Automated Malware Analysis IOC Report for

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	7.642545552164292
Filename:	logioptionsplus_installer.exe
Filesize:	30695680
MD5:	719485510aeabbf435c804ea39851462
SHA1:	687cbc30eeea5fae9acf5a289702dbeb873ba6c6
SHA256:	634b485749719ce9089a2b82ac1021f989873e1bad31b19756a0fe67dbe67167
SHA512:	d63ff636f23a81dfe7be526c91719b83bff4bad66170a680362016ce50ebfbfd91853ee1b369902c2e2c24a8d088912d43f26d122c813d3d6a2b2424b8da8396
SSDEEP:	393216:HwnsqS5Gwb6+lptVYmfr7yBG/4oyFN/YuuccKU9oxcS2ZFpYLbNXFzX5P5ZS7MUi:Hwn+5GU6upttD7yBG/PcXU9g5zLrb
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<d..].I.].I.].I.%.I.].IM-.H.].I.].I0].I.#.H.].I.#.H.].I.#.H.].IM-.H.].IM-.H.].IM-.H.].I.".H.].I.".I.].I.].I.].I.".H.].IRich.].

Signature Hits	Behavior Group	Mitre Attack
PE file contains executable resources (Code or Archives)	System Summary
PE file contains sections with non-standard names	Data Obfuscation	File Deletion
Creates temporary files	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE file has a big raw section	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

Details

File:	C:\ProgramData\LogiOptionsPlus\next.json
Category:	dropped
Dump:	next.json.2.dr
ID:	dr_42
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\optionsplus-21c9-ea0e-f34c-ee3a\logioptionsplus_setup.exe
Type:	JSON data
Entropy:	4.134395999692706
Encrypted:	false
Size:	107
Whitelisted:	false

Details

File:	C:\ProgramData\LogiOptionsPlus\periodic_check.json
Category:	modified
Dump:	periodic_check.json.2.dr
ID:	dr_43
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\optionsplus-21c9-ea0e-f34c-ee3a\logioptionsplus_setup.exe
Type:	JSON data
Entropy:	4.765749494103495
Encrypted:	false
Size:	147
Whitelisted:	false

Details

File:	C:\ProgramData\Logishrd\{5c4ad735-8c88-42f2-b573-9c8beef54821}_logioptionsplus_setup\PageInstalled.gif
Category:	dropped
Dump:	PageInstalled.gif.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\optionsplus-21c9-ea0e-f34c-ee3a\logioptionsplus_setup.exe
Type:	GIF image data, version 89a, 800 x 400
Entropy:	7.921156286103369
Encrypted:	false
Size:	31395
Whitelisted:	false

Details

File:	C:\ProgramData\Logishrd\{5c4ad735-8c88-42f2-b573-9c8beef54821}_logioptionsplus_setup\PageLegacyOptions.gif
Category:	dropped
Dump:	PageLegacyOptions.gif.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\optionsplus-21c9-ea0e-f34c-ee3a\logioptionsplus_setup.exe
Type:	GIF image data, version 89a, 800 x 400
Entropy:	7.8374027371239015
Encrypted:	false
Size:	26348
Whitelisted:	false

Details

File:	C:\ProgramData\Logishrd\{5c4ad735-8c88-42f2-b573-9c8beef54821}_logioptionsplus_setup\PageUnsupportedOs.gif
Category:	dropped
Dump:	PageUnsupportedOs.gif.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\optionsplus-21c9-ea0e-f34c-ee3a\logioptionsplus_setup.exe
Type:	GIF image data, version 89a, 800 x 400
Entropy:	7.8366827140862645
Encrypted:	false
Size:	24284
Whitelisted:	false

Details

File:	C:\ProgramData\Logishrd\{5c4ad735-8c88-42f2-b573-9c8beef54821}_logioptionsplus_setup\logi_installer_shared_optionsplus.dll
Category:	dropped
Dump:	logi_installer_shared_optionsplus.dll.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\optionsplus-21c9-ea0e-f34c-ee3a\logioptionsplus_setup.exe
Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy:	6.465693392402344
Encrypted:	false
Size:	9407488
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Details

File:	C:\ProgramData\Logishrd\{5c4ad735-8c88-42f2-b573-9c8beef54821}_logioptionsplus_setup\vc_redist.x64.exe
Category:	dropped
Dump:	vc_redist.x64.exe.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\optionsplus-21c9-ea0e-f34c-ee3a\logioptionsplus_setup.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.99595782028495
Encrypted:	true
Size:	15060496
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Deletes files inside the Windows folder	System Summary	File Deletion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
Category:	dropped
Dump:	WMSDKNS.DTD.2.dr
ID:	dr_7
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\optionsplus-21c9-ea0e-f34c-ee3a\logioptionsplus_setup.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	5.103913616294899
Encrypted:	false
Size:	498
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Category:	dropped
Dump:	WMSDKNS.XML.2.dr
ID:	dr_6
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\optionsplus-21c9-ea0e-f34c-ee3a\logioptionsplus_setup.exe
Type:	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy:	4.792342140217129
Encrypted:	false
Size:	10191
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\com.logi.optionsplus.installer.logs\20240829T201147-installer-6980.log
Category:	dropped
Dump:	20240829T201147-installer-6980.log.2.dr
ID:	dr_44
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\optionsplus-21c9-ea0e-f34c-ee3a\logioptionsplus_setup.exe
Type:	ASCII text, with CRLF, LF line terminators
Entropy:	5.007185734327359
Encrypted:	false
Size:	179
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates install or setup log file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20240829161143.log
Category:	dropped
Dump:	dd_vcredist_amd64_20240829161143.log.4.dr
ID:	dr_34
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.49044436732878
Encrypted:	false
Size:	7226
Whitelisted:	false

