Analysis

| Field | Value |
|---|---|
| max time kernel | 119s |
| max time network | 17s |
| platform | windows7_x64 |
| resource | win7-20240708-en |
| resource tags | arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system |
| submitted | 09/10/2024, 00:48 |
| Task | Sample | Resource |
|---|---|---|
| Static task: static1 | | |
| Behavioral task: behavioral1 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe | win7-20240708-en |
| Behavioral task: behavioral2 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe | win10v2004-20241007-en |
General

| Field | Value |
|---|---|
| Target | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe |
| Size | 70KB |
| MD5 | 1dc00e49cb06687846c07e0a14f3d640 |
| SHA1 | ff4374d2e0310e11dcbde268470afdacb286713b |
| SHA256 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625da |
| SHA512 | 095cb3a16438fb6a5ba0abb3763bb0c315e43aeb5f34311fd8cb8daf683a21a13f59ce3b45af49b3fd327e14445ba9fd8533795a8d266028f57e932f15c9a14a |
| SSDEEP | 1536:SfgLdQAQfcfymNUH5Dt9iY4W8P4b4oOUzHir1v0IIKx:SftffjmNUH5DtaOWr1v0 |
Malware Config
Signatures

Deletes itself (1 IoC)

| pid | Process |
|---|---|
| 108 | cmd.exe |

Executes dropped EXE (2 IoCs)

| pid | Process |
|---|---|
| 2680 | Logo1_.exe |
| 2592 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe |

Loads dropped DLL (1 IoC)

| pid | Process |
|---|---|
| 108 | cmd.exe |

Enumerates connected drives (3 TTPs, 21 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\P: | Logo1_.exe |
| File opened (read-only) | \??\N: | Logo1_.exe |
| File opened (read-only) | \??\H: | Logo1_.exe |
| File opened (read-only) | \??\G: | Logo1_.exe |
| File opened (read-only) | \??\Q: | Logo1_.exe |
| File opened (read-only) | \??\X: | Logo1_.exe |
| File opened (read-only) | \??\W: | Logo1_.exe |
| File opened (read-only) | \??\K: | Logo1_.exe |
| File opened (read-only) | \??\J: | Logo1_.exe |
| File opened (read-only) | \??\E: | Logo1_.exe |
| File opened (read-only) | \??\Y: | Logo1_.exe |
| File opened (read-only) | \??\T: | Logo1_.exe |
| File opened (read-only) | \??\Z: | Logo1_.exe |
| File opened (read-only) | \??\U: | Logo1_.exe |
| File opened (read-only) | \??\S: | Logo1_.exe |
| File opened (read-only) | \??\R: | Logo1_.exe |
| File opened (read-only) | \??\O: | Logo1_.exe |
| File opened (read-only) | \??\M: | Logo1_.exe |
| File opened (read-only) | \??\L: | Logo1_.exe |
| File opened (read-only) | \??\I: | Logo1_.exe |
| File opened (read-only) | \??\V: | Logo1_.exe |

Drops file in Program Files directory (64 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Program Files\Java\jre7\lib\ext\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | Logo1_.exe |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Mail\fr-FR\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\7-Zip\Lang\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Journal\it-IT\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | Logo1_.exe |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Google\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | Logo1_.exe |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\es-ES\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\Microsoft Games\Minesweeper\en-US\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\VideoLAN\VLC\locale\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\am_ET\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\Windows Defender\en-US\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | Logo1_.exe |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\Java\jre7\lib\fonts\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini | Logo1_.exe |
| File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini | Logo1_.exe |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | Logo1_.exe |
| File created | C:\Program Files\DVD Maker\en-US\_desktop.ini | Logo1_.exe |

Drops file in Windows directory (4 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\rundl132.exe | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe |
| File created | C:\Windows\Logo1_.exe | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe |
| File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe |
| File created | C:\Windows\vDll.dll | Logo1_.exe |
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

Attempts to gather information about the system language of a victim host in order to infer its geographical location.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe |
Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)

| pid | Process |
|---|---|
| 2680 | Logo1_.exe |
| 2680 | Logo1_.exe |
| 2680 | Logo1_.exe |
| 2680 | Logo1_.exe |
| 2680 | Logo1_.exe |
| 2680 | Logo1_.exe |
| 2680 | Logo1_.exe |
| 2680 | Logo1_.exe |
| 2680 | Logo1_.exe |
| 2680 | Logo1_.exe |

Suspicious use of WriteProcessMemory (22 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1780 wrote to memory of 108 | 1780 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe | 31 |
| PID 1780 wrote to memory of 108 | 1780 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe | 31 |
| PID 1780 wrote to memory of 108 | 1780 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe | 31 |
| PID 1780 wrote to memory of 108 | 1780 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe | 31 |
| PID 1780 wrote to memory of 2680 | 1780 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe | 32 |
| PID 1780 wrote to memory of 2680 | 1780 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe | 32 |
| PID 1780 wrote to memory of 2680 | 1780 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe | 32 |
| PID 1780 wrote to memory of 2680 | 1780 | f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe | 32 |
| PID 2680 wrote to memory of 3012 | 2680 | Logo1_.exe | 34 |
| PID 2680 wrote to memory of 3012 | 2680 | Logo1_.exe | 34 |
| PID 2680 wrote to memory of 3012 | 2680 | Logo1_.exe | 34 |
| PID 2680 wrote to memory of 3012 | 2680 | Logo1_.exe | 34 |
| PID 3012 wrote to memory of 2824 | 3012 | net.exe | 36 |
| PID 3012 wrote to memory of 2824 | 3012 | net.exe | 36 |
| PID 3012 wrote to memory of 2824 | 3012 | net.exe | 36 |
| PID 3012 wrote to memory of 2824 | 3012 | net.exe | 36 |
| PID 108 wrote to memory of 2592 | 108 | cmd.exe | 37 |
| PID 108 wrote to memory of 2592 | 108 | cmd.exe | 37 |
| PID 108 wrote to memory of 2592 | 108 | cmd.exe | 37 |
| PID 108 wrote to memory of 2592 | 108 | cmd.exe | 37 |
| PID 2680 wrote to memory of 1124 | 2680 | Logo1_.exe | 20 |
| PID 2680 wrote to memory of 1124 | 2680 | Logo1_.exe | 20 |
Processes

- C:\Windows\Explorer.EXE (PID 1124)
  - Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe (PID 1780)
    - Command line: "C:\Users\Admin\AppData\Local\Temp\f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe"
    - Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 108)
      - Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE13B.bat
      - Signatures: Deletes itself; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe (PID 2592)
        - Command line: "C:\Users\Admin\AppData\Local\Temp\f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe"
        - Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 2680)
      - Command line: C:\Windows\Logo1_.exe
      - Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 3012)
        - Command line: net stop "Kingsoft AntiVirus Service"
        - Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2824)
          - Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize 728B
- C:\Users\Admin\AppData\Local\Temp\f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe.exe, filesize 43KB
- Filesize 85B
- Filesize 26KB
- Filesize 9B