Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted
16-06-2024 20:22
Static task
static1
Behavioral task
behavioral1
Sample
e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
Resource
win10v2004-20240508-en
General
-
Target
e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
-
Size
357KB
-
MD5
bcf80fd61a963f4569a0f11ab02c6572
-
SHA1
58194f80a70e08de6f074fc7843f414b7ed2de00
-
SHA256
e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf
-
SHA512
412ed65291397134cb39823fcb2569c75d875b9b86571646850f50b3262491d31ae0336e1ab1e3d2de88e30050f92b7f2ec30315c6df686d58d6bd39204eb734
-
SSDEEP
6144:9VfjmN4shCYLrMTaN8wSEQKRzOALPmB3tl3HAO8fYkL1o:b7+4shC2N8wSEQKdjyBdRHy1o
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
pid   process
2928  cmd.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
2120  Logo1_.exe
2652  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
2928  cmd.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description              ioc     process
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description                   ioc                 process
File opened for modification  \??\PhysicalDrive0  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description                   ioc                                                                                                   process
File opened for modification  C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Google\Chrome\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe  Logo1_.exe
File created                  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini  Logo1_.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe  Logo1_.exe
File opened for modification  C:\Program Files\Java\jre7\bin\unpack200.exe  Logo1_.exe
File opened for modification  C:\Program Files (x86)\Uninstall Information\_desktop.ini  Logo1_.exe
File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini  Logo1_.exe
File created                  C:\Program Files\VideoLAN\VLC\locale\am_ET\_desktop.ini  Logo1_.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description                   ioc                      process
File created                  C:\Windows\rundl132.exe  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
File created                  C:\Windows\Logo1_.exe    e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created                  C:\Windows\vDll.dll      Logo1_.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid   process
2120  Logo1_.exe
2120  Logo1_.exe
2120  Logo1_.exe
2120  Logo1_.exe
2120  Logo1_.exe
2120  Logo1_.exe
2120  Logo1_.exe
2120  Logo1_.exe
2120  Logo1_.exe
2120  Logo1_.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description                        pid   process                                                                process target
PID 2932 wrote to memory of 2928   2932  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe  cmd.exe
PID 2932 wrote to memory of 2928   2932  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe  cmd.exe
PID 2932 wrote to memory of 2928   2932  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe  cmd.exe
PID 2932 wrote to memory of 2928   2932  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe  cmd.exe
PID 2932 wrote to memory of 2120   2932  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe  Logo1_.exe
PID 2932 wrote to memory of 2120   2932  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe  Logo1_.exe
PID 2932 wrote to memory of 2120   2932  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe  Logo1_.exe
PID 2932 wrote to memory of 2120   2932  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe  Logo1_.exe
PID 2120 wrote to memory of 2656   2120  Logo1_.exe  net.exe
PID 2120 wrote to memory of 2656   2120  Logo1_.exe  net.exe
PID 2120 wrote to memory of 2656   2120  Logo1_.exe  net.exe
PID 2120 wrote to memory of 2656   2120  Logo1_.exe  net.exe
PID 2928 wrote to memory of 2652   2928  cmd.exe  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
PID 2928 wrote to memory of 2652   2928  cmd.exe  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
PID 2928 wrote to memory of 2652   2928  cmd.exe  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
PID 2928 wrote to memory of 2652   2928  cmd.exe  e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
PID 2656 wrote to memory of 2620   2656  net.exe  net1.exe
PID 2656 wrote to memory of 2620   2656  net.exe  net1.exe
PID 2656 wrote to memory of 2620   2656  net.exe  net1.exe
PID 2656 wrote to memory of 2620   2656  net.exe  net1.exe
PID 2120 wrote to memory of 1284   2120  Logo1_.exe  Explorer.EXE
PID 2120 wrote to memory of 1284   2120  Logo1_.exe  Explorer.EXE
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID:1284
  C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2932
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5F8E.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2928
      C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe"
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
        PID:2652
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:2120
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID:2656
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID:2620
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
251KB
MD5
baf165adaab6392d033d7f32319cabcb
SHA1
fa4b6413108c9b552b158ae614b63565509cece4
SHA256
c134d2515194f237193d125b905c679da1fe6baef94e7449c93c7ed387ba66e6
SHA512
0400ff9363143c589e5cf1172d6d4c971fd936de9e640d80e563b5e0136b772fa048497a0e6d79f51c02bf7b8ccda0d367180bf6cb91a35d9f21c320648c3a38
-
Filesize
471KB
MD5
4cfdb20b04aa239d6f9e83084d5d0a77
SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86
-
Filesize
722B
MD5
c702a9fd04d1218510900cd3492c4c3d
SHA1
97d2e0dd4bc91c4c91df2522a251ed3c9d98834c
SHA256
f3d9237f3050d868c5875d3c86a2e0e2362bdbdad6b157b25a8f0244bdc6d518
SHA512
194fd67cdc70295a763d3db73dc7641f891dc808f34175d96bc309f2edf8da7ac43a06867c9184c8f98631cb62626939197adc9dd46d849898e4def448caca21
-
C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe.exe
Filesize
331KB
MD5
25c40a58d31194af030d2856153fc490
SHA1
9361a68e4a5585c4f03026165d61f5f588515128
SHA256
ea31aeb14e8542ea87d01839d10b4b8933ea5444af49c2536051d979bc924168
SHA512
3b19c2642f235b3da033a84539339f0338a4fec0de5656e925bba7e7d505fb877d02b06c636b34bc45fd5e95271741eef6eceb91a14f8e684243bdbdeec12f32
-
Filesize
26KB
MD5
c96a70874a471376780d70d7ad6b255a
SHA1
5b19ded6314cc223bac30dd4a1ee3041fa3cfa26
SHA256
1ae40b73fe2ab7e5f0282d11052dff7e4eff746da740d0dd75f7468638b0b7ef
SHA512
3a4d3a94f2535b3ce74bbd510119b0d99f37e888da05245d34482a5a76919b3e5c518a0445cf3098e9e443267250fbf339812d5315b70d34302a9131e5c00d88
-
Filesize
9B
MD5
1884bfdeea71ff22db39c196f4447c9c
SHA1
3eafc7e6e17ba6ce7a087a3588fb1efb596da038
SHA256
163167bc5a01ad6b3ed4406c2a9a1baaf2c0ef4620ab7d5b39aeddf976ca776d
SHA512
b22124aa3a912462e6face7f71ad3dfec4b27dab16b2e20e3a0adc277f89f631ec889c91b185ac4b9b670933d881b8fd26c25d6f405e465aa8148cdbb7f7c3e2