Analysis
-
max time kernel
149s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
01-09-2024 10:39
Static task
static1
Behavioral task
behavioral1
Sample
b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe
Resource
win7-20240705-en
General
-
Target
b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe
-
Size
78KB
-
MD5
989227e985cad6220db67c3bd9de6a78
-
SHA1
93ee9707c4dc3911303a9b23b375714fdbbb8601
-
SHA256
b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88
-
SHA512
712402b3c1448c9e097faf2ce6b8c5c8412c4b2910b53e4c32aee6ceb892fa200ae8f60eff979e0fb46aa42af20ef6f9498eea6c7a6dda643f5516eb40917544
-
SSDEEP
1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmitNV9N+Mf1yUfw:qKtfDwsjPThTYszDH2fLV9N+c1u
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid    Process
1200   Logo1_.exe
3736   b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description               ioc      Process
File opened (read-only)   \??\H:   Logo1_.exe
File opened (read-only)   \??\X:   Logo1_.exe
File opened (read-only)   \??\W:   Logo1_.exe
File opened (read-only)   \??\Q:   Logo1_.exe
File opened (read-only)   \??\M:   Logo1_.exe
File opened (read-only)   \??\J:   Logo1_.exe
File opened (read-only)   \??\U:   Logo1_.exe
File opened (read-only)   \??\T:   Logo1_.exe
File opened (read-only)   \??\R:   Logo1_.exe
File opened (read-only)   \??\O:   Logo1_.exe
File opened (read-only)   \??\I:   Logo1_.exe
File opened (read-only)   \??\G:   Logo1_.exe
File opened (read-only)   \??\Z:   Logo1_.exe
File opened (read-only)   \??\V:   Logo1_.exe
File opened (read-only)   \??\P:   Logo1_.exe
File opened (read-only)   \??\N:   Logo1_.exe
File opened (read-only)   \??\E:   Logo1_.exe
File opened (read-only)   \??\Y:   Logo1_.exe
File opened (read-only)   \??\S:   Logo1_.exe
File opened (read-only)   \??\L:   Logo1_.exe
File opened (read-only)   \??\K:   Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 2 IoCs
description    ioc                      Process
File created   C:\Windows\Logo1_.exe    b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe
File created   C:\Windows\virDll.dll    Logo1_.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                         Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Logo1_.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid    Process
1200   Logo1_.exe   (this row appears 16 times in the report, one per enumeration event)
-
Suspicious use of WriteProcessMemory 10 IoCs
description                          pid    Process                                                                  procid_target
PID 932 wrote to memory of 4868      932    b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe   91
PID 932 wrote to memory of 4868      932    b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe   91
PID 932 wrote to memory of 4868      932    b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe   91
PID 932 wrote to memory of 1200      932    b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe   92
PID 932 wrote to memory of 1200      932    b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe   92
PID 932 wrote to memory of 1200      932    b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe   92
PID 1200 wrote to memory of 3420     1200   Logo1_.exe                                                               56
PID 1200 wrote to memory of 3420     1200   Logo1_.exe                                                               56
PID 4868 wrote to memory of 3736     4868   cmd.exe                                                                  94
PID 4868 wrote to memory of 3736     4868   cmd.exe                                                                  94
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
PID:3420
    C:\Users\Admin\AppData\Local\Temp\b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:932
        C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F63.bat
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:4868
            C:\Users\Admin\AppData\Local\Temp\b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe"
            - Executes dropped EXE
            PID:3736
        C:\Windows\Logo1_.exe
        Command line: C:\Windows\Logo1_.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID:1200
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3852,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:8
PID:1244
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
742KB
MD5
8989db2c640aec0522fdae2c32b4b371
SHA1
6633a9a9b26e43a5ef99b23fb2be74ce74a86dd7
SHA256
e71588b885af1d1fb260fc1f339be9d072e43474858f32597479977a8980b66b
SHA512
cc254993877bfcb5fdc9dbd30243fef34c89b68304c34b6daac60e2ea13388aa544627a84e6c55551a91d86458a554bb8505ea40575156cc562548aa0ec00292
-
Filesize
722B
MD5
5ae9cf9a89fbe0c095ae93cee2a3959c
SHA1
82abda679d1e929ac0c5c67a9e068123cfe27382
SHA256
ad70b9543a57b9da4ef97239160bb888a3b9cade9bf2dcbff31e15890d6b58af
SHA512
945222c1610b1b3872c4d04982ee9fc8573f216dd523347d3cde3188204dcfeeb85349fd78ffe75e247ee1340af0177d67b7b55dc8ca8b19cf40cbec82571d4c
-
C:\Users\Admin\AppData\Local\Temp\b3b9f2cbab4329d82b96f29f221071809c615a2797f82dfc3acb6c5049177f88.exe.exe
Filesize
20KB
MD5
a8b499100141742fbb90089fe4c5f90e
SHA1
32dd5fdab96a6693c27c8b6cd8914ce213164336
SHA256
d6d2a0e5cdacdbfe30eb261204a019fbb835da0c7d42d5d4d935ac37077ac179
SHA512
8782c7abbf60a1ff773d742c8e831c186d5e79c9472fa291c11f827dbe5adb04f7b24045b54eb22bdf27a1accbbbc87458ab1f3dd37054d0f68a398809aa89ce
-
Filesize
58KB
MD5
c57a5f3267ade275e3428594e70624e2
SHA1
c360261c260817fb81dbf4d8c8f91079e02a8e3c
SHA256
b98d086e9ca5a27d9b051874752fba6044dcd37cbc6e87760a7f2332e0dfaf13
SHA512
dbfd7e5c6b5d37c3bae3addd4f4b1f51584a178da3f461d00ae2b0875cb6744866a54b0ec6d4df2d0a84063f688092a79abb8611368d27b02f61456fa9c6545c