388bd4292ed62796659d51afd0c69fb8542793182504c4f696e692c8ffb0321f

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe
Size

72KB
MD5

cfd61ea2bcc3c9a23f231bae53f8146d
SHA1

cc9988b67245633d34bd61834aa0beb22f12ad7d
SHA256

ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b
SHA512

c3d5f9e4469836b4da776a483af4850c662c454d72848a8919cc19ccb59c01340e58b2f61e1b6b3986ed2c91d188d03d3d3e1dd9b8938cd85111e3061de513aa
SSDEEP

1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmit3F8w8adCG:qKtfDwsjPThTYszDH2fcwdB

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5080	Logo1_.exe
1912	ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeComRegisterShellARM64.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80406\java.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmprph.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateCore.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{63FECC1B-8F0C-4431-8BCF-116FCD47AD2C}\chrome_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe	Logo1_.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe
File created	C:\Windows\virDll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe
5080	Logo1_.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 2068	4496	ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe	83
PID 4496 wrote to memory of 2068	4496	ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe	83
PID 4496 wrote to memory of 2068	4496	ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe	83
PID 4496 wrote to memory of 5080	4496	ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe	84
PID 4496 wrote to memory of 5080	4496	ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe	84
PID 4496 wrote to memory of 5080	4496	ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe	84
PID 5080 wrote to memory of 2964	5080	Logo1_.exe	49
PID 5080 wrote to memory of 2964	5080	Logo1_.exe	49
PID 2068 wrote to memory of 1912	2068	cmd.exe	86
PID 2068 wrote to memory of 1912	2068	cmd.exe	86
PID 2068 wrote to memory of 1912	2068	cmd.exe	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2964
- C:\Users\Admin\AppData\Local\Temp\ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe
  "C:\Users\Admin\AppData\Local\Temp\ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8CFE.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe
      "C:\Users\Admin\AppData\Local\Temp\ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe"
      4⤵
      Executes dropped EXE
      PID:1912
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zG.exe

Filesize
742KB

MD5
211bccc518cb3343546f718028b09d98

SHA1
85098c45162f10909a6144562a9e76398c63bc82

SHA256
d34964eff7bce38cdfb690b018896cbc1f45000b05730c19ed00b8d1ee37852c

SHA512
7581ebaee1b46bdb83161e829922e0aec4e2d8ff5fd2a0c33c5ffb330e96b16e52671fd0dcbf952b60a38466e822c3fc1547fd795b441902a27d45521ed240bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8CFE.bat

Filesize
722B

MD5
30dd56d1fcf0101b50f02aeb9d836827

SHA1
1997d1e97e7623dbc37a8c0a2bea1cf6011bbc74

SHA256
9a0b1bb18d337e5aec9d9070ddcba230ff782d02ee592bc0a45babe4db06bd2c

SHA512
44d72f04e71dfa8101db01ea13ed30e2771ec64da2f0765bdd64e4498e2e4e3b1bbf26bef272dbfd8a756937c9e0163a1c5e2b4084b6979f3a10cc3c9a0cc3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed21af234022186ccc65c22880702d9b755628f27892056b94d936029464b09b.exe.exe

Filesize
14KB

MD5
7f3fe65963dda82c24980483a0df32b3

SHA1
575bfd3edfea63fa34d9b90bf34138e506bc00b6

SHA256
7f2e236d9cbe2483146d07b11c9d74e6337c0a4b3d77e338f67e6385dea88f65

SHA512
9fd00c030aac9f992fcf9162855d3e7b9200c272515f8aea9f08ff36290e40fde5877aebc23a50ae844d06ce2bde5f18c4de912f1256af138fdd6e72757f3fa2

Download Submit
C:\Windows\Logo1_.exe

Filesize
58KB

MD5
13855726a688edd515f26f620ac90385

SHA1
cc3e3b22a2d6751ed99882f8b4b1c3aa3ff0cf9e

SHA256
d96a4bf25998b1cac3b90d55d9790b00f2cb988bab5bd49cdf0de5408038a5f0

SHA512
0c71909907919d2cd1c2cba23406b1f626dd4357ef7717ae59418a6a665b44c3f5cfc34e6cb1d1837e43a31dd16b2f4fdeefea30c1428db0dea9bc3a1f03f70b

Download Submit
memory/4496-6-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5080-221-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download