Analysis
max time kernel: 149s
max time network: 126s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 17-08-2024 06:21
Static task: static1
Behavioral task: behavioral1
Sample: 3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
Resource: win10v2004-20240802-en
General
Target: 3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
Size: 2.8MB
MD5: 23e682f4cd8bb3e77a15ea3a9438d56e
SHA1: 2b90e1c8f926753eca86897a746f1b62b757ef7f
SHA256: 3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88
SHA512: 607e922421f0dad25ad58e416c08f987091d5a7484ff20df7d5144cc4bd80d09bb445b1340dd2e6571d7a76e10aef064eb818e0e9f2f47aa719407d66fa67a9d
SSDEEP: 49152:F7lbybaNvP+Y7PezVcKvgvIUXVD49aPW0YDEPcx+Goq3to:DbybaFiiKvgwW5m/Ul
Malware Config
Signatures
Deletes itself (1 IoC)
PID 2932 cmd.exe
Executes dropped EXE (2 IoCs)
PID 2672 Logo1_.exe
PID 2632 3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
Loads dropped DLL (1 IoC)
PID 2932 cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by Logo1_.exe: \??\I:, \??\T:, \??\R:, \??\O:, \??\N:, \??\K:, \??\J:, \??\S:, \??\P:, \??\U:, \??\L:, \??\E:, \??\X:, \??\W:, \??\V:, \??\Q:, \??\M:, \??\H:, \??\G:, \??\Z:, \??\Y:
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
File opened for modification: \??\PhysicalDrive0 by 3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
File created: C:\Windows\Logo1_.exe by 3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
File opened for modification: C:\Windows\rundl132.exe by Logo1_.exe
File created: C:\Windows\vDll.dll by Logo1_.exe
File created: C:\Windows\rundl132.exe by 3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe, net.exe, net1.exe, 3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe (twice) and Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
PID 2672 Logo1_.exe (10 events)
Suspicious use of WriteProcessMemory (25 IoCs; repeated identical events collapsed)
PID 2660 (3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe) wrote to memory of PID 2932, procid_target 30: 4 events
PID 2660 (3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe) wrote to memory of PID 2672, procid_target 31: 4 events
PID 2672 (Logo1_.exe) wrote to memory of PID 2680, procid_target 33: 4 events
PID 2680 (net.exe) wrote to memory of PID 2692, procid_target 35: 4 events
PID 2932 (cmd.exe) wrote to memory of PID 2632, procid_target 36: 7 events
PID 2672 (Logo1_.exe) wrote to memory of PID 1244, procid_target 21: 2 events
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1244
  - C:\Users\Admin\AppData\Local\Temp\3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID: 2660
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD3A.bat
      Signatures: Deletes itself; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 2932
      - C:\Users\Admin\AppData\Local\Temp\3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\3fcffa0ad0d8d8b9dc47372872e106db12b82fdba724e1f57c0422abc5d3af88.exe"
        Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); System Location Discovery: System Language Discovery
        PID: 2632
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 2672
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID: 2680
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
          PID: 2692
Network
MITRE ATT&CK Enterprise v15
Downloads