Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/10/2024, 00:48
Static task: static1
Behavioral task: behavioral1
- Sample: f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe
- Resource: win10v2004-20241007-en
General
- Target: f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe
- Size: 70KB
- MD5: 1dc00e49cb06687846c07e0a14f3d640
- SHA1: ff4374d2e0310e11dcbde268470afdacb286713b
- SHA256: f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625da
- SHA512: 095cb3a16438fb6a5ba0abb3763bb0c315e43aeb5f34311fd8cb8daf683a21a13f59ce3b45af49b3fd327e14445ba9fd8533795a8d266028f57e932f15c9a14a
- SSDEEP: 1536:SfgLdQAQfcfymNUH5Dt9iY4W8P4b4oOUzHir1v0IIKx:SftffjmNUH5DtaOWr1v0
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid Process
  2616 Logo1_.exe
  4392 f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description ioc Process
  File opened (read-only) \??\I: Logo1_.exe
  File opened (read-only) \??\Y: Logo1_.exe
  File opened (read-only) \??\M: Logo1_.exe
  File opened (read-only) \??\L: Logo1_.exe
  File opened (read-only) \??\J: Logo1_.exe
  File opened (read-only) \??\W: Logo1_.exe
  File opened (read-only) \??\K: Logo1_.exe
  File opened (read-only) \??\G: Logo1_.exe
  File opened (read-only) \??\Z: Logo1_.exe
  File opened (read-only) \??\P: Logo1_.exe
  File opened (read-only) \??\O: Logo1_.exe
  File opened (read-only) \??\N: Logo1_.exe
  File opened (read-only) \??\S: Logo1_.exe
  File opened (read-only) \??\R: Logo1_.exe
  File opened (read-only) \??\Q: Logo1_.exe
  File opened (read-only) \??\H: Logo1_.exe
  File opened (read-only) \??\X: Logo1_.exe
  File opened (read-only) \??\V: Logo1_.exe
  File opened (read-only) \??\U: Logo1_.exe
  File opened (read-only) \??\T: Logo1_.exe
  File opened (read-only) \??\E: Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
  description ioc Process
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ar-ae\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini Logo1_.exe
  File created C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe Logo1_.exe
  File created C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Google\Update\Install\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ru-ru\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\_desktop.ini Logo1_.exe
  File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini Logo1_.exe
- Drops file in Windows directory (4 IoCs)
  description ioc Process
  File created C:\Windows\rundl132.exe f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe
  File created C:\Windows\Logo1_.exe f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe
  File opened for modification C:\Windows\rundl132.exe Logo1_.exe
  File created C:\Windows\vDll.dll Logo1_.exe
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description ioc Process
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid Process
  2616 Logo1_.exe (the same pid/process pair is listed 20 times)
- Suspicious use of WriteProcessMemory (17 IoCs)
  description pid Process procid_target
  PID 212 wrote to memory of 1360 212 f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe 83
  PID 212 wrote to memory of 1360 212 f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe 83
  PID 212 wrote to memory of 1360 212 f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe 83
  PID 212 wrote to memory of 2616 212 f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe 84
  PID 212 wrote to memory of 2616 212 f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe 84