Details

File:	C:\Users\user\AppData\Local\Temp\optionsplus-21c9-ea0e-f34c-ee3a\logioptionsplus_setup.exe
Category:	dropped
Dump:	logioptionsplus_setup.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\logioptionsplus_installer.exe
Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy:	7.657053259395651
Encrypted:	false
Size:	29963520
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Checks for available system drives (often done to infect USB drives)	Spreading	Replication Through Removable Media Peripheral Device Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	System Information Discovery
Reads ini files	System Summary	File and Directory Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Creates install or setup log file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Category:	dropped
Dump:	vc_redist.x64.exe.3.dr
ID:	dr_8
Target ID:	3
Process:	C:\ProgramData\Logishrd\{5c4ad735-8c88-42f2-b573-9c8beef54821}_logioptionsplus_setup\vc_redist.x64.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.216534710571963
Encrypted:	false
Size:	647904
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Deletes files inside the Windows folder	System Summary	File Deletion
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1028\license.rtf
Category:	dropped
Dump:	license.rtf6.4.dr
ID:	dr_25
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	4.036737741619669
Encrypted:	false
Size:	18127
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1028\thm.wxl
Category:	dropped
Dump:	thm.wxl5.4.dr
ID:	dr_23
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	6.163758160900388
Encrypted:	false
Size:	2980
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1029\license.rtf
Category:	dropped
Dump:	license.rtf8.4.dr
ID:	dr_29
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	5.125552901367032
Encrypted:	false
Size:	13053
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1029\thm.wxl
Category:	dropped
Dump:	thm.wxl7.4.dr
ID:	dr_27
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	5.370651462060085
Encrypted:	false
Size:	3333
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1031\license.rtf
Category:	dropped
Dump:	license.rtf10.4.dr
ID:	dr_33
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	5.194264396634094
Encrypted:	false
Size:	11936
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1031\thm.wxl
Category:	dropped
Dump:	thm.wxl9.4.dr
ID:	dr_31
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	5.094097800535488
Encrypted:	false
Size:	3379
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1036\license.rtf
Category:	dropped
Dump:	license.rtf11.4.dr
ID:	dr_36
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	5.106817099949188
Encrypted:	false
Size:	11593
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1036\thm.wxl
Category:	dropped
Dump:	thm.wxl10.4.dr
ID:	dr_35
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	5.0912204406356905
Encrypted:	false
Size:	3366
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1040\license.rtf
Category:	dropped
Dump:	license.rtf12.4.dr
ID:	dr_41
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	5.046489958240229
Encrypted:	false
Size:	11281
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1040\thm.wxl
Category:	dropped
Dump:	thm.wxl12.4.dr
ID:	dr_40
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	5.019774955491369
Encrypted:	false
Size:	3319
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1041\license.rtf
Category:	dropped
Dump:	license.rtf.4.dr
ID:	dr_10
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	3.7669201853275722
Encrypted:	false
Size:	28232
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1041\thm.wxl
Category:	dropped
Dump:	thm.wxl.4.dr
ID:	dr_9
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	5.955167044943003
Encrypted:	false
Size:	3959
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1042\license.rtf
Category:	dropped
Dump:	license.rtf0.4.dr
ID:	dr_12
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	3.871317037004171
Encrypted:	false
Size:	27936
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1042\thm.wxl
Category:	dropped
Dump:	thm.wxl0.4.dr
ID:	dr_11
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	5.985100495461761
Encrypted:	false
Size:	3249
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1045\license.rtf
Category:	dropped
Dump:	license.rtf1.4.dr
ID:	dr_14
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	5.358483628484379
Encrypted:	false
Size:	13265
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1045\thm.wxl
Category:	dropped
Dump:	thm.wxl1.4.dr
ID:	dr_13
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	5.268378763359481
Encrypted:	false
Size:	3212
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1046\license.rtf
Category:	dropped
Dump:	license.rtf2.4.dr
ID:	dr_16
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	5.092962528947159
Encrypted:	false
Size:	10656
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1046\thm.wxl
Category:	dropped
Dump:	thm.wxl2.4.dr
ID:	dr_15
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	5.150868216959352
Encrypted:	false
Size:	3095
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1049\license.rtf
Category:	dropped
Dump:	license.rtf3.4.dr
ID:	dr_18
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	3.6440775919653996
Encrypted:	false
Size:	31915
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1049\thm.wxl
Category:	dropped
Dump:	thm.wxl3.4.dr
ID:	dr_17
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	5.444436038992627
Encrypted:	false
Size:	4150
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1055\license.rtf
Category:	dropped
Dump:	license.rtf5.4.dr
ID:	dr_22
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	5.214715951393874
Encrypted:	false
Size:	13379
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\1055\thm.wxl
Category:	dropped
Dump:	thm.wxl4.4.dr
ID:	dr_20
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	5.280530692056262
Encrypted:	false
Size:	3221
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\2052\license.rtf
Category:	dropped
Dump:	license.rtf7.4.dr
ID:	dr_26
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	3.9617786349452775
Encrypted:	false
Size:	17863
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\2052\thm.wxl
Category:	dropped
Dump:	thm.wxl6.4.dr
ID:	dr_24
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	6.135205733555905
Encrypted:	false
Size:	2978
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\3082\license.rtf
Category:	dropped
Dump:	license.rtf9.4.dr
ID:	dr_30
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	5.122578090102117
Encrypted:	false
Size:	10714
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\3082\thm.wxl
Category:	dropped
Dump:	thm.wxl8.4.dr
ID:	dr_28
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	5.0491645049584655
Encrypted:	false
Size:	3265
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\BootstrapperApplicationData.xml
Category:	dropped
Dump:	BootstrapperApplicationData.xml.4.dr
ID:	dr_32
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (591), with CRLF line terminators
Entropy:	3.72805455167576
Encrypted:	false
Size:	13188
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\license.rtf
Category:	dropped
Dump:	license.rtf4.4.dr
ID:	dr_21
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Entropy:	5.157073875669985
Encrypted:	false
Size:	9046
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Creates license or readme file	Compliance, Persistence and Installation Behavior

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\logo.png
Category:	dropped
Dump:	logo.png.4.dr
ID:	dr_19
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	PNG image data, 64 x 64, 8-bit colormap, non-interlaced
Entropy:	6.868587546770907
Encrypted:	false
Size:	1861
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\thm.wxl
Category:	dropped
Dump:	thm.wxl11.4.dr
ID:	dr_39
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	5.052095286906672
Encrypted:	false
Size:	2952
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\thm.xml
Category:	dropped
Dump:	thm.xml.4.dr
ID:	dr_38
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	5.184632608060528
Encrypted:	false
Size:	8332
Whitelisted:	false

Details

File:	C:\Windows\Temp\{C7C1DD64-5C4D-4753-A82D-A5722BC14B7C}\.ba\wixstdba.dll
Category:	dropped
Dump:	wixstdba.dll.4.dr
ID:	dr_37
Target ID:	4
Process:	C:\Windows\Temp\{290B7A63-DF99-4623-AAC0-79B88F78147A}\.cr\vc_redist.x64.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.682530937585544
Encrypted:	false
Size:	195600
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the windows directory (C:\Windows)	Persistence and Installation Behavior	Masquerading
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
logioptionsplus_installer.exe

Files

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportlogioptionsplus_installer.exe

Files

Domains

IPs

IOC Report
logioptionsplus_installer.exe