Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 18:39
Static task: static1
Behavioral task: behavioral1
  Sample: 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
  Resource: win10v2004-20240508-en
General
Target: 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
Size: 3.5MB
MD5: 20a163251d455bb56f0e34dbe85f31e5
SHA1: 762ce8247d2cea1d049c219d50328d683e6977f6
SHA256: 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3
SHA512: 239c94f35770bd9d517e1012673b564b75fd9d2f894313339dfbdccc5c7fa59222259b39c206270f980dc7e5e1b45db893d866327ad35d3609cc62fbc042ae1f
SSDEEP: 49152:N7Nzho0LuviX3KGXgr4rLh5i4NSjFBhm5Tksb59AR4JGt+RxBT/b+/Eyfh/:R97KGXCMi1m5Ysb+8pTs
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2864)
- Executes dropped EXE (2 IoCs)
  Processes: Logo1_.exe (PID 1752), 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe (PID 2748)
- Loads dropped DLL (1 IoC)
  Processes: cmd.exe (PID 2864)
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Logo1_.exe opened (read-only) the drive roots \??\X:, \??\V:, \??\L:, \??\O:, \??\K:, \??\H:, \??\Z:, \??\U:, \??\N:, \??\M:, \??\J:, \??\I:, \??\E:, \??\Y:, \??\W:, \??\T:, \??\S:, \??\R:, \??\Q:, \??\P:, \??\G:
- Drops file in Program Files directory (64 IoCs)
  Processes: Logo1_.exe
- Drops file in Windows directory (4 IoCs)
  Processes: 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe, Logo1_.exe
    File created C:\Windows\Logo1_.exe by 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
    File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
    File created C:\Windows\vDll.dll by Logo1_.exe
    File created C:\Windows\rundl132.exe by 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: Logo1_.exe (PID 1752), 10 identical entries
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe, Logo1_.exe, net.exe
    PID 1200 (38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe) wrote to memory of PID 2864 (cmd.exe), 4 entries
    PID 1200 (38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe) wrote to memory of PID 1752 (Logo1_.exe), 4 entries
    PID 1752 (Logo1_.exe) wrote to memory of PID 2776 (net.exe), 4 entries
    PID 2776 (net.exe) wrote to memory of PID 2012 (net1.exe), 4 entries
    PID 1752 (Logo1_.exe) wrote to memory of PID 1268 (Explorer.EXE), 2 entries
Processes
(level 1) C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1268
  (level 2) C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1200
    (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5D9A.bat
      - Deletes itself
      - Loads dropped DLL
      PID: 2864
      (level 4) C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe"
        - Executes dropped EXE
        PID: 2748
    (level 3) C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1752
      (level 4) C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2776
        (level 5) C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2012
Network
MITRE ATT&CK Enterprise v15
Downloads