Analysis
-
max time kernel
149s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 23:06
Static task
static1
Behavioral task
behavioral1
Sample
e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe
Resource
win10v2004-20240802-en
General
-
Target
e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe
-
Size
893KB
-
MD5
7ec8a9f45d3bdc8d6a4f0136395bd07c
-
SHA1
937a00b209de16bd35061796899fac691058b88f
-
SHA256
e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52
-
SHA512
7d58b572067b57315f4d6cce88a6cad147a8a6b9e247356b0a2cec67f119b70eec0baeb25f5f82d4dde3867bfe6ff3b2ee40cf83b4e1b194684aa782c8cb8bd6
-
SSDEEP
12288:tQcDD6i1zuxxZWm+ljKWaladVakMl9TT1fLeH2e4TQnKoCRagc:Ky6i1zuxw7ljsarakkqt4jtwR
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 1432 Logo1_.exe 5108 e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini Logo1_.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\server\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\bin\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Portable Devices\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pl-PL\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\sm\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\_desktop.ini Logo1_.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe File created C:\Windows\rundl132.exe e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe File created C:\Windows\Logo1_.exe e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe 1432 Logo1_.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1912 wrote to memory of 3624 1912 e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe 83 PID 1912 wrote to memory of 3624 1912 e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe 83 PID 1912 wrote to memory of 3624 1912 e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe 83 PID 1912 wrote to memory of 1432 1912 e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe 84 PID 1912 wrote to memory of 1432 1912 e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe 84 PID 1912 wrote to memory of 1432 1912 e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe 84 PID 1432 wrote to memory of 1904 1432 Logo1_.exe 86 PID 1432 wrote to memory of 1904 1432 Logo1_.exe 86 PID 1432 wrote to memory of 1904 1432 Logo1_.exe 86 PID 1904 wrote to memory of 1404 1904 net.exe 88 PID 1904 wrote to memory of 1404 1904 net.exe 88 PID 1904 wrote to memory of 1404 1904 net.exe 88 PID 3624 wrote to memory of 5108 3624 cmd.exe 89 PID 3624 wrote to memory of 5108 3624 cmd.exe 89 PID 1432 wrote to memory of 3492 1432 Logo1_.exe 56 PID 1432 wrote to memory of 3492 1432 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe"C:\Users\Admin\AppData\Local\Temp\e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7261.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe"C:\Users\Admin\AppData\Local\Temp\e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe"4⤵
- Executes dropped EXE
PID:5108
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:1404
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
247KB
MD5e440b5bbbbcce84e067fd7e5ea90ab24
SHA1b1479b7652e9775e459133e69e0f9b90a1b2a785
SHA256a8480343324ee591d772de83c6d956258cb7d37c505b9155e9a7aef4df5aa3ff
SHA512e28e2546486cbb1b59b4ab93a5d8a202e6d6eab8cbfa4e96b3436694a47a5b9e7628b55eb473be19d16ecd751ac81b7a4a622f598ee81e2275b7c9a7a7582e20
-
Filesize
573KB
MD52ab6e8b7aab48ca2c3ce6355d99e0412
SHA10497cb4608490d89e0d6d142fec80495041aa79c
SHA2567fc89158149be43ce900c001fa51b3136f604268cab2e249a51b2d51aca30d15
SHA51277db9d50da415b7d632b350df9dfe3d0de67bb33ca9cacba81531be1c32fdf72a87bbfe0aa18d222abff4c613326d81d3682a3c6065c91ba4c358e039ae74b08
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize639KB
MD5ad5a7e5eb1a1cdd791957e07c93748ae
SHA16e4f8c5f4d791327e11d0d68ca6f514554af8481
SHA256cfee92d916fbbb95d8282c3264d3708ad1ddfdd9db4daaf00e0c96a22854c4dc
SHA512a8acd191aec48dac8d5808a93ee973ea52793140e318b4d870fb10e4e8ba0756fe95654134dd1c175168375a0f7caebfd8a7d46a9b3dc71006f830b53dd9fefe
-
Filesize
722B
MD5c3fd272de949ac3f48dcab5a65b810e5
SHA11899e4da7ecc14dd968bde91f49858bf786ed0b6
SHA256ca9548cae97b76b16c0967eb292ed9b123538bb1813333745fa10bc09dc0203b
SHA51288102d215174e241d4353d406821fa203dfb2d24434eff3e8ddfef8d5f290b795a072f73e048954baa9a6c79f05654c4e801bab00f73003c2ce13537d8bd072d
-
C:\Users\Admin\AppData\Local\Temp\e52e53d01b28b219e4d73968ab622bcdaa75bbdf6d5d664c479e133041edec52.exe.exe
Filesize864KB
MD536f5184e70e96529ee2273fd22e769d7
SHA10657d9d4eb0a2984ad472f2836af61f3108fef2c
SHA256c6bf34306539cb5a72392a1d1299e1d90a52f3d1f074c9475732ca8354d048bf
SHA512bab68dcc8f94722cec4ba4b3001754b767f8a9836f07e6aef0d6f3c82e0cd9a8aa073b4dd92df6b6039e800028fb508f97bfd8b1699c0656033245dc591aecc2
-
Filesize
29KB
MD5e204efa82c4df71160c451caec4787e5
SHA1e56ddb6d0afdb9aa1bf4808765b25cf4a2fdc279
SHA2564ff7272e95a79354eb6d72c784593bd6a0820fe9e512ff176a51fef8929b5bd9
SHA5126ee14cc010de5b04eee707242a6f4471739cc62bf86a332d5c0e90f15a778fe2ef1d8e1bf7f86a603cbf00fa8e302c09f533f837f5d67f62743396074ed030c9
-
Filesize
9B
MD5475984718232cf008bb73666d834f1f4
SHA112f23c9301c222f599a279e02a811d274d0f4abc
SHA256a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5
SHA51280235dc2560b7991d79f9550cdeca6ac02c00cee6bf186f8f20d4ff3fbd7718be937b73ab768d71c4027e153557b08bbfd95ea88d2e0857a7c70cf1da6fa9937