Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted
13-06-2024 18:42
Static task
static1
Behavioral task
behavioral1
Sample
baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
Resource
win10v2004-20240508-en
General
-
Target
baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
-
Size
1007KB
-
MD5
b6b4b30b82e3cc4d31844b73d89ad496
-
SHA1
d295439b929266922024307c4503c3a824851ea2
-
SHA256
baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9
-
SHA512
b56e6cd35f5f6c3271bc89b0f9649157cf704279b616e85ad85827175dc5936f669e5217dc4b4a41360c12fbe7940757e8a320e4b97ec65f529233e67a353943
-
SSDEEP
12288:K7+PZK9I7MNmnx6Fg7kbiKFtC+eHNXXuz8sxKp7hIxLBy8omtm0/jG8Dqc:K7SiL28btC+co3LBy8omo07G8Dqc
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
pid 2812  cmd.exe
Executes dropped EXE 2 IoCs
Processes:
pid 2080  Logo1_.exe
pid 2676  baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
Loads dropped DLL 1 IoCs
Processes:
pid 2812  cmd.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Process: Logo1_.exe (all 21 entries)
File opened (read-only) on each of: \??\Z: \??\Y: \??\X: \??\K: \??\E: \??\W: \??\S: \??\J: \??\I: \??\G: \??\T: \??\R: \??\Q: \??\P: \??\O: \??\L: \??\H: \??\V: \??\U: \??\N: \??\M:
Drops file in Program Files directory 64 IoCs
Processes:
Process: Logo1_.exe (all 64 entries; the list is capped by the sandbox at 64)
File opened for modification  C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini
File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini
File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini
File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini
File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini
File opened for modification  C:\Program Files\Java\jre7\bin\rmid.exe
File opened for modification  C:\Program Files\Windows Defender\_desktop.ini
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini
File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini
File created                  C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\_desktop.ini
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini
File created                  C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini
File created                  C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini
File created                  C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini
File created                  C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini
File created                  C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
File created                  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\_desktop.ini
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini
File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini
File created                  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini
File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini
File created                  C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini
File created                  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini
File opened for modification  C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\_desktop.ini
File created                  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini
File created                  C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini
File created                  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe
File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini
File created                  C:\Program Files\Java\jre7\lib\cmm\_desktop.ini
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini
File opened for modification  C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini
File created                  C:\Program Files\MSBuild\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini
File opened for modification  C:\Program Files (x86)\Windows Media Player\setup_wm.exe
File opened for modification  C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini
File created                  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini
Drops file in Windows directory 4 IoCs
Processes:
File created                  C:\Windows\rundl132.exe   by baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
File created                  C:\Windows\Logo1_.exe     by baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
File opened for modification  C:\Windows\rundl132.exe   by Logo1_.exe
File created                  C:\Windows\vDll.dll       by Logo1_.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid 2080  Logo1_.exe  (10 identical events)
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
source PID  source process                                                              target PID  target process   events
3012        baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe        2812        cmd.exe          4
3012        baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe        2080        Logo1_.exe       4
2812        cmd.exe                                                                     2676        baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe  4
2080        Logo1_.exe                                                                  2660        net.exe          4
2660        net.exe                                                                     2756        net1.exe         4
2080        Logo1_.exe                                                                  1152        Explorer.EXE     2
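The file signatures above are the part of the report an analyst usually has to turn into something actionable: which existing executables on the box were written to, which files were dropped, and which are only the _desktop.ini markers Logo1_.exe leaves in nearly every directory it walks. The sandbox presents each IoC as a description / ioc / process triple, and a text export runs those triples together on one line. The following is an added example, not part of the sandbox report, of a parser for those rows plus the triage summary built from them. The input is a constructed excerpt of six rows taken from this report; the bucket names and the decision to drop _desktop.ini from the hunt list are the author's choices.

```python
import re
from collections import Counter

# Constructed input: six "description / ioc / process" rows from the
# "Drops file in ..." signatures of this report, run together on one
# line the way a text export of the sandbox's HTML table produces them.
SAMPLE_ROWS = (
    "File opened for modification C:\\Program Files\\Java\\jre7\\bin\\rmid.exe Logo1_.exe "
    "File created C:\\Program Files\\MSBuild\\_desktop.ini Logo1_.exe "
    "File opened for modification C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe Logo1_.exe "
    "File created C:\\Windows\\vDll.dll Logo1_.exe "
    "File created C:\\Windows\\Logo1_.exe "
    "baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe "
    "File opened for modification C:\\Windows\\rundl132.exe Logo1_.exe"
)

# One row = action, a path that may contain spaces, then the acting process.
# The path is matched lazily and the lookahead forces the process token to be
# the last thing before the next "File ..." action (or end of text), which is
# what makes spaces inside "Program Files (x86)" paths unambiguous.
ROW_RE = re.compile(
    r"(?P<action>File created|File opened for modification|File opened \(read-only\))\s+"
    r"(?P<path>.+?)\s+(?P<process>\S+\.exe)(?=\s+File\b|\s*$)"
)


def parse_rows(text):
    """Return a list of {'action', 'path', 'process'} dicts from flattened row text."""
    return [m.groupdict() for m in ROW_RE.finditer(text)]


def is_marker(path):
    """_desktop.ini written by the sample; too generic a name to hunt on by itself."""
    return path.lower().endswith("\\_desktop.ini")


def summarize(rows):
    """Split the file IoCs into the buckets that matter for triage."""
    modified_exes = sorted(
        r["path"] for r in rows
        if r["action"] == "File opened for modification"
        and r["path"].lower().endswith(".exe")
    )
    markers = sorted(r["path"] for r in rows if is_marker(r["path"]))
    dropped = sorted(
        r["path"] for r in rows
        if r["action"] == "File created" and not is_marker(r["path"])
    )
    return {
        "modified_executables": modified_exes,   # candidates for file infection
        "marker_files": markers,                 # directories the sample walked
        "dropped_payloads": dropped,             # new binaries to collect/hash
        "rows_by_process": dict(Counter(r["process"] for r in rows)),
    }


def hunt_paths(rows):
    """Unique absolute paths worth checking on other hosts (markers excluded)."""
    return sorted({r["path"] for r in rows if not is_marker(r["path"])})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for key, value in summarize(rows).items():
        print(f"{key}: {value}")
    print("hunt:", hunt_paths(rows))
```

On the full 64-row table the same split shows that most rows are marker writes and only a handful are modifications of existing executables (rmid.exe, jstat.exe, ODeploy.exe, javaws.exe, klist.exe, setup_wm.exe); those files, plus C:\Windows\Logo1_.exe, rundl132.exe and vDll.dll, are what to pull from an infected host and compare against the Downloads hashes below.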
Processes
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1152
  C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3012
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1390.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2812
      C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe"
        - Executes dropped EXE
        PID: 2676
    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2080
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2660
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2756
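The process tree is the most directly reusable part of this report for detection engineering: an executable in %TEMP% runs a $$*.bat through cmd.exe, the batch re-launches the original binary and deletes itself, a second-stage binary runs from the root of C:\Windows, and that binary uses net.exe to stop an antivirus service. The following is an added example, not part of the sandbox report, of how those four relationships can be expressed as rules over process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent) and checked against the tree above. The event records are constructed from the PIDs, images and command lines in the report; Explorer's own parent PID and the allowlist of stock C:\Windows root binaries are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (what Sysmon EID 1 gives you)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe")

# Constructed events mirroring the tree in this report (PIDs and command lines
# taken from it; Explorer's parent PID of 0 is an assumption).
EVENTS = [
    ProcEvent(1152, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(3012, 1152, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2812, 3012, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1390.bat"),
    ProcEvent(2676, 2812, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2080, 3012, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2660, 2080, r"C:\Windows\SysWOW64\net.exe",
              'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(2756, 2660, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BATCH_RE = re.compile(r"\\\$\$\w*\.bat\b", re.I)          # ...\$$a1390.bat
CMD_RE = re.compile(r"\\cmd\.exe$", re.I)
NET_RE = re.compile(r"\\net1?\.exe$", re.I)
AV_STOP_RE = re.compile(r"\bstop\b.*anti-?virus", re.I)
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
# Illustrative allowlist of binaries that legitimately live in C:\Windows
# itself; an assumption for the example, not an exhaustive inventory.
WINROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                 "write.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe",
                 "helppane.exe", "fveupdate.exe"}


def detect(events):
    """Return (rule, pid) hits in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None
        # 1. An executable running out of %TEMP% hands control to a $$*.bat
        if parent and TEMP_DIR_RE.search(parent.image) and BATCH_RE.search(e.cmdline):
            hits.append(("temp_exe_runs_batch", e.pid))
        # 2. The batch re-launches the very image its parent was started from
        if (parent and grandparent and CMD_RE.search(parent.image)
                and BATCH_RE.search(parent.cmdline)
                and e.image.lower() == grandparent.image.lower()):
            hits.append(("self_relaunch_via_batch", e.pid))
        # 3. Execution straight from the root of C:\Windows by a non-stock name
        if WINROOT_RE.match(e.image) and e.image.rsplit("\\", 1)[-1].lower() not in WINROOT_ALLOW:
            hits.append(("exec_from_windows_root", e.pid))
        # 4. net/net1 stopping a service whose name says it is antivirus
        if NET_RE.search(e.image) and AV_STOP_RE.search(e.cmdline):
            hits.append(("av_service_stop", e.pid))
    return hits


def ancestry(events, pid):
    """PIDs from the root of the tree down to `pid`, for triage output."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:26} pid={pid} chain={ancestry(EVENTS, pid)}")
```

Rules 1 and 2 together are the signal here: a process in %TEMP% spawning a batch file is noisy on its own, but a cmd.exe running a $$*.bat whose child is the same image as cmd.exe's parent is the drop-relaunch-delete idiom the "Deletes itself" and "Executes dropped EXE" signatures above describe. The WriteProcessMemory into Explorer.EXE cannot be seen in process-creation events and needs a separate source (Sysmon EID 8/10 or equivalent).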
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
251KB
MD5 412c84a84ee1f753aab61983dab81871
SHA1 3ff6d44a264e52f0bc0c644fe399ec99bf9ef013
SHA256 1cfea775593e7ce2c698a171a33c7e21fb545e2c67ba6c47777d8e461ac8f1c4
SHA512 3c52c6534a62bf11eedc332810e04d8854392f546f33736cc88fdaaf9fba0744269bbfd4e75545c0b50f6d0556bb3b855df407bc54e6c5a54f4cbbe5f9b07dd9
-
Filesize
471KB
MD5 99ea9b604a7a734d3087fa6159684c42
SHA1 709fa1068ad4d560fe03e05b68056f1b0bedbfc8
SHA256 3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c
SHA512 7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb
-
Filesize
722B
MD5 164471303740d63fb439151d662d3b12
SHA1 a0b53746bc5de13c907a7bc02954737673797b5b
SHA256 01da07db47e31cb7f06ea6dc9b5d958823de11e5a2d089b08ed1e0541d66463f
SHA512 d3ebab2fe586736dcee709f3bb0694b8d73f9d27e3bedf026ce22a1c86f3f623db12737f011769ec3e4c69d87e094be63ea90e7b13a36a6f3976462887686cc9
-
C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe.exe
Filesize
981KB
MD5 7f3528cd8c220c32eb5453c2e50c2435
SHA1 e7434bb57eec4bbfcb6375ee8c33d5d0a8a1d4e5
SHA256 e83b0a57520815815e5e2e1fb8014f5d340369a2252a1ff97ab67d099c9a4315
SHA512 b73aee0b78051f1b16535282bec757ce516d3a25d9af67cd358100663f352a9a571a6413846a46b96f3ac5b3137bfac418941c79e87ff7b58d41cdaa73051d6f
-
Filesize
26KB
MD5 f0eb54d6d17689ab4e229ce122317bbc
SHA1 93a5a82c43c6d4089ccccfc434985a9c3baa1dc4
SHA256 80da141e0ba00151479dedc491ae3a1d967e9e30f06b29a4eda22d6fd1ba03b6
SHA512 cd5c2bc37516daa390924b54f1108551437988303c4ce7aa33c2bb44418e78a7d68d129fa6769a3eae9fb7aa5281730e8282ab75c06a5cb63cc211f88a213f37
-
Filesize
9B
MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb