Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 18:36
Static task: static1
Behavioral task: behavioral1
  Sample: e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe
  Resource: win10v2004-20240508-en
General
Target: e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe
Size: 856KB
MD5: b5016d7f38c5576d20b903eca85429c2
SHA1: 889fd8874b5a71b81b550e5b50274354c36ffd68
SHA256: e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6
SHA512: e22421128195c563cc0fbae8a0290d633ffe02f6fcddf487d83e4e9df2589a720e646d4de231933162d786522b702e0313bb5c2113c8c77ab2edb0cbe9b624cb
SSDEEP: 24576:a79sgg7df19XFhcChLBD/OqzwyaV1qFKToggnlYFY:a71Qdf1Lb42
Malware Config
Signatures
Deletes itself (1 IoC)
Processes: cmd.exe (PID 2880)
Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe (PID 2876), e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe (PID 2684)
Loads dropped DLL (2 IoCs)
Processes: cmd.exe (PID 2880), 2 events
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
File opened (read-only) by Logo1_.exe: \??\Y:, \??\W:, \??\S:, \??\P:, \??\O:, \??\M:, \??\K:, \??\E:, \??\T:, \??\J:, \??\I:, \??\H:, \??\G:, \??\R:, \??\L:, \??\Z:, \??\X:, \??\V:, \??\U:, \??\Q:, \??\N:
Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
Drops file in Windows directory (4 IoCs)
Processes: e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe, Logo1_.exe
  File created C:\Windows\rundl132.exe by e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe
  File created C:\Windows\Logo1_.exe by e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe
  File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  File created C:\Windows\vDll.dll by Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: Logo1_.exe (PID 2876), 10 events
Suspicious use of WriteProcessMemory (22 IoCs)
Processes: e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe, Logo1_.exe, net.exe, cmd.exe
  PID 2480 (e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe) wrote to memory of PID 2880 (cmd.exe), 4 events
  PID 2480 (e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe) wrote to memory of PID 2876 (Logo1_.exe), 4 events
  PID 2876 (Logo1_.exe) wrote to memory of PID 2696 (net.exe), 4 events
  PID 2696 (net.exe) wrote to memory of PID 2676 (net1.exe), 4 events
  PID 2880 (cmd.exe) wrote to memory of PID 2684 (e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe), 4 events
  PID 2876 (Logo1_.exe) wrote to memory of PID 1392 (Explorer.EXE), 2 events
Processes
[1] C:\Windows\Explorer.EXE (PID 1392)
    Command line: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe (PID 2480)
      Command line: "C:\Users\Admin\AppData\Local\Temp\e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2880)
        Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1CA5.bat
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe (PID 2684)
          Command line: "C:\Users\Admin\AppData\Local\Temp\e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe"
          - Executes dropped EXE
    [3] C:\Windows\Logo1_.exe (PID 2876)
        Command line: C:\Windows\Logo1_.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe (PID 2696)
          Command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe (PID 2676)
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads