Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 18:36
Static task: static1
Behavioral task: behavioral1
  Sample: e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe
  Resource: win10v2004-20240508-en
General
Target: e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe
Size: 856KB
MD5: b5016d7f38c5576d20b903eca85429c2
SHA1: 889fd8874b5a71b81b550e5b50274354c36ffd68
SHA256: e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6
SHA512: e22421128195c563cc0fbae8a0290d633ffe02f6fcddf487d83e4e9df2589a720e646d4de231933162d786522b702e0313bb5c2113c8c77ab2edb0cbe9b624cb
SSDEEP: 24576:a79sgg7df19XFhcChLBD/OqzwyaV1qFKToggnlYFY:a71Qdf1Lb42
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID 4244  Logo1_.exe
  PID 4780  e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  Logo1_.exe opened (read-only) the drive roots \??\X:, \??\W:, \??\S:, \??\J:, \??\Y:, \??\P:, \??\I:, \??\G:, \??\L:, \??\K:, \??\Z:, \??\V:, \??\T:, \??\R:, \??\Q:, \??\M:, \??\H:, \??\U:, \??\O:, \??\N:, \??\E: (every letter from E: to Z: except F:).
Drops file in Program Files directory (64 IoCs)
All 64 events are attributed to Logo1_.exe. 62 of them touch a _desktop.ini marker (note the leading underscore, which distinguishes it from Windows' own desktop.ini); the two exceptions are existing executables opened for modification, jusched.exe and serialver.exe.
Processes:
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini
  File created  C:\Program Files\Windows Security\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\uk-ua\_desktop.ini
  File created  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\_desktop.ini
  File created  C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\_desktop.ini
  File created  C:\Program Files\Windows Defender\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ar-ae\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\_desktop.ini
  File created  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
  File created  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini
  File created  C:\Program Files\dotnet\host\fxr\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\_desktop.ini
  File created  C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\View3d\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
  File created  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini
  File created  C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\_desktop.ini
  File created  C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\_desktop.ini
  File created  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\css\_desktop.ini
  File created  C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini
  File created  C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\_desktop.ini
  File created  C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\_desktop.ini
  File created  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\_desktop.ini
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk-1.8\bin\serialver.exe
Drops file in Windows directory (4 IoCs)
Processes:
  File created                  C:\Windows\rundl132.exe  by e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe
  File created                  C:\Windows\Logo1_.exe    by e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe
  File opened for modification  C:\Windows\rundl132.exe  by Logo1_.exe
  File created                  C:\Windows\vDll.dll      by Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  PID 4244  Logo1_.exe  (20 events)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  PID 4460 e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe  wrote to memory of  PID 3228 cmd.exe  (3 events)
  PID 4460 e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe  wrote to memory of  PID 4244 Logo1_.exe  (3 events)
  PID 4244 Logo1_.exe  wrote to memory of  PID 1136 net.exe  (3 events)
  PID 1136 net.exe  wrote to memory of  PID 3364 net1.exe  (3 events)
  PID 3228 cmd.exe  wrote to memory of  PID 4780 e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe  (3 events)
  PID 4244 Logo1_.exe  wrote to memory of  PID 3420 Explorer.EXE  (2 events)
Processes

C:\Windows\Explorer.EXE  (PID 3420)
  cmdline: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe  (PID 4460)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 3228)
      cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A28.bat
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe  (PID 4780)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe  (PID 4244)
      cmdline: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe  (PID 1136)
        cmdline: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  (PID 3364)
          cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
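The process tree above is the part of this report that feeds a detection rule most directly: the sample spawns cmd.exe with a batch file from its own Temp directory, spawns an .exe it planted in the C:\Windows\ root, and that .exe stops a service named "Kingsoft AntiVirus Service" via net.exe/net1.exe. The Python script below is an added example and is not part of the sandbox report. It transcribes the seven processes from the tree (PIDs, parents, images and command lines as listed above) and runs three rules over them. The rule names, regular expressions and the Proc record type are this example's own choices; the `$$`-prefixed batch name is specific to this sample, so the batch rule matches any .bat under the user's Temp directory rather than that prefix.

```python
"""Detection rules over the process tree recorded in this report.

Added example, not part of the sandbox report. The process records are
transcribed from the report's Processes section; rule names, regular
expressions and the Proc record type are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None for the root of the recorded tree
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe")

# (pid, parent pid, image, command line) as listed in the report's process tree.
PROCS: List[Proc] = [
    Proc(3420, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(4460, 3420, SAMPLE, f'"{SAMPLE}"'),
    Proc(3228, 4460, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A28.bat"),
    Proc(4780, 3228, SAMPLE, f'"{SAMPLE}"'),
    Proc(4244, 4460, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    Proc(1136, 4244, r"C:\Windows\SysWOW64\net.exe", r'net stop "Kingsoft AntiVirus Service"'),
    Proc(3364, 1136, r"C:\Windows\SysWOW64\net1.exe",
         r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# An .exe directly under C:\Windows\ (not System32/SysWOW64) is rare for legitimate software.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.I)
NET_STOP_RE = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.I)
SECURITY_WORDS_RE = re.compile(r"antivirus|anti-virus|defender|security", re.I)
TEMP_BAT_RE = re.compile(r"/c\s+\S+\\AppData\\Local\\Temp\\\S+\.bat\b", re.I)


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1]


def lineage(procs: List[Proc], pid: int) -> List[str]:
    """Image basenames from the recorded root down to pid."""
    table = {p.pid: p for p in procs}
    chain = []
    cur = table.get(pid)
    while cur is not None:
        chain.append(_basename(cur.image))
        cur = table.get(cur.ppid) if cur.ppid is not None else None
    return chain[::-1]


def detect(procs: List[Proc]) -> List[Tuple[str, int, List[str]]]:
    """Return (rule, pid, lineage) for every process that trips a rule."""
    table: Dict[int, Proc] = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = table.get(p.ppid) if p.ppid is not None else None
        base = _basename(p.image).lower()
        # Rule 1: a Temp-resident parent starts an .exe planted in the C:\Windows\ root.
        if (parent is not None and TEMP_DIR_RE.search(parent.image)
                and WINDOWS_ROOT_EXE_RE.match(p.image) and base != "explorer.exe"):
            findings.append(("temp_parent_spawns_windows_root_exe", p.pid, lineage(procs, p.pid)))
        # Rule 2: net/net1 stopping a service whose name suggests a security product.
        if base in ("net.exe", "net1.exe"):
            m = NET_STOP_RE.search(p.cmdline)
            if m and SECURITY_WORDS_RE.search(m.group(1)):
                findings.append(("stops_security_service", p.pid, lineage(procs, p.pid)))
        # Rule 3: cmd.exe /c running a batch file out of the user's Temp directory.
        if base == "cmd.exe" and TEMP_BAT_RE.search(p.cmdline):
            findings.append(("cmd_runs_temp_batch", p.pid, lineage(procs, p.pid)))
    return findings


if __name__ == "__main__":
    for rule, pid, chain in detect(PROCS):
        print(f"{rule:<38} pid={pid:<5} {' > '.join(chain)}")
```

Run stand-alone it prints four findings: the cmd.exe batch launch (PID 3228), Logo1_.exe started from the Temp-resident sample (PID 4244), and the service stop seen on both net.exe (PID 1136) and net1.exe (PID 3364), each with its ancestry back to Explorer.EXE. Rule 2 keys on the service name rather than on a fixed product string, so a benign `net stop Spooler` does not fire; on a real EDR feed the same three rules would be written against parent/child image paths and command lines from process-creation telemetry.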
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 251KB
MD5: 20e13208a5f0e6252a355d77c795f2a4
SHA1: b887496d627eb4661fdd562b4de8e662fe41d1e5
SHA256: cd3b50670cf733b2bc7e6f976994e022436935d5b9c02c85221e3be38c5030de
SHA512: 031a58e2db6743b623b2292b3a4db0f304ff4a0fdabc93418dd400b792d15bad8d387f280e360992ac3dd28a2f5562bcfe29e54981920809458f161c3f1c001c

Filesize: 570KB
MD5: 30403450a9bb0784a9183dba63a212e7
SHA1: ab49ff6fbc58a59bdc5f4f0cf120eeec04ac38cf
SHA256: d7c988696adfe1d7d6d1c6d4c93d8c6e261ccd56c2a79b6e4b2dfb85efd3b7fd
SHA512: 43490c417b3a676e7d8d6b0b033db8bf013f7ebaf4b7df61d159072fd818d36c05c694d120ab6a0756fb52bcd8d21ffd0fadd73118f82c3a2992de241b8a4c4f

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 636KB
MD5: 2500f702e2b9632127c14e4eaae5d424
SHA1: 8726fef12958265214eeb58001c995629834b13a
SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Filesize: 722B
MD5: 9efb76440ec9191215e4c6a2e5af85f2
SHA1: 49b2ce731f2757a4568a4fc9192e72783c83c2e3
SHA256: 3b772d90419a00a8ebb7c67dd1901577038f5ab8465da4f11d4af47f1ab0397f
SHA512: 7610f1ece7f3c6c88f370ab098fec4ad75c288527e090ae0a96da16142122a31fac448faf61408032a41fd1291fe749778f7e751afa2c33f4b69f709af7341c8

C:\Users\Admin\AppData\Local\Temp\e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6.exe.exe
Filesize: 830KB
MD5: 2231ee7865043e3fc6c24e30fc4a6463
SHA1: c9e70bd67ae43166d3389625824f689bf1c50a57
SHA256: 4e28bf0babce84d1408229a2adb37ed7a57b81ee087304f3e5cd82327bd6c18b
SHA512: 89ff2434f0f173961b53663056b13964ac28233eac2a1df0df4e851aa698ee2bade6f116f60ae760ec2aabce1df5b0f9b6f99cb79d90ddf8db77cdfe796209a8

Filesize: 26KB
MD5: 263ad45da407327c35b16d5ba364b3dc
SHA1: a4f126fadc50281f2ab4d3daec7466ee300373f2
SHA256: 6e6e8616254a317bfc26678980eeb6e46c8601f527d35544e6313e3976cea832
SHA512: 0333a3749a86376f2b048f604e588f492b0e7433bf1423b12862da129ad8269c9b2b68879aa0afcd9dce5b9ff285e3da440c5001692576ca3ffb88f713aa012d

Filesize: 9B
MD5: 4f2460b507685f7d7bfe6393f335f1c9
SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

Note: the 830KB e97b5683...exe.exe and the 26KB file together match the 856KB of the submitted sample (sizes are rounded), which is consistent with the sample being split into a restored host executable and a separate ~26KB component. This is an inference from the sizes; the report does not confirm the split.
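The dropped-file hashes above, the _desktop.ini markers listed under "Drops file in Program Files directory", and the three files created directly in C:\Windows\ (Logo1_.exe, rundl132.exe, vDll.dll) are the on-disk indicators a responder would sweep a host for. The Python script below is an added example, not part of the report: it carries the eight SHA256 values transcribed from the General and Downloads sections, the marker name and the three C:\Windows\ file names, and walks a directory tree looking for them. Because it has to run offline, it builds a small constructed directory layout in a temporary folder that mirrors the report's paths, with placeholder bytes in place of the real files; the function names, the constructed content and the decision to hash every file under the Program Files roots are this example's own. Two details a sweep must get right are encoded in it: the marker has a leading underscore, so Windows' own desktop.ini must not be flagged, and rundl132.exe (letter l, digit 1) is a lookalike of the legitimate System32\rundll32.exe, so the match is on exact name under the Windows root only.

```python
"""Host sweep for the on-disk indicators recorded in this report.

Added example, not part of the sandbox report. Hashes and file names are
transcribed from the report; the directory layout it is run against here
is constructed in a temporary folder so the script works offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# SHA256 -> label, from the General and Downloads sections of the report.
REPORT_SHA256: Dict[str, str] = {
    "e97b5683b4adfe2b5c49e77d10e648a1b60a840775453e8da11d68025ba207b6": "submitted sample (856KB)",
    "cd3b50670cf733b2bc7e6f976994e022436935d5b9c02c85221e3be38c5030de": "dropped file (251KB)",
    "d7c988696adfe1d7d6d1c6d4c93d8c6e261ccd56c2a79b6e4b2dfb85efd3b7fd": "dropped file (570KB)",
    "82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c": "windowsdesktop-runtime-8.0.2-win-x64.exe (636KB)",
    "3b772d90419a00a8ebb7c67dd1901577038f5ab8465da4f11d4af47f1ab0397f": "dropped file (722B)",
    "4e28bf0babce84d1408229a2adb37ed7a57b81ee087304f3e5cd82327bd6c18b": "e97b5683...exe.exe (830KB)",
    "6e6e8616254a317bfc26678980eeb6e46c8601f527d35544e6313e3976cea832": "dropped file (26KB)",
    "47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42": "dropped file (9B)",
}
# Files the report shows created directly under C:\Windows\ (compared case-insensitively).
# "rundl132.exe" (letter l, digit 1) imitates the legitimate System32\rundll32.exe.
WINDOWS_ROOT_ARTIFACTS = {"logo1_.exe", "rundl132.exe", "vdll.dll"}
# Marker dropped into 60+ Program Files directories. Windows' own folder file is
# "desktop.ini" with no leading underscore, so the underscore is the discriminator.
MARKER = "_desktop.ini"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(program_files_roots: Iterable[str], windows_root: str,
          known_bad: Dict[str, str] = REPORT_SHA256) -> Dict[str, list]:
    """Return marker directories, Windows-root artifacts and hash matches (all as paths)."""
    markers: List[str] = []
    artifacts: List[str] = []
    hash_hits: List[str] = []
    for root in program_files_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if name.lower() == MARKER:
                    markers.append(dirpath)
                if sha256_file(full) in known_bad:   # hashes every file; slow on a real host
                    hash_hits.append(full)
    for entry in os.scandir(windows_root):           # root of C:\Windows only, not System32
        if entry.is_file() and entry.name.lower() in WINDOWS_ROOT_ARTIFACTS:
            artifacts.append(entry.path)
            if sha256_file(entry.path) in known_bad:
                hash_hits.append(entry.path)
    return {"markers": sorted(markers), "windows_artifacts": sorted(artifacts),
            "hash_hits": sorted(hash_hits)}


def build_constructed_tree(base: str):
    """Constructed layout mirroring the report's paths; file content is placeholder bytes."""
    pf = Path(base) / "Program Files"
    for sub in ("Windows Defender", "Windows Security"):       # two of the report's marker dirs
        (pf / sub).mkdir(parents=True)
        (pf / sub / "_desktop.ini").write_bytes(b"")
    (pf / "Legit App").mkdir()
    (pf / "Legit App" / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")   # benign, no underscore
    win = Path(base) / "Windows"
    (win / "System32").mkdir(parents=True)
    (win / "System32" / "rundll32.exe").write_bytes(b"legitimate name, stand-in bytes")
    (win / "Logo1_.exe").write_bytes(b"constructed Logo1_ stand-in")
    (win / "rundl132.exe").write_bytes(b"constructed rundl132 stand-in")
    return [str(pf)], str(win)


def demo() -> Dict[str, list]:
    """Run the sweep on the constructed tree; paths are returned relative to its base."""
    with tempfile.TemporaryDirectory() as tmp:
        roots, win = build_constructed_tree(tmp)

        def rel(p: str) -> str:
            return Path(p).relative_to(tmp).as_posix()

        result = {k: [rel(p) for p in v] for k, v in sweep(roots, win).items()}
        # The report's hashes cannot match placeholder bytes, so also show a hit using the
        # digest of one constructed file as a stand-in indicator.
        stand_in = {sha256_file(os.path.join(win, "Logo1_.exe")): "constructed stand-in"}
        result["constructed_ioc_hits"] = [rel(p) for p in sweep(roots, win, stand_in)["hash_hits"]]
    return result


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

On the constructed tree the sweep reports the two marker directories, the two lookalike files in the Windows root, no hits against the report's hashes (the placeholder bytes cannot match them), and one hit once a constructed digest is supplied as the indicator. On a real host you would call `sweep([r"C:\Program Files", r"C:\Program Files (x86)"], r"C:\Windows")` and treat any marker directory or Windows-root artifact as a lead even when no hash matches, because the report shows the dropped files being modified after creation.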