Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 18:43
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe
  Resource: win7-20231129-en
- Behavioral task: behavioral2
  Sample: c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe
  Resource: win10v2004-20240508-en
General
- Target: c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe
- Size: 204KB
- MD5: 5e2cce25d7b597a153412d3b57c26630
- SHA1: a30338d312dcf642f790cdde47c42b048d3998ed
- SHA256: c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258
- SHA512: 49c7a388c2ded6bf6055ed32e635905b2933f2094894ea9fe77c38f3f325863fcb000613dfcf8a9330dfdb3ac8ce9ce4b131c97643c24c6539eb48f92d5b3480
- SSDEEP: 6144:8VfjmNz95gdyGuj5TflV/zcgqoKjuHowPAYM64V:+7+z94yGuj5TflV/ggSuHow1M64V
Malware Config
Signatures
Deletes itself (1 IoC)
Process: cmd.exe (PID 1276)
Executes dropped EXE (2 IoCs)
Processes:
- Logo1_.exe (PID 1196)
- c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe (PID 2020)
Loads dropped DLL (1 IoC)
Process: cmd.exe (PID 1276)
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: Logo1_.exe
File opened (read-only), one IoC per drive root: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops file in Program Files directory (64 IoCs)
Process: Logo1_.exe
Six of the entries are existing executables opened for modification rather than new `_desktop.ini` markers: rmid.exe, keytool.exe, msinfo32.exe, serialver.exe, policytool.exe and rmic.exe. The remaining entries are `_desktop.ini` files (note the leading underscore; Explorer's own folder metadata file is `desktop.ini`).
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini
- File created: C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini
- File opened for modification: C:\Program Files\Java\jre7\bin\rmid.exe
- File created: C:\Program Files\Microsoft Games\Mahjong\fr-FR\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini
- File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini
- File opened for modification: C:\Program Files\DVD Maker\_desktop.ini
- File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini
- File created: C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini
- File created: C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini
- File created: C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
- File created: C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini
- File created: C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini
Drops file in Windows directory (4 IoCs)
Processes: c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe, Logo1_.exe
- File created: C:\Windows\rundl132.exe (by c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe)
- File created: C:\Windows\Logo1_.exe (by c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe)
- File opened for modification: C:\Windows\rundl132.exe (by Logo1_.exe)
- File created: C:\Windows\vDll.dll (by Logo1_.exe)
The name rundl132.exe (digit one, three, two) is a look-alike of the legitimate rundll32.exe; a filename match on the exact spelling is the reliable check.
Runs net.exe
(net stop "Kingsoft AntiVirus Service", launched by Logo1_.exe; see the process tree below.)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Process: Logo1_.exe (PID 1196), 10 occurrences
Suspicious use of WriteProcessMemory (22 IoCs)
Processes: c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe, Logo1_.exe, cmd.exe, net.exe
Each entry is "PID <writer> wrote to memory of <target>"; the report records the parent-to-child writes four times each:
- 1848 c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe -> 1276 cmd.exe (x4)
- 1848 c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe -> 1196 Logo1_.exe (x4)
- 1196 Logo1_.exe -> 2256 net.exe (x4)
- 1276 cmd.exe -> 2020 c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe (x4)
- 2256 net.exe -> 2640 net1.exe (x4)
- 1196 Logo1_.exe -> 1368 Explorer.EXE (x2)
The first five pairs are the ordinary writes a parent performs while creating a child. The last pair is different: Explorer.EXE (PID 1368) is the root of the process tree, not a child of Logo1_.exe, so that write is not explained by process creation.
Processes
1. C:\Windows\Explorer.EXE (PID 1368)
   command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe (PID 1848)
      command line: "C:\Users\Admin\AppData\Local\Temp\c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 1276)
         command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a195A.bat
         - Deletes itself
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe (PID 2020)
            command line: "C:\Users\Admin\AppData\Local\Temp\c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe"
            - Executes dropped EXE
      3. C:\Windows\Logo1_.exe (PID 1196)
         command line: C:\Windows\Logo1_.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net.exe (PID 2256)
            command line: net stop "Kingsoft AntiVirus Service"
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\net1.exe (PID 2640)
               command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 251KB
  MD5: 017b5ff3fe0c3468438be2ec74cebc30
  SHA1: 6c3d43933b458fc53062a5d51b8d9570be6d3e2d
  SHA256: f23e73059d7cbbe7cc9f6a50932f5aa26d25feaf6e1a32c35cd01fa49183a619
  SHA512: cb317a0becd259af4982ae63e97a1205c250a9cf09b47fbb0460eb2bcbe93421014f49f72c33b51dcd7517034be9b95b09ab7c0312cd79bf5b41b4fd8df6ac77
- Filesize: 471KB
  MD5: 99ea9b604a7a734d3087fa6159684c42
  SHA1: 709fa1068ad4d560fe03e05b68056f1b0bedbfc8
  SHA256: 3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c
  SHA512: 7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb
- Filesize: 722B
  MD5: 82e823011c5740429e9f8c61a4413b9b
  SHA1: 83f2530ea2cc5b0d013db1a9bce7feec7357d257
  SHA256: 326ac4c389c668739522863c380ccee5f93e4f57f7970253d968eaa2a90614f5
  SHA512: c1b1f85f072f73d1f1008e7bd0736c5a9d0a549c25552d217949993314d1610ee821512cf766f8bfab5c3d495ef973af748fede944784853e16cc6406f6e4804
- C:\Users\Admin\AppData\Local\Temp\c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe.exe
  Filesize: 177KB
  MD5: 8384d636427e81096ee6db17a64a847e
  SHA1: b9d40e60d82f56abb2944204fcbae94b6ee42a8c
  SHA256: 8d167888dc06dd6dc5ac1066019b5d43c117b910699693106e55e555851dc906
  SHA512: 690bf431168139b6e3151cd8d4c8a697717fddc39cf737b00def6719bfd82380b2c49e6ee863dd0098904b3535ab6e452243f0395ddb0549228d9653f406d31f
- Filesize: 26KB
  MD5: d375bd04f866e1b3276ba3b9779966ad
  SHA1: 1da9855e29a5384522563e0c4bdac786712d8b12
  SHA256: a540c3c24ac2e3e353f3e0376889b61d7c11c926b29c8f0b8c768aea37daf7be
  SHA512: 78aa0651eeebb8475328fb7090ef3bdc8984ea22c888365727fd7c09533d59873599fc172d291fbadc55e04034fa62e7be405cd501df063105b0c03d7638de10
- Filesize: 9B
  MD5: 4f2460b507685f7d7bfe6393f335f1c9
  SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
  SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
  SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb
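The dropped-file hashes above, together with the file names written to C:\Windows and the `_desktop.ini` markers sprayed under Program Files, are what a responder would sweep a host or a mounted image for. The script below is an added example for this page, not sandbox-vendor code. WINDOWS_DROPS and KNOWN_SHA256 are taken from the report; the three rules and the demo directory tree are this example's own. The demo tree is built with placeholder contents, so on it only the name and path rules fire, never the hash rule.

```python
"""Hunt a filesystem for the artifacts this report records.

Added example for this report page, not sandbox-vendor code. The names and
hashes come from the report; the rules and the demo tree are ours, and the
demo files hold placeholder bytes, not the real samples."""
import hashlib
import os
import tempfile
from pathlib import Path

# Names the sample wrote directly into C:\Windows. "rundl132.exe" (digit one,
# three, two) is a look-alike of the legitimate rundll32.exe.
WINDOWS_DROPS = {"rundl132.exe", "logo1_.exe", "vdll.dll"}
# Sample hash plus the six dropped-file hashes from the report's Downloads list.
KNOWN_SHA256 = {
    "c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258",
    "f23e73059d7cbbe7cc9f6a50932f5aa26d25feaf6e1a32c35cd01fa49183a619",
    "3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c",
    "326ac4c389c668739522863c380ccee5f93e4f57f7970253d968eaa2a90614f5",
    "8d167888dc06dd6dc5ac1066019b5d43c117b910699693106e55e555851dc906",
    "a540c3c24ac2e3e353f3e0376889b61d7c11c926b29c8f0b8c768aea37daf7be",
    "47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42",
}
PROGRAM_DIRS = ("program files", "program files (x86)")


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, max_hash_size=1 << 20):
    """Return sorted [(rule, path, sha256_or_None)] for files under `root`.

    `root` is the drive or mounted image to examine ("C:\\" on a live host, or
    the mount point of a disk image). Rules:
      windows_drop   - a report drop name directly in <root>\\Windows
      underscore_ini - "_desktop.ini" under Program Files; Explorer's own
                       file is "desktop.ini", the underscore is the tell
      hash_match     - SHA-256 equals a report hash (files <= max_hash_size;
                       the largest dropped file in the report is 471KB)
    """
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        rel = [p.lower() for p in d.relative_to(root).parts]
        for name in filenames:
            p = d / name
            low = name.lower()
            digest = sha256_of(p) if p.stat().st_size <= max_hash_size else None
            if rel == ["windows"] and low in WINDOWS_DROPS:
                findings.append(("windows_drop", str(p), digest))
            elif rel and rel[0] in PROGRAM_DIRS and low == "_desktop.ini":
                findings.append(("underscore_ini", str(p), digest))
            if digest in KNOWN_SHA256:
                findings.append(("hash_match", str(p), digest))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed layout mirroring the report's drop locations, with
    placeholder contents. Includes two decoys that must not fire."""
    base = Path(base)
    files = {
        r"Windows\rundl132.exe": b"placeholder",
        r"Windows\Logo1_.exe": b"placeholder",
        r"Windows\vDll.dll": b"placeholder",
        r"Windows\System32\rundll32.exe": b"benign",            # legitimate name
        r"Program Files\DVD Maker\_desktop.ini": b"[.ShellClassInfo]",
        r"Program Files (x86)\Windows Mail\fr-FR\_desktop.ini": b"[.ShellClassInfo]",
        r"Program Files\VideoLAN\VLC\desktop.ini": b"[.ShellClassInfo]",  # no underscore
    }
    for rel, data in files.items():
        p = base.joinpath(*rel.split("\\"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def demo():
    """Build the demo tree in a temp dir, hunt it, return (rule, relative path)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return [(rule, str(Path(path).relative_to(tmp))) for rule, path, _ in hunt(tmp)]


if __name__ == "__main__":
    for rule, path in demo():
        print(f"{rule:15} {path}")
```

Point `hunt()` at a mounted image rather than a live C: drive where possible; on a live host the hash rule is the slow part, so either raise `max_hash_size` only for the Windows and Program Files subtrees or drop it and rely on the two name rules for a first pass. An `_desktop.ini` hit is worth treating as a marker of a visited directory, and the six modified executables listed under "Drops file in Program Files directory" deserve a hash comparison against a clean install.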