  PID 212 wrote to memory of 2616 212 f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe 84
  PID 2616 wrote to memory of 2276 2616 Logo1_.exe 86
  PID 2616 wrote to memory of 2276 2616 Logo1_.exe 86
  PID 2616 wrote to memory of 2276 2616 Logo1_.exe 86
  PID 2276 wrote to memory of 4144 2276 net.exe 88
  PID 2276 wrote to memory of 4144 2276 net.exe 88
  PID 2276 wrote to memory of 4144 2276 net.exe 88
  PID 1360 wrote to memory of 4392 1360 cmd.exe 90
  PID 1360 wrote to memory of 4392 1360 cmd.exe 90
  PID 1360 wrote to memory of 4392 1360 cmd.exe 90
  PID 2616 wrote to memory of 3528 2616 Logo1_.exe 56
  PID 2616 wrote to memory of 3528 2616 Logo1_.exe 56
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3528
  - C:\Users\Admin\AppData\Local\Temp\f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe"
    Signatures:
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 212
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB42D.bat
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1360
      - C:\Users\Admin\AppData\Local\Temp\f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe"
        Signatures:
        - Executes dropped EXE
        PID: 4392
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2616
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2276
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures:
          - System Location Discovery: System Language Discovery
          PID: 4144
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 244KB
  MD5: 565ba06db32f5e52c804520108e009c9
  SHA1: 21beb478ce2b527b47a015f3d6d0decbb87cbb51
  SHA256: 29283e2e6d47a4ba16cb2dc7970fdad69ee47b02ad10de021261d1451009fe7c
  SHA512: 535199337eb99dc89330fa62f1869418f0179677b3711e079e8f8013b47d5dab6fcda77f832f8dd55016431ac09216ae47719819daa1006eb3120b5d44ac99df
- Filesize: 570KB
  MD5: a4190ec647af598c74421b49b14b7fdb
  SHA1: a803f46138b44eadbe630325684db20949f9f56a
  SHA256: b0b1bc5fcf8e45bfbc3deb8b987c60b4f380c2e6e2bfb977578d60081a2a5693
  SHA512: 33475b643979512015265b05fd470e72bf943513537575a569d212e4e9198366d26886d6d3c94cf688409a70bd0cd5dba1982db0f358af7f787140dbb80fa2bd
- Filesize: 728B
  MD5: fd2136783b96a40e9629e8003942e6f1
  SHA1: 8141618753e2ed75b686ba3483caaeb0b89a0f5b
  SHA256: 6fc259858bdfa748affbd4cd28a3b5cc0afa228ca4b10e3d021822e205481bb3
  SHA512: baef24ee14ec761a8713b644dfff2d782bfe86ec6d412c5855700c088ddb261eefe03c29a181133ed3a090d7946db695d2ea0b446436f170a352cefa4c8cc6b3
- C:\Users\Admin\AppData\Local\Temp\f21d807a2ded3f7f70a83ee43cd7e123cc6867c2ec5a34300f47d5a9a21625daN.exe.exe
  Filesize: 43KB
  MD5: f97a48d68afad7deeda7449820a6c352
  SHA1: 9d3091d9aa1a13f14f88c97f9f4274b3a67ce022
  SHA256: 0a868fc0cec233ae33c92485e4c8ce4a7659cfc8103d857b211e550b051be1c2
  SHA512: f865b055c3527dda5fbf0cabfb7c32e46f0bfeb763325392448f0bcc2a0de977c34f96e331d4ce508b2e0d6b8fca6d672dec79a07dd1ff5ecc32ea5e67269422
- Filesize: 26KB
  MD5: 41b7498859ec2514d5251c99701a5abb
  SHA1: 2d2c8d30b0d3232bdcb6ce0ae531120af2adfc87
  SHA256: 1e29412173e57496c61a4a9f8685d3fc9b4be142a3252cd198fa819dd2105130
  SHA512: 52f881a4753cb45e26481b1aa33e1f2266998bde7ccc6a76610d376a98c0d2f47e6462a7eee145591b9f0798ba3a22d72a1c4f1a48e6f229837f5b8bbb5b573b
- Filesize: 9B
  MD5: 1db84ab14f95c77ed9f73b444afe7548
  SHA1: a3c8282dbe6b16a8a263409827e1c94488e82bab
  SHA256: 395bbd0ae569524e627b9b111a4ac729f524e449f7dd8a1ae4d810f72e505b0e
  SHA512: fc82a2c81847882cfa78770c057a0ee8c814cb4d0f2902714f30f156f25e05e8419675e0c0700d5085d97879ccb2f7329c6251debaff4a8489fedc7910901047