory (4 IoCs)
  Processes (description, ioc, process):
    File created  C:\Windows\rundl132.exe  fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
    File created  C:\Windows\Logo1_.exe  fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
    File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
    File created  C:\Windows\vDll.dll  Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process):
    2068  Logo1_.exe  (reported 10 times)

Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description, pid, process, target process):
    PID 2436 wrote to memory of 2488  2436  fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe  cmd.exe  (reported 4 times)
    PID 2436 wrote to memory of 2068  2436  fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe  Logo1_.exe  (reported 4 times)
    PID 2488 wrote to memory of 2736  2488  cmd.exe  fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe  (reported 4 times)
    PID 2068 wrote to memory of 2748  2068  Logo1_.exe  net.exe  (reported 4 times)
    PID 2748 wrote to memory of 2756  2748  net.exe  net1.exe  (reported 4 times)
    PID 2068 wrote to memory of 1196  2068  Logo1_.exe  Explorer.EXE  (reported 2 times)
Processes (indented by depth in the process tree)
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1196
  C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2436
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1ED6.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2488
      C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"
        - Executes dropped EXE
        PID: 2736
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2068
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2748
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2756
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 254KB
MD5: 432aa5b6bcd692caa88869c8bdc43681
SHA1: aeb7c43781d43851f7f127b4e5adc46f743d1b14
SHA256: 86cfebefaf5ede042543c8a48550b01fe7ef3b6b7812000c3888319ae9dc3d2f
SHA512: 4f160f737ac1f8a879bbcfffc37d499ed1e26cd21f7798cc8cc430b2d0c3fa83f6f30d1c5ddc6010523c32f9a81e8756a5c723b880e61f63135f4d42b79c9058

Filesize: 474KB
MD5: 6f0ec1ca208b0521f58bcd694897df06
SHA1: 808a16d524301513af8ee772936f6bdcf41623a6
SHA256: 53b5d4205b0f2ae4ba0051244fffcaf0cfecbf78dfc448e4d2e68e53e15f15bf
SHA512: d8318484059a9988dae4b8a53d1ccec1a54ed825e1937d70fccc9bd26222a0c4b23718f368e6d193e6dd7b9d999e5e8d5f23717ea160468b6287004a722503f2

Filesize: 722B
MD5: 496f1eaff8540238b19125aaf606e3a8
SHA1: 06b5298b4b896fec3519f4d7841bf30e366f415b
SHA256: 0868fa58a1af9f4ef3ba6e622ea3ca2fe06945b69cae2b208af58e79a2c881e4
SHA512: d214de9c59364f41bfd0aa000cf299e49ecd7701a2223425803987b12dc87f885d6f34555089d58094b0b6c8a280f4fa4874c589c47f77d69fbe9876769158c6

C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe.exe
Filesize: 388KB
MD5: 766721f110f52057319fb87a2f1d4225
SHA1: 6b2d5b226224567f726fe5c641f4a55e575a1781
SHA256: 4ed35a2d5af16c722524f9f012dcfa7281744b9d223fc9e03040f9066ee2c66f
SHA512: 49d9dc340f7d8fb9396c50cccb948215a6b427075beb7ffe007ecadaa5ada99778b0dfdb9a44ce1da13c3c3703b23536a81d9fcb2dbb2c753bc3989d19441fb9

Filesize: 29KB
MD5: dccda60757967a88ad8a9a89f813748b
SHA1: 30342bac716279dc71135ca51c669c25940a8684
SHA256: 73bb214769970609319af0d08f3d0938a9cad1d1fc864b23527c9474cca5b2f2
SHA512: b022e816473dd0c16723393e1381ef9e99298fc6e85724eb451271c62a1f1e77541543fe02cb5e9cc7d758a3793103930288c36e7becfb7ff2716893ee228816

Filesize: 9B
MD5: 4f2460b507685f7d7bfe6393f335f1c9
SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb