Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 18:40
Static task: static1
Behavioral task: behavioral1
  Sample: b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
  Resource: win10v2004-20240226-en
General
Target: b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
Size: 53KB
MD5: bb42d368117036f966ac637320573196
SHA1: b7bb262aa512d4fd1f534d4d931d8461bf1d24db
SHA256: b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2
SHA512: 785e1262a293d29c89dc5abf291f5792f212bf02048a869d0ccb0e1c237b7b4f6941ad9f4928a5708f30a41b3b0f8876eb95cff9bf561126d8f1bb8b446daf20
SSDEEP: 768:r1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLpL/QasvFEpYinAMxklal9qYi2lauQ:BfgLdQAQfcfymN1L/Uve7Hxaio7YZxG
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe, b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
pid | process
5036 | Logo1_.exe
1088 | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
description | ioc | process
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Mu\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | Logo1_.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Notifications\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Offline\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\he-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini | Logo1_.exe
- Drops file in Windows directory (4 IoCs)
Processes: Logo1_.exe, b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
description | ioc | process
File created | C:\Windows\vDll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
File created | C:\Windows\Logo1_.exe | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes: Logo1_.exe
pid | process
5036 | Logo1_.exe (20 identical entries)
- Suspicious use of WriteProcessMemory (17 IoCs)
Processes: b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe, Logo1_.exe, cmd.exe, net.exe
description | pid | process | target process
PID 3292 wrote to memory of 3544 | 3292 | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe | cmd.exe
PID 3292 wrote to memory of 3544 | 3292 | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe | cmd.exe
PID 3292 wrote to memory of 3544 | 3292 | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe | cmd.exe
PID 3292 wrote to memory of 5036 | 3292 | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe | Logo1_.exe
PID 3292 wrote to memory of 5036 | 3292 | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe | Logo1_.exe
PID 3292 wrote to memory of 5036 | 3292 | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe | Logo1_.exe
PID 5036 wrote to memory of 2672 | 5036 | Logo1_.exe | net.exe
PID 5036 wrote to memory of 2672 | 5036 | Logo1_.exe | net.exe
PID 5036 wrote to memory of 2672 | 5036 | Logo1_.exe | net.exe
PID 3544 wrote to memory of 1088 | 3544 | cmd.exe | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 3544 wrote to memory of 1088 | 3544 | cmd.exe | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 3544 wrote to memory of 1088 | 3544 | cmd.exe | b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 2672 wrote to memory of 960 | 2672 | net.exe | net1.exe
PID 2672 wrote to memory of 960 | 2672 | net.exe | net1.exe
PID 2672 wrote to memory of 960 | 2672 | net.exe | net1.exe
PID 5036 wrote to memory of 3332 | 5036 | Logo1_.exe | Explorer.EXE
PID 5036 wrote to memory of 3332 | 5036 | Logo1_.exe | Explorer.EXE
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3332
  C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3292
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a11CE.bat
      - Suspicious use of WriteProcessMemory
      PID: 3544
      C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe"
        - Executes dropped EXE
        PID: 1088
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 5036
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2672
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 960
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
  PID: 4312
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 251KB
  MD5: a33a8079a96b84fb107ee4603ea5a431
  SHA1: 4d57eace6522d58ce571c31103ce1335cac7a334
  SHA256: 3ca9dbf486bbdef38ddf2102a532563ab20f4d767c5e6228f39e606e626e76d8
  SHA512: 29ec766ea39de2e24661a6444590fcd3421dfaf8e2f9edc6b7420331b455e9726759add01d9f53862341b7563042f089c64703edfcc38afa5f26e1e4bb64709b
- Filesize: 570KB
  MD5: 30008560b9177bfb052f3a9762fdeae3
  SHA1: f2efbe2b8d8cdc97929a61e68aea51b7e1b1a255
  SHA256: 7df732e0ff8923eab2f1206791b2a9b88d834fc10333dbde8f4ed8c47b23f3fe
  SHA512: 7468e1f8e8acd12dd0a97d21350cf5e6fe0463819bdd897a5158bce5186757189b363c4b2b926c048548a3fb76f415b4635e11ad50912da0ac3a57e0922f4b0b
- Filesize: 722B
  MD5: 97d0a3fae6be4ca9fbb1feb03ee27d9f
  SHA1: 23c3a2cb348b8c6971b9506f57d28ff9ab2a4b4e
  SHA256: 6f3d26028d309ab9206d65ed99d2dea7c1d11f7ae8f5cb4be255c984ec3b40c2
  SHA512: 9658bcce2044f7bcca2a319c11c84acbc8d34e826757aff1473b07734234b5c719ccbd3960ff4f86a130f037c92e7257768171059e7cd0e7af8ab044061c751d
- C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe.exe
  Filesize: 26KB
  MD5: 9e4d73e24d912baa6e20a98fa4f98df3
  SHA1: 965fbbbaa4156dcb5c6391df4d245bbf94d62c0f
  SHA256: 28c6ce3582292ca5df81b9f8996369e82d489cc894cba9ed6b3e6678e67fc7f1
  SHA512: 0fc58e74c7a0773a6338c35656484f2e5682a55a9c6ca03bc479728c617afc99295a3dcb52d7d414d8f5cb9c37704886f54e26acf47a3d69ebb931ce2e3bd4f2
- Filesize: 26KB
  MD5: 2fa7d646424dcabdc763a482ed72338a
  SHA1: 2917f669560129d017d689b255ff05b848a6fcd0
  SHA256: b6e3f8544ab9ccaaf1cb6cc51639b7173edb46f7fc186b908d8bcd50b731da69
  SHA512: 02230628e90c8ae3397fa1c1908c9d4d27c112c7986ab6630608ce16054b1731bb06f3a129657c25a32214bd2451fe36b3f0e649073f5b8b6c86dca42d4b317b
- Filesize: 9B
  MD5: 4f2460b507685f7d7bfe6393f335f1c9
  SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
  SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
  SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb