Analysis
-
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 23/07/2024, 01:48
-
Static task: static1
-
Behavioral task: behavioral1
Sample: b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe
Resource: win7-20240704-en
-
Behavioral task: behavioral2
Sample: b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe
Resource: win10v2004-20240709-en
General
-
Target: b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe
Size: 68KB
MD5: 94aeea7408449f314a70fd6d703f515a
SHA1: 7a69a1c807711cba0b449469c6c47e4d8bbb3ad2
SHA256: b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948
SHA512: 063c8ab821f97644d53844d52d5618b76c33c2e51cc46b576833c5a39c9279ad9287621bf0daba39b6cc4d79c2a1d777c776ceae48e8eac189ce8cf9466bd9c4
SSDEEP: 1536:r3SHmLKarIpYeEToa9D4ZQKbgZi1dst7x9PxQ:rkF3pdlZQKbgZi1St7xQ
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process
2368 cmd.exe
-
Executes dropped EXE 2 IoCs
pid Process
2144 Logo1_.exe
2860 b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe
-
Loads dropped DLL 1 IoCs
pid Process
2368 cmd.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\H: Logo1_.exe
File opened (read-only) \??\Y: Logo1_.exe
File opened (read-only) \??\V: Logo1_.exe
File opened (read-only) \??\L: Logo1_.exe
File opened (read-only) \??\G: Logo1_.exe
File opened (read-only) \??\W: Logo1_.exe
File opened (read-only) \??\U: Logo1_.exe
File opened (read-only) \??\M: Logo1_.exe
File opened (read-only) \??\Q: Logo1_.exe
File opened (read-only) \??\O: Logo1_.exe
File opened (read-only) \??\N: Logo1_.exe
File opened (read-only) \??\K: Logo1_.exe
File opened (read-only) \??\J: Logo1_.exe
File opened (read-only) \??\Z: Logo1_.exe
File opened (read-only) \??\T: Logo1_.exe
File opened (read-only) \??\S: Logo1_.exe
File opened (read-only) \??\I: Logo1_.exe
File opened (read-only) \??\E: Logo1_.exe
File opened (read-only) \??\X: Logo1_.exe
File opened (read-only) \??\R: Logo1_.exe
File opened (read-only) \??\P: Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe Logo1_.exe
File created C:\Program Files (x86)\Microsoft Office\Office14\1036\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Defender\es-ES\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE Logo1_.exe
File opened for modification C:\Program Files\Windows Mail\it-IT\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini Logo1_.exe
File created C:\Program Files\DVD Maker\de-DE\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini Logo1_.exe
File created C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Microsoft Games\Hearts\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\MSBuild\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Windows Media Player\WMPDMC.exe Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jre7\lib\images\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini Logo1_.exe
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini Logo1_.exe
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini Logo1_.exe
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\_desktop.ini Logo1_.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\Logo1_.exe b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe
File opened for modification C:\Windows\rundl132.exe Logo1_.exe
File created C:\Windows\vDll.dll Logo1_.exe
File created C:\Windows\rundl132.exe b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process
2144 Logo1_.exe
2144 Logo1_.exe
2144 Logo1_.exe
2144 Logo1_.exe
2144 Logo1_.exe
2144 Logo1_.exe
2144 Logo1_.exe
2144 Logo1_.exe
2144 Logo1_.exe
2144 Logo1_.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target
PID 2564 wrote to memory of 2368 2564 b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe 29
PID 2564 wrote to memory of 2368 2564 b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe 29
PID 2564 wrote to memory of 2368 2564 b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe 29
PID 2564 wrote to memory of 2368 2564 b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe 29
PID 2564 wrote to memory of 2144 2564 b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe 30
PID 2564 wrote to memory of 2144 2564 b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe 30
PID 2564 wrote to memory of 2144 2564 b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe 30
PID 2564 wrote to memory of 2144 2564 b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe 30
PID 2144 wrote to memory of 2720 2144 Logo1_.exe 32
PID 2144 wrote to memory of 2720 2144 Logo1_.exe 32
PID 2144 wrote to memory of 2720 2144 Logo1_.exe 32
PID 2144 wrote to memory of 2720 2144 Logo1_.exe 32
PID 2720 wrote to memory of 2844 2720 net.exe 34
PID 2720 wrote to memory of 2844 2720 net.exe 34
PID 2720 wrote to memory of 2844 2720 net.exe 34
PID 2720 wrote to memory of 2844 2720 net.exe 34
PID 2368 wrote to memory of 2860 2368 cmd.exe 35
PID 2368 wrote to memory of 2860 2368 cmd.exe 35
PID 2368 wrote to memory of 2860 2368 cmd.exe 35
PID 2368 wrote to memory of 2860 2368 cmd.exe 35
PID 2144 wrote to memory of 1212 2144 Logo1_.exe 20
PID 2144 wrote to memory of 1212 2144 Logo1_.exe 20
Processes
-
C:\Windows\Explorer.EXE (depth 1, PID 1212)
  Command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe (depth 2, PID 2564)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2368)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4EDB.bat
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe (depth 4, PID 2860)
        Command line: "C:\Users\Admin\AppData\Local\Temp\b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (depth 3, PID 2144)
      Command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (depth 4, PID 2720)
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (depth 5, PID 2844)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 252KB
MD5: 3b6ab73ad7d6d27bbc1f2b09b6a7a13a
SHA1: a9adb49e14c018f19837e90e2d5cd930cd3c8d40
SHA256: 996c71e8a6f399e7895e24bb031067770cad117cd9569743244ba32c97a310f8
SHA512: ce509a807c60da7faa8c579f0228195334decf42787fc578e384a6d77e10ba17d7e2f5781ac75578b31278612587a48bdd8d5c8e93481c0dc4376a0d41ef5ed9
-
Filesize: 722B
MD5: 7ab5ef1c2aba5b39cf86ff29c592f403
SHA1: 4f519902dfe9d61587818e9b3469ccb7e4200118
SHA256: 4b00beb0dc086a08975e4f938112368611eeef332824ebfab778182f40aa5011
SHA512: 09de02f04a8171c308a0d751cb1960c187e62325f2be9b3e3f70037ebf26b292fceb664b0cffcea83a4c8c16235b9418215698dc23e233856905597a4ecb232e
-
C:\Users\Admin\AppData\Local\Temp\b4897e55d06a33fe6e2d9b2fa9b587d3ae1a97ea03a2b9e77719b121424c4948.exe.exe
Filesize: 41KB
MD5: 977e405c109268909fd24a94cc23d4f0
SHA1: af5d032c2b6caa2164cf298e95b09060665c4188
SHA256: cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f
SHA512: 12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5
-
Filesize: 27KB
MD5: faa537da04333b1d2264b5e74336142e
SHA1: 8ac278558286edcbe5b0648d0052dc98e148aa40
SHA256: 9c1055873c600ca7e5e6d55aff2bc1287d91b6e7e7dd73af40175e27cdc8c131
SHA512: 91ba1be7a655d818e3ba62c5bb1c023ce19e5105a5d1b798d9da1faf6dded3c0ea4507617ed56dbf911f2a235547f02f4ecf1fd353e0451ea0870eb6605f2dd1
-
Filesize: 9B
MD5: ece8e24737d1957fb4e94d8890ee8d02
SHA1: 6c79bfb99f560a2102a903116f5a0c195f7885e4
SHA256: d920366b3c62a677cf0cf1f267a7c2f3dd693f2ff60ee023091bf9c39c5e30b8
SHA512: ccf58b4da1ad1379a546f307bca8dc4452a61a3cb443814f4d9566b8d8d35cc9d794ada4d1a13296ed5bc0248ba5ef538e5dc5e22861c2ead3f479beeb5c2d37