Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 18:42
Static task: static1
Behavioral task: behavioral1
  Sample: c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
  Resource: win10v2004-20240508-en
General
Target: c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
Size: 315KB
MD5: aae6ff591c23aa7c3e92d4af468e1dac
SHA1: e30862d6b43e82742ede4873b31f3309bfa8c280
SHA256: c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7
SHA512: 48c083b85db4853dfc6afc5c895d0ca72ab81e974b590f3dbea6573cec52f820661f7a5d43b427d1d049727d278d47f0b3fff13254f0d1effa986e3d55ace2aa
SSDEEP: 6144:vCFplxdBHxlO2XGytf/NMA7+wPy/Miv+kzBSICpi+jyxP/O3goa:8pHHxlO/gf/WA7DhPa
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe, c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
pid | process
3040 | Logo1_.exe
4824 | c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
description | ioc | process
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
description | ioc | process
File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\he-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
Processes: c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe, Logo1_.exe
description | ioc | process
File created | C:\Windows\rundl132.exe | c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
File created | C:\Windows\Logo1_.exe | c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes: Logo1_.exe
pid | process
3040 | Logo1_.exe (the same entry is recorded 20 times)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe, Logo1_.exe, net.exe, cmd.exe
description | pid | process | target process
PID 2512 wrote to memory of 684 | 2512 | c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | cmd.exe (recorded 3 times)
PID 2512 wrote to memory of 3040 | 2512 | c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | Logo1_.exe (recorded 3 times)
PID 3040 wrote to memory of 3164 | 3040 | Logo1_.exe | net.exe (recorded 3 times)
PID 3164 wrote to memory of 4348 | 3164 | net.exe | net1.exe (recorded 3 times)
PID 684 wrote to memory of 4824 | 684 | cmd.exe | c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe (recorded 2 times)
PID 3040 wrote to memory of 3456 | 3040 | Logo1_.exe | Explorer.EXE (recorded 2 times)
Processes (process tree, indented by depth)
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3456
  C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2512
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a687E.bat
      - Suspicious use of WriteProcessMemory
      PID: 684
      C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe"
        - Executes dropped EXE
        PID: 4824
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3040
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 3164
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4348
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 252KB
MD5: 0b2679dc1eb882abf56d11ca591aeb76
SHA1: 7a5c7ff9a42f9c84873d269d1e776a89045a1f45
SHA256: 3d1b129d45f7fe6c861e380906a0c97576a804240426a0d2408f131cbaedc354
SHA512: 8661ecb16631ac033db4d7ee8aa291647ca3311888988693633acd1a69fd9d6eb890c94c97656602c47964219a082f875bce41710fe036cf546c29ae49e2e114

Filesize: 571KB
MD5: 14a1606ee014690541ddd1c51169cba2
SHA1: 2a75e583a802f1737912793c4977721b976a29b8
SHA256: 41a57fc5677fdb1ae06acc8ad9c88f8ca184d986ef55a0551c5558372da8e065
SHA512: cd36672cd1ad94990e928c81e872d2ec9fa0cb0765b0002b5b676d62f801ac6df077ab042eb978a1f9fef644e92d08ef2cdc6f860d2161b0e12848108fa7fef7

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 637KB
MD5: 9cba1e86016b20490fff38fb45ff4963
SHA1: 378720d36869d50d06e9ffeef87488fbc2a8c8f7
SHA256: a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19
SHA512: 2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

Filesize: 722B
MD5: 7d85496401503f3fda0d7e4eaf898608
SHA1: e42950ca88e6f7caa24089b4a7f718e372b6a7b5
SHA256: 631971f8bf3ecedb1c075bd1f57a1fe71fbf824fdbdc2eb790a5644a58662f2c
SHA512: 6ce08b8bb4ee29ca0b29377cdf6768a25e6233dacf0fee2fa1bac3221b0f36dffab7895e668abb32f50f314e1bf02065cd73930f49ca8d0bd09978f6a6577626

C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe.exe
Filesize: 288KB
MD5: bf261e4750c3149989422b64ca0a8c61
SHA1: d4de22caa39df29160c0d74ca43aa0a124add689
SHA256: bbb18f78f5b4892c1e8d0d5285b1c2ecd744b9bd44ecf614117b4b4694d5a5af
SHA512: 3c7e86ab252b9132ff3d9ebeebb1597f8a5860a2e664ba9f99dafbb54b10bd807cf7ba3a1e7ff0fac3ecaa39edc6613fd5a4735275862326d30b3a80c573113f

Filesize: 27KB
MD5: d0d42004d5e14fecf764dc99963c82fa
SHA1: 2b05a3b17e23a16df2a838d31d8c4113993dd833
SHA256: fe58d080c6a43f69deaec1b3fa9ffa2963dd9a3384b6f3aa9895c4dd2c485a8f
SHA512: 72f9b71e46512dfcec9bd294930cc9a01acdb8c5b33a3c9a48c9475889f300e35d13191e5868c9798fd335af5a32793f19180b9d015ec18d2b112d0ac1749bee

Filesize: 9B
MD5: 4f2460b507685f7d7bfe6393f335f1c9
SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb