Analysis
-
max time kernel
149s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 18:43
Static task
static1
Behavioral task
behavioral1
Sample
c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe
Resource
win10v2004-20240508-en
General
-
Target
c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe
-
Size
204KB
-
MD5
5e2cce25d7b597a153412d3b57c26630
-
SHA1
a30338d312dcf642f790cdde47c42b048d3998ed
-
SHA256
c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258
-
SHA512
49c7a388c2ded6bf6055ed32e635905b2933f2094894ea9fe77c38f3f325863fcb000613dfcf8a9330dfdb3ac8ce9ce4b131c97643c24c6539eb48f92d5b3480
-
SSDEEP
6144:8VfjmNz95gdyGuj5TflV/zcgqoKjuHowPAYM64V:+7+z94yGuj5TflV/ggSuHow1M64V
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
Logo1_.exec1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exepid process 3376 Logo1_.exe 4084 c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Logo1_.exedescription ioc process File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
Processes:
Logo1_.exedescription ioc process File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nb-no\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ar-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Text\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ar-ae\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Oracle\Java\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\Views\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{AD0E89CA-0C10-4B2E-B184-BD6C20B5B257}\MicrosoftEdgeUpdateSetup_X86_1.3.187.37.exe Logo1_.exe File created C:\Program Files\Java\jdk-1.8\bin\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
Processes:
c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exeLogo1_.exedescription ioc process File created C:\Windows\rundl132.exe c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe File created C:\Windows\Logo1_.exe c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
Logo1_.exepid process 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe 3376 Logo1_.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exeLogo1_.exenet.execmd.exedescription pid process target process PID 4588 wrote to memory of 2664 4588 c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe cmd.exe PID 4588 wrote to memory of 2664 4588 c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe cmd.exe PID 4588 wrote to memory of 2664 4588 c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe cmd.exe PID 4588 wrote to memory of 3376 4588 c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe Logo1_.exe PID 4588 wrote to memory of 3376 4588 c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe Logo1_.exe PID 4588 wrote to memory of 3376 4588 c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe Logo1_.exe PID 3376 wrote to memory of 1180 3376 Logo1_.exe net.exe PID 3376 wrote to memory of 1180 3376 Logo1_.exe net.exe PID 3376 wrote to memory of 1180 3376 Logo1_.exe net.exe PID 1180 wrote to memory of 4572 1180 net.exe net1.exe PID 1180 wrote to memory of 4572 1180 net.exe net1.exe PID 1180 wrote to memory of 4572 1180 net.exe net1.exe PID 2664 wrote to memory of 4084 2664 cmd.exe c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe PID 2664 wrote to memory of 4084 2664 cmd.exe c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe PID 2664 wrote to memory of 4084 2664 cmd.exe c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe PID 3376 wrote to memory of 3556 3376 Logo1_.exe Explorer.EXE PID 3376 wrote to memory of 3556 3376 Logo1_.exe Explorer.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe"C:\Users\Admin\AppData\Local\Temp\c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4863.bat3⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe"C:\Users\Admin\AppData\Local\Temp\c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe"4⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:4572
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD5017b5ff3fe0c3468438be2ec74cebc30
SHA16c3d43933b458fc53062a5d51b8d9570be6d3e2d
SHA256f23e73059d7cbbe7cc9f6a50932f5aa26d25feaf6e1a32c35cd01fa49183a619
SHA512cb317a0becd259af4982ae63e97a1205c250a9cf09b47fbb0460eb2bcbe93421014f49f72c33b51dcd7517034be9b95b09ab7c0312cd79bf5b41b4fd8df6ac77
-
Filesize
570KB
MD5662ac2ff73a0428213e4fb19ccd5fec3
SHA1bec0ee8e1d7bd1496959d9ef9f043eac07611379
SHA25647f518a26a7052c0d89c3e33c9480ad79557c0aec94b65d6ae6d346234118966
SHA5127b9086833001c5aac552606736d85fc60697c37a13ad606479b1c4de9c12082799de6285c1a6f994dc9b79fc57416c5dddc858d0c54aed4e44bde9c02e825ef1
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize636KB
MD553ee62011469b286a2a1b5658c86b9bf
SHA19bdac0b23b0a965947c780c6a6b48fc7122f9ade
SHA2567125735e4e8595f1c17ff3235bc65dacabc2ec874b29ac7ba8eddd80ad10b3c0
SHA512c9c24e578da0a38048e71548fac66465bcb624e971f745bba559e8c49fd621752e718d4c983a90a97277407bb23348ca109436e1eeebef030c3b599c712ff236
-
Filesize
722B
MD56a76072d57093b2211056ba6f3c2eeb8
SHA19146a43669f8fe6a7809d341fcb3fac9889026c0
SHA256f8878e0ee35ee9a791ce08b5a61ae9f8bfc3fd18afc5f0c6d797ab71ef304819
SHA5124c929a14e160710d8e69cd6d8855bf4428c41d9badecd69071eb1b795216d455170dc05535e2a006e008bab5a89bedfe80663e5b90fa9593f16601db84ccb396
-
C:\Users\Admin\AppData\Local\Temp\c1c3cb25dc5499c6d203c41310307ef99fdc739ad6eebd25d73554491cd01258.exe.exe
Filesize177KB
MD58384d636427e81096ee6db17a64a847e
SHA1b9d40e60d82f56abb2944204fcbae94b6ee42a8c
SHA2568d167888dc06dd6dc5ac1066019b5d43c117b910699693106e55e555851dc906
SHA512690bf431168139b6e3151cd8d4c8a697717fddc39cf737b00def6719bfd82380b2c49e6ee863dd0098904b3535ab6e452243f0395ddb0549228d9653f406d31f
-
Filesize
26KB
MD5d375bd04f866e1b3276ba3b9779966ad
SHA11da9855e29a5384522563e0c4bdac786712d8b12
SHA256a540c3c24ac2e3e353f3e0376889b61d7c11c926b29c8f0b8c768aea37daf7be
SHA51278aa0651eeebb8475328fb7090ef3bdc8984ea22c888365727fd7c09533d59873599fc172d291fbadc55e04034fa62e7be405cd501df063105b0c03d7638de10
-
Filesize
9B
MD54f2460b507685f7d7bfe6393f335f1c9
SHA1378d42f114b1515872e58de6662373af31ab8c7b
SHA25647a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA51275dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb