Analysis
max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 18:46
Static task: static1
Behavioral task: behavioral1
  Sample: 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
  Resource: win10v2004-20240611-en
General
Target: 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
Size: 179KB
MD5: 90c70ce48bd5cb8fe9b438cdfde863e1
SHA1: 89450efff9f839759d71c856d3d88138e863c98b
SHA256: 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb
SHA512: aa8b988debd456000774166d8fbf1a6d23deea43d5be69642df349406e6c77259a45596b98219641589c471bc3c793e48b996242141d0556e60fe688a857a546
SSDEEP: 3072:2IhftffjmNthi4jX2XUa7tOXN90sVfEzCVnuDgbACrwJ:3VfjmNtPjULOdu4nlbFr6
Malware Config
Signatures
Deletes itself (1 IoC)
  Process: cmd.exe (PID 1752)
Executes dropped EXE (2 IoCs)
  Processes: Logo1_.exe (PID 3068), 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe (PID 2484)
Loads dropped DLL (1 IoC)
  Process: cmd.exe (PID 1752)
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Process: Logo1_.exe
  File opened (read-only): \??\S: \??\L: \??\G: \??\E: \??\Z: \??\W: \??\U: \??\P: \??\K: \??\Q: \??\I: \??\X: \??\T: \??\R: \??\N: \??\M: \??\J: \??\H: \??\Y: \??\V: \??\O:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  File created C:\Windows\rundl132.exe by 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
  File created C:\Windows\Logo1_.exe by 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
  File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  File created C:\Windows\vDll.dll by Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Process: Logo1_.exe (PID 3068), 10 events
Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2868 (360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe) wrote to memory of PID 1752 (cmd.exe), 4 events
  PID 2868 (360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe) wrote to memory of PID 3068 (Logo1_.exe), 4 events
  PID 3068 (Logo1_.exe) wrote to memory of PID 2632 (net.exe), 4 events
  PID 2632 (net.exe) wrote to memory of PID 2636 (net1.exe), 4 events
  PID 3068 (Logo1_.exe) wrote to memory of PID 1268 (Explorer.EXE), 2 events
Processes
C:\Windows\Explorer.EXE (PID 1268)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe (PID 2868)
    command line: "C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1752)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a58DA.bat
      - Deletes itself
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe (PID 2484)
        command line: "C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 3068)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 2632)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2636)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads