44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2

General

Target

44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
Size

220KB
MD5

450da2c2e5b909da93aa0ecda8301180
SHA1

67c8c34d148c0426a5022c625498f231141b9908
SHA256

44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2
SHA512

9937b578f6bc3ec3bc6ee6cfa41ca712cb5fd6aa5f58fc4f00bbbc7e60ecb0547514391ad7696b1fffa6f4d739c66d71116ac3e5f5591f902b933b0f3301b233
SSDEEP

3072:pKsSkuJVL1Jw8KYg5zA5GsMYSxSJiN/vGss9kTBf9pAXAtPOYQwT:luJP035iMhL/vGsbTBl2wOsT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe

pid process

1280 Logo1_.exe
268 44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1572 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1572 cmd.exe

pid	process
1572	cmd.exe

pid	process
1572	cmd.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
File created	C:\Windows\Logo1_.exe	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
1280	Logo1_.exe
1280	Logo1_.exe
1280	Logo1_.exe
1280	Logo1_.exe
1280	Logo1_.exe
1280	Logo1_.exe
1280	Logo1_.exe
1280	Logo1_.exe
1280	Logo1_.exe
1280	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exeLogo1_.execmd.exenet.exe

description	pid	process	target process
PID 1508 wrote to memory of 1572	1508	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe	cmd.exe
PID 1508 wrote to memory of 1572	1508	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe	cmd.exe
PID 1508 wrote to memory of 1572	1508	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe	cmd.exe
PID 1508 wrote to memory of 1572	1508	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe	cmd.exe
PID 1508 wrote to memory of 1280	1508	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe	Logo1_.exe
PID 1508 wrote to memory of 1280	1508	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe	Logo1_.exe
PID 1508 wrote to memory of 1280	1508	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe	Logo1_.exe
PID 1508 wrote to memory of 1280	1508	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe	Logo1_.exe
PID 1280 wrote to memory of 2020	1280	Logo1_.exe	net.exe
PID 1280 wrote to memory of 2020	1280	Logo1_.exe	net.exe
PID 1280 wrote to memory of 2020	1280	Logo1_.exe	net.exe
PID 1280 wrote to memory of 2020	1280	Logo1_.exe	net.exe
PID 1572 wrote to memory of 268	1572	cmd.exe	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
PID 1572 wrote to memory of 268	1572	cmd.exe	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
PID 1572 wrote to memory of 268	1572	cmd.exe	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
PID 1572 wrote to memory of 268	1572	cmd.exe	44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
PID 2020 wrote to memory of 316	2020	net.exe	net1.exe
PID 2020 wrote to memory of 316	2020	net.exe	net1.exe
PID 2020 wrote to memory of 316	2020	net.exe	net1.exe
PID 2020 wrote to memory of 316	2020	net.exe	net1.exe
PID 1280 wrote to memory of 1252	1280	Logo1_.exe	Explorer.EXE
PID 1280 wrote to memory of 1252	1280	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
"C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9E1.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
"C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe"
4⤵
- Executes dropped EXE
PID:268

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:316

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a9E1.bat
Filesize
721B

MD5
964ea11014759a938c949e9157a74097

SHA1
080f5c9c7d7c7b8fabdb2b8a5cd10250cc680a6d

SHA256
f61081222a036a2f7249304644c12ee7688b1a4287b311992aad3d3368f34084

SHA512
b0976f30cd9e5b21def04751916e16c555803b6090868d1d93aef7191e16bf0d78c5f9038fc3a6e93374a6cdca624d4f2b3ed6a4a3a43db1209c9420dfcbbcb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
Filesize
191KB

MD5
8aa98031128ef0c81d34207e3c60d003

SHA1
182164292e382455f00349625dd5fd1e41dcc0c8

SHA256
52def964142be6891054d2f95256a3b05d66887964fcd66b34abfe32477e8965

SHA512
8ba615af6d4cad84c57c20e318d6277e4bc114c07c14b72088c526a01d414fe719a43551582ecbc38bd352979720d182efc1f639c2c3e91c78b180449bcf2c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe.exe
Filesize
191KB

MD5
8aa98031128ef0c81d34207e3c60d003

SHA1
182164292e382455f00349625dd5fd1e41dcc0c8

SHA256
52def964142be6891054d2f95256a3b05d66887964fcd66b34abfe32477e8965

SHA512
8ba615af6d4cad84c57c20e318d6277e4bc114c07c14b72088c526a01d414fe719a43551582ecbc38bd352979720d182efc1f639c2c3e91c78b180449bcf2c12

Download Submit
C:\Windows\Logo1_.exe
Filesize
29KB

MD5
beb286dcd8ba1bb38c7d451a2b14bbe0

SHA1
1378c0a34e75457c8f0eb6c242e35ec3ffb0da5d

SHA256
2ec4b5421a1dbe08e9cb7652ebc05052ae63aa4d74aaf482c4d549479877e99a

SHA512
2850ab16aa8c5bf6d6a130e188e53561b9d222fb72bf40065b4469bf8385844c92bcfd3386d28529bdb1674b5038b492b802a34c3264dbbfbf3f4c33ac03a5e7

Download Submit
C:\Windows\Logo1_.exe
Filesize
29KB

MD5
beb286dcd8ba1bb38c7d451a2b14bbe0

SHA1
1378c0a34e75457c8f0eb6c242e35ec3ffb0da5d

SHA256
2ec4b5421a1dbe08e9cb7652ebc05052ae63aa4d74aaf482c4d549479877e99a

SHA512
2850ab16aa8c5bf6d6a130e188e53561b9d222fb72bf40065b4469bf8385844c92bcfd3386d28529bdb1674b5038b492b802a34c3264dbbfbf3f4c33ac03a5e7

Download Submit
C:\Windows\rundl132.exe
Filesize
29KB

MD5
beb286dcd8ba1bb38c7d451a2b14bbe0

SHA1
1378c0a34e75457c8f0eb6c242e35ec3ffb0da5d

SHA256
2ec4b5421a1dbe08e9cb7652ebc05052ae63aa4d74aaf482c4d549479877e99a

SHA512
2850ab16aa8c5bf6d6a130e188e53561b9d222fb72bf40065b4469bf8385844c92bcfd3386d28529bdb1674b5038b492b802a34c3264dbbfbf3f4c33ac03a5e7

Download Submit
\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
Filesize
191KB

MD5
8aa98031128ef0c81d34207e3c60d003

SHA1
182164292e382455f00349625dd5fd1e41dcc0c8

SHA256
52def964142be6891054d2f95256a3b05d66887964fcd66b34abfe32477e8965

SHA512
8ba615af6d4cad84c57c20e318d6277e4bc114c07c14b72088c526a01d414fe719a43551582ecbc38bd352979720d182efc1f639c2c3e91c78b180449bcf2c12

Download Submit
memory/268-66-0x0000000074C41000-0x0000000074C43000-memory.dmp

Filesize
8KB

Download
memory/268-64-0x0000000000000000-mapping.dmp

Download
memory/316-67-0x0000000000000000-mapping.dmp

Download
memory/1280-55-0x0000000000000000-mapping.dmp

Download
memory/1280-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1280-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1508-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1572-54-0x0000000000000000-mapping.dmp

Download
memory/2020-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads