Analysis
max time kernel: 149s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 16:36
Static task: static1
Behavioral task: behavioral1
  Sample: bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe
  Resource: win10v2004-20240802-en
General
Target: bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe
Size: 247KB
MD5: 7ec52ed75f36e9c33b70aea7680b2d0c
SHA1: 3785037b48c3eabfe1c788770101fb8babad1397
SHA256: bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a
SHA512: bab64bcaf30b49a35cbaa2b4cd2e976365dc43462ff7b9dd8a02c128bfa999b70cf67ec4cc867be67da657bdd60010255dcb0c21747695d2ddc12f5a2b51cde1
SSDEEP: 6144:SuJWqml5a6EdkQxiUmRQColKGAOPQK2GwIgfx+qSfF0:Pml5a6EdkQgUmR7G9QK3wJx+qSfF0
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid   Process
1728  Logo1_.exe
1176  bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc      Process
File opened (read-only)  \??\P:   Logo1_.exe
File opened (read-only)  \??\O:   Logo1_.exe
File opened (read-only)  \??\M:   Logo1_.exe
File opened (read-only)  \??\Z:   Logo1_.exe
File opened (read-only)  \??\Y:   Logo1_.exe
File opened (read-only)  \??\U:   Logo1_.exe
File opened (read-only)  \??\R:   Logo1_.exe
File opened (read-only)  \??\Q:   Logo1_.exe
File opened (read-only)  \??\K:   Logo1_.exe
File opened (read-only)  \??\J:   Logo1_.exe
File opened (read-only)  \??\H:   Logo1_.exe
File opened (read-only)  \??\G:   Logo1_.exe
File opened (read-only)  \??\W:   Logo1_.exe
File opened (read-only)  \??\V:   Logo1_.exe
File opened (read-only)  \??\T:   Logo1_.exe
File opened (read-only)  \??\S:   Logo1_.exe
File opened (read-only)  \??\L:   Logo1_.exe
File opened (read-only)  \??\N:   Logo1_.exe
File opened (read-only)  \??\X:   Logo1_.exe
File opened (read-only)  \??\I:   Logo1_.exe
File opened (read-only)  \??\E:   Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description                   ioc                      Process
File created                  C:\Windows\rundl132.exe  bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe
File created                  C:\Windows\Logo1_.exe    bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created                  C:\Windows\vDll.dll      Logo1_.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid   Process
1728  Logo1_.exe  (reported 20 times)
Suspicious use of WriteProcessMemory 17 IoCs
description                       pid   Process                                                                 procid_target
PID 540 wrote to memory of 4400   540   bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe  83   (3 times)
PID 540 wrote to memory of 1728   540   bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe  84   (3 times)
PID 1728 wrote to memory of 3644  1728  Logo1_.exe                                                              86   (3 times)
PID 3644 wrote to memory of 3008  3644  net.exe                                                                 89   (3 times)
PID 4400 wrote to memory of 1176  4400  cmd.exe                                                                 90   (3 times)
PID 1728 wrote to memory of 3464  1728  Logo1_.exe                                                              56   (2 times)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3464
  2. C:\Users\Admin\AppData\Local\Temp\bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe"
     - Drops file in Windows directory
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     PID: 540
    3. C:\Windows\SysWOW64\cmd.exe
       Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9B27.bat
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       PID: 4400
      4. C:\Users\Admin\AppData\Local\Temp\bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\bba091b2d7cb12b2ff0e6152615652370092a0746208c956509876c1f04d620a.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         PID: 1176
    3. C:\Windows\Logo1_.exe
       Command line: C:\Windows\Logo1_.exe
       - Executes dropped EXE
       - Enumerates connected drives
       - Drops file in Program Files directory
       - Drops file in Windows directory
       - System Location Discovery: System Language Discovery
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory
       PID: 1728
      4. C:\Windows\SysWOW64\net.exe
         Command line: net stop "Kingsoft AntiVirus Service"
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 3644
        5. C:\Windows\SysWOW64\net1.exe
           Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
           - System Location Discovery: System Language Discovery
           PID: 3008
Network
MITRE ATT&CK Enterprise v15
Downloads