Analysis

max time kernel: 149s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 18:42
Static task: static1

Behavioral task: behavioral1
  Sample: baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
  Resource: win10v2004-20240508-en
General

Target: baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
Size: 1007KB
MD5: b6b4b30b82e3cc4d31844b73d89ad496
SHA1: d295439b929266922024307c4503c3a824851ea2
SHA256: baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9
SHA512: b56e6cd35f5f6c3271bc89b0f9649157cf704279b616e85ad85827175dc5936f669e5217dc4b4a41360c12fbe7940757e8a320e4b97ec65f529233e67a353943
SSDEEP: 12288:K7+PZK9I7MNmnx6Fg7kbiKFtC+eHNXXuz8sxKp7hIxLBy8omtm0/jG8Dqc:K7SiL28btC+co3LBy8omo07G8Dqc
Signatures

Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe, baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
  PID 4788  Logo1_.exe
  PID 2000  baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
  File opened (read-only) by Logo1_.exe: \??\H:, \??\P:, \??\O:, \??\J:, \??\E:, \??\U:, \??\T:, \??\M:, \??\R:, \??\Q:, \??\N:, \??\K:, \??\Z:, \??\Y:, \??\S:, \??\L:, \??\I:, \??\G:, \??\X:, \??\W:, \??\V:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
Processes: baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe, Logo1_.exe
  File created                  C:\Windows\Logo1_.exe     baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
  File opened for modification  C:\Windows\rundl132.exe   Logo1_.exe
  File created                  C:\Windows\vDll.dll       Logo1_.exe
  File created                  C:\Windows\rundl132.exe   baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes: Logo1_.exe
  PID 4788  Logo1_.exe  (20 occurrences)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe, Logo1_.exe, net.exe, cmd.exe
  PID 972 (baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe) wrote to memory of PID 2352 (cmd.exe), 3 times
  PID 972 (baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe) wrote to memory of PID 4788 (Logo1_.exe), 3 times
  PID 4788 (Logo1_.exe) wrote to memory of PID 620 (net.exe), 3 times
  PID 620 (net.exe) wrote to memory of PID 2796 (net1.exe), 3 times
  PID 2352 (cmd.exe) wrote to memory of PID 2000 (baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe), 3 times
  PID 4788 (Logo1_.exe) wrote to memory of PID 3404 (Explorer.EXE), 2 times
Processes

PID 3404  C:\Windows\Explorer.EXE
          command line: C:\Windows\Explorer.EXE
  PID 972   C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe"
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
    PID 2352  C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4268.bat
              - Suspicious use of WriteProcessMemory
      PID 2000  C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe"
                - Executes dropped EXE
    PID 4788  C:\Windows\Logo1_.exe
              command line: C:\Windows\Logo1_.exe
              - Executes dropped EXE
              - Enumerates connected drives
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
      PID 620   C:\Windows\SysWOW64\net.exe
                command line: net stop "Kingsoft AntiVirus Service"
                - Suspicious use of WriteProcessMemory
        PID 2796  C:\Windows\SysWOW64\net1.exe
                  command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15