Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 18:46
Static task: static1
Behavioral task: behavioral1
  Sample: 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
  Resource: win10v2004-20240611-en
General
Target: 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
Size: 179KB
MD5: 90c70ce48bd5cb8fe9b438cdfde863e1
SHA1: 89450efff9f839759d71c856d3d88138e863c98b
SHA256: 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb
SHA512: aa8b988debd456000774166d8fbf1a6d23deea43d5be69642df349406e6c77259a45596b98219641589c471bc3c793e48b996242141d0556e60fe688a857a546
SSDEEP: 3072:2IhftffjmNthi4jX2XUa7tOXN90sVfEzCVnuDgbACrwJ:3VfjmNtPjULOdu4nlbFr6
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  3356 | Logo1_.exe
  452 | 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\K: | Logo1_.exe
  File opened (read-only) | \??\G: | Logo1_.exe
  File opened (read-only) | \??\V: | Logo1_.exe
  File opened (read-only) | \??\Q: | Logo1_.exe
  File opened (read-only) | \??\P: | Logo1_.exe
  File opened (read-only) | \??\L: | Logo1_.exe
  File opened (read-only) | \??\U: | Logo1_.exe
  File opened (read-only) | \??\M: | Logo1_.exe
  File opened (read-only) | \??\H: | Logo1_.exe
  File opened (read-only) | \??\E: | Logo1_.exe
  File opened (read-only) | \??\X: | Logo1_.exe
  File opened (read-only) | \??\W: | Logo1_.exe
  File opened (read-only) | \??\R: | Logo1_.exe
  File opened (read-only) | \??\O: | Logo1_.exe
  File opened (read-only) | \??\N: | Logo1_.exe
  File opened (read-only) | \??\J: | Logo1_.exe
  File opened (read-only) | \??\I: | Logo1_.exe
  File opened (read-only) | \??\Z: | Logo1_.exe
  File opened (read-only) | \??\Y: | Logo1_.exe
  File opened (read-only) | \??\T: | Logo1_.exe
  File opened (read-only) | \??\S: | Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
  Processes (process column is Logo1_.exe for every entry):
  description | ioc
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\_desktop.ini
  File created | C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ro\_desktop.ini
  File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini
  File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\_desktop.ini
  File created | C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini
  File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini
  File created | C:\Program Files (x86)\Common Files\Adobe\HelpCfg\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\_desktop.ini
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini
  File created | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\_desktop.ini
  File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini
  File created | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini
  File created | C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\_desktop.ini
  File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\_desktop.ini
  File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\_desktop.ini
  File created | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\x64\_desktop.ini
  File created | C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini
  File opened for modification | C:\Program Files\Java\jre-1.8\lib\jfr\_desktop.ini
  File opened for modification | C:\Program Files\dotnet\host\fxr\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\EBWebView\_desktop.ini
  File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\_desktop.ini
  File created | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini
  File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\EBWebView\x64\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\uk-ua\_desktop.ini
  File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\_desktop.ini
  File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini
  File created | C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini
  File created | C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\_desktop.ini
  File opened for modification | C:\Program Files\Windows Multimedia Platform\_desktop.ini
  File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\_desktop.ini
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-tw\_desktop.ini
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini
  File created | C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini
  File created | C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini
- Drops file in Windows directory (4 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\rundl132.exe | 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
  File created | C:\Windows\Logo1_.exe | 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\vDll.dll | Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes:
  pid | process
  3356 | Logo1_.exe (the same entry is recorded 20 times)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description | pid | process | target process
  PID 4588 wrote to memory of 996 | 4588 | 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe | cmd.exe (recorded 3 times)
  PID 4588 wrote to memory of 3356 | 4588 | 360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe | Logo1_.exe (recorded 3 times)
  PID 3356 wrote to memory of 408 | 3356 | Logo1_.exe | net.exe (recorded 3 times)
  PID 408 wrote to memory of 2576 | 408 | net.exe | net1.exe (recorded 3 times)
  PID 3356 wrote to memory of 3512 | 3356 | Logo1_.exe | Explorer.EXE (recorded 2 times)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3512
  C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe"
    PID: 4588
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3597.bat
      PID: 996
      C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe"
        PID: 452
        - Executes dropped EXE
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 3356
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 408
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2576
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 251KB
MD5: d3e8a267133d83c4bd585a13e8135ef1
SHA1: 53afe847d8eeccacd442d930ac0fc52d18be2f62
SHA256: 9f5d1aa6322230f568f5ec1dcce9829f666bf330d5e05b177b6612a175fd51c8
SHA512: 01f8f44d20447a39c2e1a8d850e3738e387a44b725fa342dd351b0abf9b654aa7888b08ec4b347950a0d2cc781ecdd8f332e12467fc5e0265f9e92b27c6b320b

Filesize: 570KB
MD5: 3b0afe33f12a60c5f7969be9ed5bfe8d
SHA1: efb2b25056d4156e183211c5c6b8f134c0dc7fc2
SHA256: ea479029a1af8a9f421a8d1fcbc266f952d996db20ad568f63af1ba7a6763134
SHA512: 6941a088bc8f40a73e3d20378ce317aa39ee8711b5b843884db3a6914ba5229a957e497e59209394c7dc63225dbc40042d030a4b73c832feff258180a46acb95

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 636KB
MD5: 2500f702e2b9632127c14e4eaae5d424
SHA1: 8726fef12958265214eeb58001c995629834b13a
SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Filesize: 722B
MD5: 5b42e59c0f124bbdd83d6f11eed7bed5
SHA1: 27e54c26fa9c96286a17a3f04dfe73aeb67d60bc
SHA256: a58e30e8a3409ad7c1de2caa123dec5fcef20dda12331ac1afd29944790e857b
SHA512: b2b5c64b059f3dac16e9c117bbcf0a7793dd99baa064dfbf2add0c22e600260efaf17de3dc0e4b6ea6d016a49fc74f555671b94adcada8b378667f09ad718c22

C:\Users\Admin\AppData\Local\Temp\360b8c6910f7a56942239e644d9a181dc956ab41109a854b8bc79009068bb2eb.exe.exe
Filesize: 153KB
MD5: 248e4fcfb8cb29146f73dce2880441f1
SHA1: 3f83a3e61f56224aa946263d68029e8862d981b2
SHA256: 42433b2358e677dba21525bfa84d3469afd6cc750821c2d81576c1146a032272
SHA512: 350e2d24af22a8a2ae9fd744660843b9c2cb79e5fd95a66ed759b0df75cd05c8c12b390f8f8e84ce0dcb539597c5e79302728bac39d064256bdd07eef7757005

Filesize: 26KB
MD5: ea93d9d4c57b19e96eabc55fa2a44c93
SHA1: 6dfbe57a710e593304d00f7ea80c7275291fff6d
SHA256: d123ca9f2bf2eb799707b93ab1695e53ea778feda574774a3adee615b4c53ffb
SHA512: 9a440dfcaff1018e00eb371dfc7afd9864cc303821594ea09d8feb795f89148b222711ac6d1f6d818c9d9c0a8adb2adcf801700be89a14a6c93d9449a8e4ad4a

Filesize: 9B
MD5: 4f2460b507685f7d7bfe6393f335f1c9
SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb