Analysis
max time kernel: 150s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 08-08-2024 22:49
Static task: static1
Behavioral task: behavioral1
Sample: e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe
Resource: win10v2004-20240802-en
General
Target: e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe
Size: 151KB
MD5: 3967f385eeae03acc910861a648dd6b4
SHA1: bef061f0dabd297cc2f492b3daaa7dcedb7639d2
SHA256: e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a
SHA512: 626d5baca8f26ec307122538d6ef66eb85e6094f7d030c47000af74f81c8998b0c3718d183d4a38ab03a6aeef987b2752a77e3a7d977c492b0107b8440f95d0f
SSDEEP: 3072:5ftffjmNF9GEy/g+bll7eE92TkvDOb9VO:RVfjmNxGR/92VW
Malware Config
Signatures
Deletes itself (1 IoCs)
pid | Process
3068 | cmd.exe

Executes dropped EXE (2 IoCs)
pid | Process
3000 | Logo1_.exe
2908 | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe

Loads dropped DLL (1 IoCs)
pid | Process
3068 | cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | Logo1_.exe
File created | C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Chess\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre7\bin\server\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Mail\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe
File created | C:\Windows\Logo1_.exe | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
3000 | Logo1_.exe
3000 | Logo1_.exe
3000 | Logo1_.exe
3000 | Logo1_.exe
3000 | Logo1_.exe
3000 | Logo1_.exe
3000 | Logo1_.exe
3000 | Logo1_.exe
3000 | Logo1_.exe
3000 | Logo1_.exe
Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 2024 wrote to memory of 3068 | 2024 | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe | 30
PID 2024 wrote to memory of 3068 | 2024 | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe | 30
PID 2024 wrote to memory of 3068 | 2024 | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe | 30
PID 2024 wrote to memory of 3068 | 2024 | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe | 30
PID 2024 wrote to memory of 3000 | 2024 | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe | 31
PID 2024 wrote to memory of 3000 | 2024 | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe | 31
PID 2024 wrote to memory of 3000 | 2024 | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe | 31
PID 2024 wrote to memory of 3000 | 2024 | e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe | 31
PID 3068 wrote to memory of 2908 | 3068 | cmd.exe | 34
PID 3068 wrote to memory of 2908 | 3068 | cmd.exe | 34
PID 3068 wrote to memory of 2908 | 3068 | cmd.exe | 34
PID 3068 wrote to memory of 2908 | 3068 | cmd.exe | 34
PID 3000 wrote to memory of 2904 | 3000 | Logo1_.exe | 33
PID 3000 wrote to memory of 2904 | 3000 | Logo1_.exe | 33
PID 3000 wrote to memory of 2904 | 3000 | Logo1_.exe | 33
PID 3000 wrote to memory of 2904 | 3000 | Logo1_.exe | 33
PID 2904 wrote to memory of 2108 | 2904 | net.exe | 36
PID 2904 wrote to memory of 2108 | 2904 | net.exe | 36
PID 2904 wrote to memory of 2108 | 2904 | net.exe | 36
PID 2904 wrote to memory of 2108 | 2904 | net.exe | 36
PID 3000 wrote to memory of 1220 | 3000 | Logo1_.exe | 21
PID 3000 wrote to memory of 1220 | 3000 | Logo1_.exe | 21
Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1220
    [2] C:\Users\Admin\AppData\Local\Temp\e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2024
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCD2E.bat
            - Deletes itself
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 3068
            [4] C:\Users\Admin\AppData\Local\Temp\e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 2908
        [3] C:\Windows\Logo1_.exe
            Command line: C:\Windows\Logo1_.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID: 3000
            [4] C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID: 2904
                [5] C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    - System Location Discovery: System Language Discovery
                    PID: 2108
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 251KB
MD5: cf60447b5a5d7b2e800c5389c00686b9
SHA1: 537bd6ffe4c8393f09faf07ce7e67c6355a29683
SHA256: 15ca4a536e83e6637b34d89a07be1aa47f19c24eb4ed8cc8ce4f7cd5a7d6e6be
SHA512: ed7c4691f3ffec6a19538b872525758d17c4b72de2efe24b49da3197d1454e07ca4c9cfbcc02db692d4adada71936ecdcb4e44e1508aea778d80028430d831ac

Filesize: 471KB
MD5: 4cfdb20b04aa239d6f9e83084d5d0a77
SHA1: f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256: 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512: 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Filesize: 722B
MD5: c9cb73b2f80bcc7b213f1af900795724
SHA1: 1c8174876c8a1c3fba94c079bed66fc4df80bf04
SHA256: 4f38cf29af7a0a8f7591e147d85d54c841ffa829551971044083838f048b924a
SHA512: 74b9dafd7bc2efcf444045cc1e9bab5ee102f4ea1718ef54a0028ba2290f48c4e6fa592c416e4d1f57b84f666fc870a5fbb2be09439cec33ab3d75d66ec0bc73

C:\Users\Admin\AppData\Local\Temp\e4301c87297cfd518af57a203ed6a08a465d1888ce71ed1d3dd4e5dd85ce781a.exe.exe
Filesize: 124KB
MD5: 6dd728836c46dffc93e66b6139889f98
SHA1: b29496cd2432f2d7de076f06915dae49f4cb1827
SHA256: 2975c97b27cf0e8717587ea58a07da6a2f646e4fb42c7b8db479268b011e5a88
SHA512: 04aec32fc1b98321e584a0ec8b7a57b2e2709ffefa278f7193a119ad2f5c677f8b6abe3d118f1fb1424cb847aceff2b517b8799355acd7d751c072c0d3937896

Filesize: 26KB
MD5: 36b3f02b659eb0ad5fddf054af96b525
SHA1: 17eab1988b6601611ae0683bb8b26ec04c377cb9
SHA256: a1822df7617c493bc4dca454e06a5f93d3dac7b6133b5a8dca37866d3cd3c1c6
SHA512: e20e9add4525449be31da571226255cb3cb06bf1f2efe84591e77972283407c783321b676f2e3bc78dd85dcfb0f20db77a40bcd179599cdd0f453534acf9dbaf

Filesize: 8B
MD5: a451cf229ab77d19c624b2e48ac11ec8
SHA1: 0f3002921952d4e528750030d6340b77d10b5fc9
SHA256: 96a8bb2a4a11f6596cd7c59eee4a5ea4dcfb02550aadc0b233e6cc269883f222
SHA512: 699a221508bfee448d09720da926c818de965de39253e6c82fe79343d2916c59edb97ae5dc6d1e3b6343928fcefb636f5dfa13507e5ec53b3c4eeb1266caa3cd