0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f

General

Target

0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe
Size

31KB
MD5

4bc35ba1543546fc90aacf9aa3e80491
SHA1

1cc8b9910bf016e92a86541c84d8bd7e41d5401d
SHA256

0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f
SHA512

8f4c40a13ad73afe50e3df5b0a94b0fde713fde24a3bd10137a038fb40649edbc35de3905e510a93e3176823a17108e62ffd985fa8af655f5ce66ef3d71ff022
SSDEEP

768:MP1ODKAaDMG8H92RwZNQSw+IlJIJJREIOARSdxniel:MdfgLdQAQfhJIJ0IOhdIel

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Logo1_.exe

pid process

1952 Logo1_.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\WinMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe
File created	C:\Windows\Logo1_.exe	0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Logo1_.exe

pid	process
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe
1952	Logo1_.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exeLogo1_.exenet.exe

description	pid	process	target process
PID 116 wrote to memory of 448	116	0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe	cmd.exe
PID 116 wrote to memory of 448	116	0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe	cmd.exe
PID 116 wrote to memory of 448	116	0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe	cmd.exe
PID 116 wrote to memory of 1952	116	0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe	Logo1_.exe
PID 116 wrote to memory of 1952	116	0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe	Logo1_.exe
PID 116 wrote to memory of 1952	116	0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe	Logo1_.exe
PID 1952 wrote to memory of 3808	1952	Logo1_.exe	net.exe
PID 1952 wrote to memory of 3808	1952	Logo1_.exe	net.exe
PID 1952 wrote to memory of 3808	1952	Logo1_.exe	net.exe
PID 3808 wrote to memory of 3196	3808	net.exe	net1.exe
PID 3808 wrote to memory of 3196	3808	net.exe	net1.exe
PID 3808 wrote to memory of 3196	3808	net.exe	net1.exe
PID 1952 wrote to memory of 772	1952	Logo1_.exe	Explorer.EXE
PID 1952 wrote to memory of 772	1952	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe
"C:\Users\Admin\AppData\Local\Temp\0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD42D.bat
3⤵
PID:448

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:3196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aD42D.bat

Filesize
722B

MD5
4f39303d565ae0c27b9907a4df0d87f6

SHA1
e292c25d31569f3d340f46f94e6ac973951da353

SHA256
7911a6c771a5cc89e7bcf5453bc2722bc51cc3efc971dd8518762fe6a5a7f187

SHA512
fc7b5e9469b9252b6702740b99f1905074a214594a191e80f9da246a9a3f705929d8abd49f68d85d77ec8b8e0bf2c2b0995f32acd3c9463ee18685c468c99f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ee56ceeede81fb81158a8cf9514d9f3a81a6222d674d77cb06bebcf7901513f.exe.exe

Filesize
5KB

MD5
0af2c0157a7f49ffce8dd3eef4ac381e

SHA1
064c692115997658fe5c3f6f96d6c5c167777879

SHA256
386422101914cb2f3308a47ca62828ba3902765978bdba2a8de52cda3a9a8378

SHA512
ad8637babdd64627ea584206519eecee55bc65e0296b04696e9fdf456317d5724fac08cb692f37d325e2dd122e93982f4e9f00d2f97e4161d462677f944244ed

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
cd1d583a15f6d897bc3ce222b304681a

SHA1
2cc66bac208f62c400f59b8adf414d5df0d4c600

SHA256
5c18d6adee7bcb2330059ef6431a465629a3c7f4ae9dfe76a484a0917eaf3cbd

SHA512
815daa210401f2234800d230343cbd31c9e616c05addcb21f6403cfdf08c483b6db2c58e9ac0ed047ca28c95171114b816c282ea3bca10a86ac0c58511e40fd6

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
cd1d583a15f6d897bc3ce222b304681a

SHA1
2cc66bac208f62c400f59b8adf414d5df0d4c600

SHA256
5c18d6adee7bcb2330059ef6431a465629a3c7f4ae9dfe76a484a0917eaf3cbd

SHA512
815daa210401f2234800d230343cbd31c9e616c05addcb21f6403cfdf08c483b6db2c58e9ac0ed047ca28c95171114b816c282ea3bca10a86ac0c58511e40fd6

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
cd1d583a15f6d897bc3ce222b304681a

SHA1
2cc66bac208f62c400f59b8adf414d5df0d4c600

SHA256
5c18d6adee7bcb2330059ef6431a465629a3c7f4ae9dfe76a484a0917eaf3cbd

SHA512
815daa210401f2234800d230343cbd31c9e616c05addcb21f6403cfdf08c483b6db2c58e9ac0ed047ca28c95171114b816c282ea3bca10a86ac0c58511e40fd6

Download Submit
memory/116-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/116-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-133-0x0000000000000000-mapping.dmp

Download
memory/1952-134-0x0000000000000000-mapping.dmp

Download
memory/1952-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-143-0x0000000000000000-mapping.dmp

Download
memory/3808-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads