Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
13-06-2024 18:42
Static task
static1
Behavioral task
behavioral1
Sample
c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
Resource
win10v2004-20240508-en
General
-
Target
c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
-
Size
315KB
-
MD5
aae6ff591c23aa7c3e92d4af468e1dac
-
SHA1
e30862d6b43e82742ede4873b31f3309bfa8c280
-
SHA256
c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7
-
SHA512
48c083b85db4853dfc6afc5c895d0ca72ab81e974b590f3dbea6573cec52f820661f7a5d43b427d1d049727d278d47f0b3fff13254f0d1effa986e3d55ace2aa
-
SSDEEP
6144:vCFplxdBHxlO2XGytf/NMA7+wPy/Miv+kzBSICpi+jyxP/O3goa:8pHHxlO/gf/WA7DhPa
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
PID 2928 cmd.exe
-
Executes dropped EXE 2 IoCs
Processes:
PID 2936 Logo1_.exe
PID 2976 c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
-
Loads dropped DLL 1 IoCs
Processes:
PID 2928 cmd.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Process: Logo1_.exe
File opened (read-only): \??\Y:, \??\V:, \??\R:, \??\P:, \??\J:, \??\K:, \??\G:, \??\Z:, \??\T:, \??\S:, \??\N:, \??\M:, \??\U:, \??\Q:, \??\O:, \??\E:, \??\X:, \??\W:, \??\L:, \??\I:, \??\H:
-
Drops file in Program Files directory 64 IoCs
Processes:
Process: Logo1_.exe
- File created: C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files\Java\jre7\bin\klist.exe
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\_desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
- File created: C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini
- File created: C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini
- File created: C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini
- File created: C:\Program Files\Java\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini
- File created: C:\Program Files\Java\jre7\lib\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft.NET\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
- File opened for modification: C:\Program Files\Java\jre7\bin\rmiregistry.exe
- File created: C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe
- File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini
- File opened for modification: C:\Program Files\Windows Defender\fr-FR\_desktop.ini
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini
- File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini
Note: the marker written into each directory is _desktop.ini with a leading underscore, not the legitimate Explorer metadata file desktop.ini. The entries naming klist.exe, ODeploy.exe, javacpl.exe, OUTLOOK.EXE, GoogleUpdateCore.exe, rmiregistry.exe and GoogleCrashHandler.exe are executables opened for modification; on a suspected host those binaries should be hashed and compared with known-good copies rather than trusted by name.
-
Drops file in Windows directory 4 IoCs
Processes:
Processes: c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe, Logo1_.exe
- File created: C:\Windows\rundl132.exe (c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe)
- File created: C:\Windows\Logo1_.exe (c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\vDll.dll (Logo1_.exe)
Note: rundl132.exe (digit 1 in place of the second l) is a lookalike of the legitimate rundll32.exe, which lives in C:\Windows\System32 and C:\Windows\SysWOW64, not directly under C:\Windows. All three dropped files sit in the Windows root, where a user-mode sample should have nothing to write.
-
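The two file-drop sections above show Logo1_.exe creating a _desktop.ini marker (leading underscore; the legitimate Explorer file is desktop.ini) across dozens of application directories, opening executables such as OUTLOOK.EXE, klist.exe and GoogleUpdateCore.exe for modification, and placing rundl132.exe, Logo1_.exe and vDll.dll directly under C:\Windows. The Python below is an added host-triage example written for this page, not sandbox output or any vendor's tooling: it sweeps a directory tree for the underscore marker, lists the .exe files beside each marker as candidates for hash comparison against known-good copies, and hashes whichever of the three report-named files are present in the Windows directory. The fixture it builds in a temp directory is constructed for the example; the MARKER_NAME and WINDOWS_DROPS constants are taken from the report, everything else is this example's own.

```python
"""Host-side sweep for the file artifacts in this report (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

MARKER_NAME = "_desktop.ini"                                # leading underscore, per the report
WINDOWS_DROPS = ("rundl132.exe", "Logo1_.exe", "vDll.dll")  # names dropped into C:\Windows


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not get read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_marker_dirs(root: Path) -> dict:
    """Map each directory under root holding the marker to the .exe names beside it.

    Keys are POSIX-style paths relative to root; name matching is case-insensitive
    because NTFS is. A plain desktop.ini (no underscore) is deliberately not a hit.
    """
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        if any(f.lower() == MARKER_NAME for f in files):
            exes = sorted(f for f in files if f.lower().endswith(".exe"))
            hits[Path(dirpath).relative_to(root).as_posix()] = exes
    return hits


def check_windows_dir(windows_dir: Path) -> dict:
    """SHA-256 of each report-named artifact present directly in the Windows directory."""
    return {name: sha256_of(windows_dir / name)
            for name in WINDOWS_DROPS if (windows_dir / name).is_file()}


def build_fixture(root: Path) -> None:
    """Constructed layout echoing a few report paths; file contents are placeholders."""
    vlc = root / "Program Files" / "VideoLAN" / "VLC"
    vlc.mkdir(parents=True)
    (vlc / MARKER_NAME).write_bytes(b"[.ShellClassInfo]\r\n")
    (vlc / "vlc.exe").write_bytes(b"MZ placeholder")
    clean = root / "Program Files" / "Clean App"
    clean.mkdir(parents=True)
    (clean / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")  # legitimate name, must not hit
    win = root / "Windows"
    win.mkdir()
    (win / "rundl132.exe").write_bytes(b"x")


def demo() -> dict:
    """Run the sweep over the constructed fixture; on a real host pass the live roots instead."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return {
            "marker_dirs": find_marker_dirs(root / "Program Files"),
            "windows_drops": check_windows_dir(root / "Windows"),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a live host call find_marker_dirs on each Program Files root and check_windows_dir on C:\Windows; the hashes it prints can be compared with the values in the Downloads section of this report, and any .exe listed beside a marker should be compared with a known-good copy of the same version.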
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
PID 2936 Logo1_.exe (10 entries)
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
Processes: c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe, Logo1_.exe, cmd.exe, net.exe
- PID 2444 (c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe) wrote to memory of PID 2928 (cmd.exe): 4 entries
- PID 2444 (c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe) wrote to memory of PID 2936 (Logo1_.exe): 4 entries
- PID 2936 (Logo1_.exe) wrote to memory of PID 2200 (net.exe): 4 entries
- PID 2928 (cmd.exe) wrote to memory of PID 2976 (c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe): 4 entries
- PID 2200 (net.exe) wrote to memory of PID 2624 (net1.exe): 4 entries
- PID 2936 (Logo1_.exe) wrote to memory of PID 1200 (Explorer.EXE): 2 entries
Processes
-
Image: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
PID: 1200
-
  Image: C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 2444
  -
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1C18.bat
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2928
    -
      Image: C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe"
      - Executes dropped EXE
      PID: 2976
    -
    Image: C:\Windows\Logo1_.exe
    Command line: C:\Windows\Logo1_.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2936
    -
      Image: C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 2200
      -
        Image: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 2624
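The process tree above has three lineage features a detection rule can key on: the sample in the user's Temp directory spawns cmd.exe on a $$a1C18.bat in Temp (flagged "Deletes itself") and that cmd.exe re-executes the original binary; the sample starts C:\Windows\Logo1_.exe, an executable sitting directly in the Windows root; and Logo1_.exe runs net.exe, which hands off to net1.exe, to stop an antivirus service. The Python below is an added example written for this page, not sandbox output or any vendor's rule: it encodes the report's PIDs, images and command lines as constructed process-creation events and runs three lineage checks over them. The ProcEvent record, the regexes, the AV keyword list and the rule names are this example's own assumptions, not anything the sandbox emits.

```python
"""Lineage checks for the process tree in this report (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe")

# Constructed process-creation events mirroring the report's tree (ppid 0 = unknown parent).
EVENTS = [
    ProcEvent(1200, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2444, 1200, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2928, 2444, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1C18.bat"),
    ProcEvent(2936, 2444, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2976, 2928, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2200, 2936, r"C:\Windows\SysWOW64\net.exe",
              'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(2624, 2200, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

# A $$<something>.bat under the user's Temp directory, the naming seen in the report.
TEMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\\$\$[^\\\s]*\.bat", re.IGNORECASE)
# "stop <service>" at the end of a net / net1 command line, quoted or not.
NET_STOP_RE = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
AV_WORDS = ("antivirus", "anti-virus", "defender", "security", "protect")
# An .exe directly in the Windows directory rather than in a subdirectory.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(index: dict, pid: int) -> list:
    """PIDs from pid up to the root, following ppid links (cycle-safe)."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = index[pid].ppid
    return chain


def detect(events) -> list:
    """Return (rule, pid, related_pids) for every event that matches a rule."""
    index = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        name = basename(e.image)
        parent = index.get(e.ppid)
        # Rule 1: cmd.exe runs a $$*.bat from Temp and re-launches its parent's image,
        # the self-delete-and-relaunch step in the report's tree.
        if name == "cmd.exe" and parent and TEMP_BAT_RE.search(e.cmdline):
            relaunch = [c.pid for c in children.get(e.pid, [])
                        if c.image.lower() == parent.image.lower()]
            if relaunch:
                findings.append(("temp_batch_relaunch", e.pid, relaunch))
        # Rule 2: net / net1 stopping a service whose name looks like a security product;
        # the full ancestry is attached because net1.exe's parent is always net.exe.
        if name in ("net.exe", "net1.exe"):
            m = NET_STOP_RE.search(e.cmdline)
            if m and any(w in m.group(1).lower() for w in AV_WORDS):
                findings.append(("av_service_stop", e.pid, ancestry(index, e.pid)))
        # Rule 3: an .exe directly under C:\Windows started by a process running from user Temp.
        if (WINDOWS_ROOT_EXE_RE.match(e.image) and name != "explorer.exe"
                and parent and USER_TEMP_RE.search(parent.image)):
            findings.append(("windows_root_exe_from_temp", e.pid, [parent.pid]))
    return findings


if __name__ == "__main__":
    for rule, pid, related in detect(EVENTS):
        print(f"{rule:28} pid={pid} related={related}")
```

Fed real Sysmon event 1 or EDR process-creation records mapped onto ProcEvent, rule 2 alone would also fire on a legitimate administrator stopping a security service, so in production it belongs paired with rule 3 or with the ancestry check (a net stop whose grandparent runs from a user's Temp directory), which is exactly the lineage this report shows.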
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
252KB
MD5
0b2679dc1eb882abf56d11ca591aeb76
SHA1
7a5c7ff9a42f9c84873d269d1e776a89045a1f45
SHA256
3d1b129d45f7fe6c861e380906a0c97576a804240426a0d2408f131cbaedc354
SHA512
8661ecb16631ac033db4d7ee8aa291647ca3311888988693633acd1a69fd9d6eb890c94c97656602c47964219a082f875bce41710fe036cf546c29ae49e2e114
-
Filesize
472KB
MD5
88eb1bca8c399bc3f46e99cdde2f047e
SHA1
55fafbceb011e1af2edced978686a90971bd95f2
SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428
SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728
-
Filesize
722B
MD5
1b7db488ee12fd97bcb8cf29a582e12f
SHA1
14552a3f990f3e31c4f2bfe0b4a1bd6bbcc992f6
SHA256
bef61d81f288e3ec4522e9926adfeee6bb753b8f3c03d7e2b8d94efefb456cdf
SHA512
71da7c1e70914d5f637c6a10ac0175637dc07c634de0b51e0e466c73fc47bcd2bc22313840ffefae8eff28a72ab6c84ad0ac7846e5d510e2465ac00bb07e1cb4
-
C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe.exe
Filesize
288KB
MD5
bf261e4750c3149989422b64ca0a8c61
SHA1
d4de22caa39df29160c0d74ca43aa0a124add689
SHA256
bbb18f78f5b4892c1e8d0d5285b1c2ecd744b9bd44ecf614117b4b4694d5a5af
SHA512
3c7e86ab252b9132ff3d9ebeebb1597f8a5860a2e664ba9f99dafbb54b10bd807cf7ba3a1e7ff0fac3ecaa39edc6613fd5a4735275862326d30b3a80c573113f
-
Filesize
27KB
MD5
d0d42004d5e14fecf764dc99963c82fa
SHA1
2b05a3b17e23a16df2a838d31d8c4113993dd833
SHA256
fe58d080c6a43f69deaec1b3fa9ffa2963dd9a3384b6f3aa9895c4dd2c485a8f
SHA512
72f9b71e46512dfcec9bd294930cc9a01acdb8c5b33a3c9a48c9475889f300e35d13191e5868c9798fd335af5a32793f19180b9d015ec18d2b112d0ac1749bee
-
Filesize
9B
MD5
4f2460b507685f7d7bfe6393f335f1c9
SHA1
378d42f114b1515872e58de6662373af31ab8c7b
SHA256
47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512
75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb