Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 18:39
Static task
static1
Behavioral task
behavioral1
Sample
38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
Resource
win10v2004-20240508-en
General
-
Target
38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe
-
Size
3.5MB
-
MD5
20a163251d455bb56f0e34dbe85f31e5
-
SHA1
762ce8247d2cea1d049c219d50328d683e6977f6
-
SHA256
38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3
-
SHA512
239c94f35770bd9d517e1012673b564b75fd9d2f894313339dfbdccc5c7fa59222259b39c206270f980dc7e5e1b45db893d866327ad35d3609cc62fbc042ae1f
-
SSDEEP
49152:N7Nzho0LuviX3KGXgr4rLh5i4NSjFBhm5Tksb59AR4JGt+RxBT/b+/Eyfh/:R97KGXCMi1m5Ysb+8pTs
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
- Logo1_.exe (PID 1692)
- 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe (PID 1428)
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- Logo1_.exe opened the following drive root paths (read-only): \??\U:, \??\P:, \??\N:, \??\K:, \??\E:, \??\Y:, \??\X:, \??\V:, \??\S:, \??\J:, \??\I:, \??\W:, \??\Q:, \??\H:, \??\G:, \??\Z:, \??\T:, \??\R:, \??\O:, \??\M:, \??\L:
Drops file in Program Files directory 64 IoCs
Processes:
Drops file in Windows directory 4 IoCs
Processes:
- File opened for modification: C:\Windows\rundl132.exe (by Logo1_.exe)
- File created: C:\Windows\vDll.dll (by Logo1_.exe)
- File created: C:\Windows\rundl132.exe (by 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe)
- File created: C:\Windows\Logo1_.exe (by 38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe)
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
- PID 1692 Logo1_.exe (20 occurrences)
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
- PID 216 (38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe) wrote to memory of PID 1816 (cmd.exe), 3 times
- PID 216 (38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe) wrote to memory of PID 1692 (Logo1_.exe), 3 times
- PID 1692 (Logo1_.exe) wrote to memory of PID 2832 (net.exe), 3 times
- PID 2832 (net.exe) wrote to memory of PID 1080 (net1.exe), 3 times
- PID 1692 (Logo1_.exe) wrote to memory of PID 3420 (Explorer.EXE), 2 times
Processes
1. C:\Windows\Explorer.EXE (PID 3420)
   Command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe (PID 216)
      Command line: "C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 1816)
         Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A67.bat
         4. C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe (PID 1428)
            Command line: "C:\Users\Admin\AppData\Local\Temp\38626b8b087432e7c9736884292a7654226327b061ab2d7c5328bd9faad491d3.exe"
            - Executes dropped EXE
      3. C:\Windows\Logo1_.exe (PID 1692)
         Command line: C:\Windows\Logo1_.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net.exe (PID 2832)
            Command line: net stop "Kingsoft AntiVirus Service"
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\net1.exe (PID 1080)
               Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads