Analysis
-
max time kernel
153s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 18:36
Static task
static1
Behavioral task
behavioral1
Sample
fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
Resource
win10v2004-20240226-en
General
-
Target
fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
-
Size
417KB
-
MD5
99eceb281f12da13cda991a03c298be8
-
SHA1
31d93c4b71d8960313a18cf1b024ea7ef8f7cbe9
-
SHA256
fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516
-
SHA512
ab61b735272d58e1613f6d6ea41364026458cf4cd9499fb6a064e2c77ceb452fefec70d9481781bb8cdfcaaa26b698b19d5cf01866c4d433bd8511ad6e8dc8dd
-
SSDEEP
6144:guJ45eaB+K7A1LBDejpRTxLn1gUkIJsTk0l2mI:S57B9A1dDURTxLyUkIJok0lPI
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
Logo1_.exefd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exepid process 3568 Logo1_.exe 5552 fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Logo1_.exedescription ioc process File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
Processes:
Logo1_.exedescription ioc process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\pstn\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Telemetry\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-sl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdate.exe Logo1_.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\identity_proxy\win11\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\identity_proxy\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\include\win32\bridge\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe Logo1_.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\fonts\_desktop.ini Logo1_.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\PdfPreview\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
Processes:
fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exeLogo1_.exedescription ioc process File created C:\Windows\rundl132.exe fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe File created C:\Windows\Logo1_.exe fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
Logo1_.exepid process 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe 3568 Logo1_.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.execmd.exeLogo1_.exenet.exedescription pid process target process PID 904 wrote to memory of 1428 904 fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe cmd.exe PID 904 wrote to memory of 1428 904 fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe cmd.exe PID 904 wrote to memory of 1428 904 fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe cmd.exe PID 904 wrote to memory of 3568 904 fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe Logo1_.exe PID 904 wrote to memory of 3568 904 fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe Logo1_.exe PID 904 wrote to memory of 3568 904 fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe Logo1_.exe PID 1428 wrote to memory of 5552 1428 cmd.exe fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe PID 1428 wrote to memory of 5552 1428 cmd.exe fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe PID 1428 wrote to memory of 5552 1428 cmd.exe fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe PID 3568 wrote to memory of 4040 3568 Logo1_.exe net.exe PID 3568 wrote to memory of 4040 3568 Logo1_.exe net.exe PID 3568 wrote to memory of 4040 3568 Logo1_.exe net.exe PID 4040 wrote to memory of 2556 4040 net.exe net1.exe PID 4040 wrote to memory of 2556 4040 net.exe net1.exe PID 4040 wrote to memory of 2556 4040 net.exe net1.exe PID 3568 wrote to memory of 3196 3568 Logo1_.exe Explorer.EXE PID 3568 wrote to memory of 3196 3568 Logo1_.exe Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3196
-
C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1587.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"4⤵
- Executes dropped EXE
PID:5552 -
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:2556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:81⤵PID:432
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD5432aa5b6bcd692caa88869c8bdc43681
SHA1aeb7c43781d43851f7f127b4e5adc46f743d1b14
SHA25686cfebefaf5ede042543c8a48550b01fe7ef3b6b7812000c3888319ae9dc3d2f
SHA5124f160f737ac1f8a879bbcfffc37d499ed1e26cd21f7798cc8cc430b2d0c3fa83f6f30d1c5ddc6010523c32f9a81e8756a5c723b880e61f63135f4d42b79c9058
-
Filesize
573KB
MD5451d320c4693c75e5440cb4d9c47a77f
SHA1eb33d16b45402ffab95c3735479cd3070892e03f
SHA256ee272f52273d86c5612ac01738c5dbf9467aa805560258e77c1de59bc9bebfca
SHA51293cbaba8c9793e66a210b0c4f1f788b15d011b8170feee09275ec5cfd22b972999186d1172ccbc0ddb448c1a563cd3d289f17fc8fb665932d3db5477234aa33f
-
Filesize
722B
MD52ef5b15f576885b0b500c7616d94e4f1
SHA1149ca6a7a882d01ffadd819454c8b0e72da6bb39
SHA256caa38c9f2e6a4d83081090cb0bd9bf79dc9d7c3b6df84521f278ae50dc6d9f44
SHA512ab73e8e79290ff4301766020378635d073185c73d2de0c3a48a03a635731cd7c049ead82dd25736a37a375676f9455ce542c5eea6d6ffa57548e03f706318c86
-
C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe.exe
Filesize388KB
MD5766721f110f52057319fb87a2f1d4225
SHA16b2d5b226224567f726fe5c641f4a55e575a1781
SHA2564ed35a2d5af16c722524f9f012dcfa7281744b9d223fc9e03040f9066ee2c66f
SHA51249d9dc340f7d8fb9396c50cccb948215a6b427075beb7ffe007ecadaa5ada99778b0dfdb9a44ce1da13c3c3703b23536a81d9fcb2dbb2c753bc3989d19441fb9
-
Filesize
29KB
MD5dccda60757967a88ad8a9a89f813748b
SHA130342bac716279dc71135ca51c669c25940a8684
SHA25673bb214769970609319af0d08f3d0938a9cad1d1fc864b23527c9474cca5b2f2
SHA512b022e816473dd0c16723393e1381ef9e99298fc6e85724eb451271c62a1f1e77541543fe02cb5e9cc7d758a3793103930288c36e7becfb7ff2716893ee228816
-
Filesize
9B
MD54f2460b507685f7d7bfe6393f335f1c9
SHA1378d42f114b1515872e58de6662373af31ab8c7b
SHA25647a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA51275dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb