0ec487f880cd65fc30755475120791fc096eae6809dd6d138de0241969a8346b

Analysis

max time kernel
149s
max time network
20s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe
Size

78KB
MD5

989227e985cad6220db67c3bd9de6a78
SHA1

93ee9707c4dc3911303a9b23b375714fdbbb8601
SHA256

b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88
SHA512

712402b3c1448c9e097faf2ce6b8c5c8412c4b2910b53e4c32aee6ceb892fa200ae8f60eff979e0fb46aa42af20ef6f9498eea6c7a6dda643f5516eb40917544
SSDEEP

1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmitNV9N+Mf1yUfw:qKtfDwsjPThTYszDH2fLV9N+c1u

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3036	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3048	Logo1_.exe
2796	b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe

Loads dropped DLL 1 IoCs

pid	Process
3036	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	Logo1_.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\virDll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe
3048	Logo1_.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 3036	1768	b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe	29
PID 1768 wrote to memory of 3036	1768	b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe	29
PID 1768 wrote to memory of 3036	1768	b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe	29
PID 1768 wrote to memory of 3036	1768	b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe	29
PID 1768 wrote to memory of 3048	1768	b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe	30
PID 1768 wrote to memory of 3048	1768	b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe	30
PID 1768 wrote to memory of 3048	1768	b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe	30
PID 1768 wrote to memory of 3048	1768	b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe	30
PID 3048 wrote to memory of 1392	3048	Logo1_.exe	20
PID 3048 wrote to memory of 1392	3048	Logo1_.exe	20
PID 3036 wrote to memory of 2796	3036	cmd.exe	32
PID 3036 wrote to memory of 2796	3036	cmd.exe	32
PID 3036 wrote to memory of 2796	3036	cmd.exe	32
PID 3036 wrote to memory of 2796	3036	cmd.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe
  "C:\Users\Admin\AppData\Local\Temp\b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4395.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe
      "C:\Users\Admin\AppData\Local\Temp\b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe"
      4⤵
      Executes dropped EXE
      PID:2796
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a4395.bat

Filesize
722B

MD5
29f3b9cbb52a0d5c8040d90cf977dcbc

SHA1
a33f4d286f0430295d66506f4d4bb53ea56e4d4f

SHA256
65569a79797ea9fecb18fd8d3c887f3c719e2d13d990212342cfade77fccd498

SHA512
b0e7404d054abe982bf8d2fb79537f20d6d6be20f48b6fa7a2d8aef1961c5c89249c8f7d5f48c567be8751190a2ac5ae99841bb5e4db1d107916f13a664d3523

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe.exe

Filesize
20KB

MD5
a8b499100141742fbb90089fe4c5f90e

SHA1
32dd5fdab96a6693c27c8b6cd8914ce213164336

SHA256
d6d2a0e5cdacdbfe30eb261204a019fbb835da0c7d42d5d4d935ac37077ac179

SHA512
8782c7abbf60a1ff773d742c8e831c186d5e79c9472fa291c11f827dbe5adb04f7b24045b54eb22bdf27a1accbbbc87458ab1f3dd37054d0f68a398809aa89ce

Download Submit
C:\Windows\Logo1_.exe

Filesize
58KB

MD5
c57a5f3267ade275e3428594e70624e2

SHA1
c360261c260817fb81dbf4d8c8f91079e02a8e3c

SHA256
b98d086e9ca5a27d9b051874752fba6044dcd37cbc6e87760a7f2332e0dfaf13

SHA512
dbfd7e5c6b5d37c3bae3addd4f4b1f51584a178da3f461d00ae2b0875cb6744866a54b0ec6d4df2d0a84063f688092a79abb8611368d27b02f61456fa9c6545c

Download Submit
memory/1392-20-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1768-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3048-242-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download