Analysis
- max time kernel: 150s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 02/09/2024, 01:21
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe
  - Resource: win7-20240704-en
General
- Target: ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe
- Size: 72KB
- MD5: cfd61ea2bcc3c9a23f231bae53f8146d
- SHA1: cc9988b67245633d34bd61834aa0beb22f12ad7d
- SHA256: ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b
- SHA512: c3d5f9e4469836b4da776a483af4850c662c454d72848a8919cc19ccb59c01340e58b2f61e1b6b3986ed2c91d188d03d3d3e1dd9b8938cd85111e3061de513aa
- SSDEEP: 1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmit3F8w8adCG:qKtfDwsjPThTYszDH2fcwdB
Malware Config
Signatures
- Deletes itself (1 IoC)
  - pid 2744: cmd.exe
- Executes dropped EXE (2 IoCs)
  - pid 1936: Logo1_.exe
  - pid 2820: ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe
- Loads dropped DLL (1 IoC)
  - pid 2744: cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 21 entries are "File opened (read-only)" by Logo1_.exe, in the order recorded:
  \??\S:, \??\P:, \??\L:, \??\K:, \??\W:, \??\U:, \??\R:, \??\N:, \??\J:, \??\I:, \??\X:, \??\V:, \??\Q:, \??\O:, \??\G:, \??\Z:, \??\T:, \??\M:, \??\H:, \??\E:, \??\Y:
- Drops file in Program Files directory (64 IoCs)
  All 64 entries are "File opened for modification" by Logo1_.exe (every target is an existing executable under Program Files):
  - C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
  - C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
  - C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe
  - C:\Program Files\Windows Journal\PDIALOG.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  - C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE
  - C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
  - C:\Program Files\Java\jre7\bin\javaws.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
  - C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
  - C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE
  - C:\Program Files\Mozilla Firefox\firefox.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
  - C:\Program Files (x86)\Windows Media Player\WMPDMC.exe
  - C:\Program Files\7-Zip\7z.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
  - C:\Program Files\Microsoft Games\Hearts\Hearts.exe
  - C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE
  - C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
  - C:\Program Files\Java\jre7\bin\kinit.exe
  - C:\Program Files\Java\jre7\bin\klist.exe
  - C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
  - C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
  - C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
  - C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
  - C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
  - C:\Program Files\Java\jre7\bin\jabswitch.exe
  - C:\Program Files\DVD Maker\DVDMaker.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
  - C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\chrome_installer.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
  - C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
  - C:\Program Files\Java\jre7\bin\unpack200.exe
  - C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
  - C:\Program Files (x86)\Windows Media Player\wmpenc.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe
  - C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
  - C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
  - C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
  - C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  - C:\Program Files\Windows Mail\WinMail.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
  - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  - C:\Program Files\Windows Defender\MpCmdRun.exe
- Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\virDll.dll (by Logo1_.exe)
  - File created: C:\Windows\Logo1_.exe (by ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
  - ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe
  - cmd.exe
  - Logo1_.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  - pid 1936: Logo1_.exe (all 8 events from this process)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Columns: description | pid | Process | procid_target | events recorded
  - PID 1848 wrote to memory of 2744 | 1848 | ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe | 30 | 4
  - PID 1848 wrote to memory of 1936 | 1848 | ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe | 31 | 4
  - PID 1936 wrote to memory of 1184 | 1936 | Logo1_.exe | 21 | 2
  - PID 2744 wrote to memory of 2820 | 2744 | cmd.exe | 33 | 4
Processes (tree; each entry gives image path, command line, PID and the signatures attributed to that process)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1184
  - C:\Users\Admin\AppData\Local\Temp\ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe"
    PID: 1848
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a932B.bat
      PID: 2744
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe"
        PID: 2820
        - Executes dropped EXE
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 1936
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file (no path recorded)
  Filesize: 722B
  MD5: 583409ee353ed734633195eefe2fcf6e
  SHA1: 49f7248aa86db367cbf55efdeaa70e820c2ff2cc
  SHA256: 1feddaae3596fab15dca479c068e5d09bd9736c3598fdad2a6382d735464a515
  SHA512: f2d3ab2d23b1ffb9b632273b4fb2357dfc0b47e7c466b9bf4dda2991cc4930b9cc4991ebdd6cde987c9bbbe961f6dadc02718f6efd4cd568cb74674648cd87bc
- C:\Users\Admin\AppData\Local\Temp\ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe.exe
  Filesize: 14KB
  MD5: 7f3fe65963dda82c24980483a0df32b3
  SHA1: 575bfd3edfea63fa34d9b90bf34138e506bc00b6
  SHA256: 7f2e236d9cbe2483146d07b11c9d74e6337c0a4b3d77e338f67e6385dea88f65
  SHA512: 9fd00c030aac9f992fcf9162855d3e7b9200c272515f8aea9f08ff36290e40fde5877aebc23a50ae844d06ce2bde5f18c4de912f1256af138fdd6e72757f3fa2
- Dropped file (no path recorded)
  Filesize: 58KB
  MD5: 13855726a688edd515f26f620ac90385
  SHA1: cc3e3b22a2d6751ed99882f8b4b1c3aa3ff0cf9e
  SHA256: d96a4bf25998b1cac3b90d55d9790b00f2cb988bab5bd49cdf0de5408038a5f0
  SHA512: 0c71909907919d2cd1c2cba23406b1f626dd4357ef7717ae59418a6a665b44c3f5cfc34e6cb1d1837e43a31dd16b2f4fdeefea30c1428db0dea9bc3a1f03f70b