Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system -
submitted
13-06-2024 18:42
Static task
static1
Behavioral task
behavioral1
Sample
d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
Resource
win10v2004-20240611-en
General
-
Target
d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
-
Size
2.2MB
-
MD5
c0ee066bc5a216173aa05376775358a5
-
SHA1
bc9eaed2ae330447895996b2c345fd92622c17e9
-
SHA256
d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242
-
SHA512
6027046adf3ad949e18dc65f0faf22eee748e9b71028788d133fa89f2a97613e158ab0469bf201dc96d3dbec9d9093e6bcbb39a2ccf9fe6a0a2d28cd716731e7
-
SSDEEP
24576:37/44q6wihymF4+nZqyDst/ydLOyDaAO+JtPhYbcNeHtXvGJWiF7f9/QiCzUj:37/4V6+mF4+/DKrh+rfWtXvJ+/Qwj
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
pid | process
1936 | cmd.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
3028 | Logo1_.exe
2616 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
-
Loads dropped DLL 8 IoCs
Processes:
pid | process
1936 | cmd.exe
2764 | WerFault.exe
2764 | WerFault.exe
2764 | WerFault.exe
2764 | WerFault.exe
2764 | WerFault.exe
2764 | WerFault.exe
2764 | WerFault.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Reference Assemblies\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Defender\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini | Logo1_.exe
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini | Logo1_.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\rundl132.exe | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
File created | C:\Windows\Logo1_.exe | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2764 | 2616 | WerFault.exe | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid | process
3028 | Logo1_.exe
3028 | Logo1_.exe
3028 | Logo1_.exe
3028 | Logo1_.exe
3028 | Logo1_.exe
3028 | Logo1_.exe
3028 | Logo1_.exe
3028 | Logo1_.exe
3028 | Logo1_.exe
3028 | Logo1_.exe
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
description | pid | process | target process
PID 2072 wrote to memory of 1936 | 2072 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | cmd.exe
PID 2072 wrote to memory of 1936 | 2072 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | cmd.exe
PID 2072 wrote to memory of 1936 | 2072 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | cmd.exe
PID 2072 wrote to memory of 1936 | 2072 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | cmd.exe
PID 2072 wrote to memory of 3028 | 2072 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | Logo1_.exe
PID 2072 wrote to memory of 3028 | 2072 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | Logo1_.exe
PID 2072 wrote to memory of 3028 | 2072 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | Logo1_.exe
PID 2072 wrote to memory of 3028 | 2072 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | Logo1_.exe
PID 1936 wrote to memory of 2616 | 1936 | cmd.exe | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
PID 1936 wrote to memory of 2616 | 1936 | cmd.exe | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
PID 1936 wrote to memory of 2616 | 1936 | cmd.exe | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
PID 1936 wrote to memory of 2616 | 1936 | cmd.exe | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
PID 1936 wrote to memory of 2616 | 1936 | cmd.exe | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
PID 1936 wrote to memory of 2616 | 1936 | cmd.exe | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
PID 1936 wrote to memory of 2616 | 1936 | cmd.exe | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
PID 3028 wrote to memory of 2892 | 3028 | Logo1_.exe | net.exe
PID 3028 wrote to memory of 2892 | 3028 | Logo1_.exe | net.exe
PID 3028 wrote to memory of 2892 | 3028 | Logo1_.exe | net.exe
PID 3028 wrote to memory of 2892 | 3028 | Logo1_.exe | net.exe
PID 2616 wrote to memory of 2764 | 2616 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | WerFault.exe
PID 2616 wrote to memory of 2764 | 2616 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | WerFault.exe
PID 2616 wrote to memory of 2764 | 2616 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | WerFault.exe
PID 2616 wrote to memory of 2764 | 2616 | d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe | WerFault.exe
PID 2892 wrote to memory of 2780 | 2892 | net.exe | net1.exe
PID 2892 wrote to memory of 2780 | 2892 | net.exe | net1.exe
PID 2892 wrote to memory of 2780 | 2892 | net.exe | net1.exe
PID 2892 wrote to memory of 2780 | 2892 | net.exe | net1.exe
PID 3028 wrote to memory of 1268 | 3028 | Logo1_.exe | Explorer.EXE
PID 3028 wrote to memory of 1268 | 3028 | Logo1_.exe | Explorer.EXE
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID:1268
  C:\Users\Admin\AppData\Local\Temp\d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2072
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5F30.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:1936
      C:\Users\Admin\AppData\Local\Temp\d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID:2616
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 36
          - Loads dropped DLL
          - Program crash
          PID:2764
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:3028
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID:2892
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID:2780
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
251KB
MD5
9e2f82a085e3726de31190aa4dbe28b5
SHA1
5fc4712e1f9b969fb204063b0f0a0417bb14dea8
SHA256
5dc4b2d6b1d33e6abdf260204f1c9ed517799e850eaaf3ed4871be38e1203a42
SHA512
66d05f0b653f37ce019a08206bd42791f64da99f45df18172fc0aea99722fe8da82b3f8368c18d1eaef59e8a04a8777a0a38493f821fb755f9330b1693c51b45
-
Filesize
471KB
MD5
4cfdb20b04aa239d6f9e83084d5d0a77
SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86
-
Filesize
722B
MD5
d36918314757bcb7c17a84ade148d1f6
SHA1
7123469c761866e17d8eb69c94e8e7a790c6779a
SHA256
8a3747e90bdcee93d41057c5d8690f18166ee34d1b85696873b5a2a06f5b0639
SHA512
68a636951cab2f27278034492d1886f9b3e65c61e3c6b85a5b78805d6acb8beff66399d0957e76d509cecea83bf474db2a0266e70bb56a2860cc34a81c79761f
-
C:\Users\Admin\AppData\Local\Temp\d455a1011bc6c9649c5b19c0844d0527d2a9114e3c13d9f549dff582dcce9242.exe.exe
Filesize
2.1MB
MD5
7c525f67655a15d0cc3b9efc5b6aa36a
SHA1
6da8db550dc66ea8b3af3b5481bbf371e299d9db
SHA256
4a6abfc44d987f6eaf67d67fce93f87c56dc80ec8a6486c775e8e91925b7ca5d
SHA512
91ed3dcf3387e0188c39e434fa6c4649a48a853b594b7ef4ffc3ec00dff7094403b8caaf9570f8037c35bee2f168f0fb0365f5fbf79ce192fcf2d156bdaef448
-
Filesize
26KB
MD5
f6f9088a009b9ec60ae2ff543d3c3672
SHA1
b39efa01bfcd494db3ecd5248d1969718614fa1d
SHA256
63b2baf83767d6b0742089b97e28685666ee0d056dc6d0a50561fca8400fc9ee
SHA512
13fe37e946f4939e93dd83f5713b49523917c91f6562f6038493f6a16c85b20ae3d288e916c4df9131871d2e62cadeb0d16c8b5341770c1f06a1d47a618bdee7
-
Filesize
9B
MD5
4f2460b507685f7d7bfe6393f335f1c9
SHA1
378d42f114b1515872e58de6662373af31ab8c7b
SHA256
47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512
75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb