Analysis
-
max time kernel: 187s
max time network: 185s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 00:25
Static task: static1
Behavioral task: behavioral1
  Sample: 44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
  Resource: win10v2004-20221111-en
General
-
Target: 44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
Size: 220KB
MD5: 450da2c2e5b909da93aa0ecda8301180
SHA1: 67c8c34d148c0426a5022c625498f231141b9908
SHA256: 44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2
SHA512: 9937b578f6bc3ec3bc6ee6cfa41ca712cb5fd6aa5f58fc4f00bbbc7e60ecb0547514391ad7696b1fffa6f4d739c66d71116ac3e5f5591f902b933b0f3301b233
SSDEEP: 3072:pKsSkuJVL1Jw8KYg5zA5GsMYSxSJiN/vGss9kTBf9pAXAtPOYQwT:luJP035iMhL/vGsbTBl2wOsT
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  PID 2748  Logo1_.exe
  PID 3008  44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  Logo1_.exe: File opened (read-only) on each of the 22 drive roots \??\V:, \??\S:, \??\R:, \??\P:, \??\M:, \??\K:, \??\Z:, \??\N:, \??\F:, \??\Y:, \??\X:, \??\U:, \??\T:, \??\O:, \??\E:, \??\W:, \??\Q:, \??\L:, \??\J:, \??\I:, \??\H:, \??\G:
Drops file in Program Files directory (64 IoCs)
Processes:
  Logo1_.exe (64 file create / open-for-modification events under C:\Program Files)
Drops file in Windows directory (4 IoCs)
Processes:
  File created: C:\Windows\rundl132.exe  by 44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
  File created: C:\Windows\Logo1_.exe  by 44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
  File opened for modification: C:\Windows\rundl132.exe  by Logo1_.exe
  File created: C:\Windows\vDll.dll  by Logo1_.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  PID 2748  Logo1_.exe (20 identical entries)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  PID 1564 (44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe) wrote to memory of PID 3372 (cmd.exe), 3 entries
  PID 1564 (44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe) wrote to memory of PID 2748 (Logo1_.exe), 3 entries
  PID 2748 (Logo1_.exe) wrote to memory of PID 4512 (net.exe), 3 entries
  PID 4512 (net.exe) wrote to memory of PID 4824 (net1.exe), 3 entries
  PID 3372 (cmd.exe) wrote to memory of PID 3008 (44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe), 3 entries
  PID 2748 (Logo1_.exe) wrote to memory of PID 3040 (Explorer.EXE), 2 entries
Processes
-
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3040
  2. C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe"
     - Drops file in Windows directory
     - Suspicious use of WriteProcessMemory
     PID: 1564
    3. C:\Windows\SysWOW64\cmd.exe
       Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFC76.bat
       - Suspicious use of WriteProcessMemory
       PID: 3372
      4. C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe"
         - Executes dropped EXE
         PID: 3008
    3. C:\Windows\Logo1_.exe
       Command line: C:\Windows\Logo1_.exe
       - Executes dropped EXE
       - Enumerates connected drives
       - Drops file in Program Files directory
       - Drops file in Windows directory
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory
       PID: 2748
      4. C:\Windows\SysWOW64\net.exe
         Command line: net stop "Kingsoft AntiVirus Service"
         - Suspicious use of WriteProcessMemory
         PID: 4512
        5. C:\Windows\SysWOW64\net1.exe
           Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
           PID: 4824
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 722B
MD5: 351cc656bf0f9d2b1dcf101ed15f5438
SHA1: c157b1540a6eb94a6f242b3f24c9789d69c5ea7b
SHA256: bf7c62d6d1bce1f6348f7513948b2c41fa57832a13cdf7046cf8663b005d964f
SHA512: 2ff6a2762db395bf07ff9a1dd9519759a70387e043744c7e5696a4d58ec6961034c088431ba16d011087c124f9be042079449350206766d0a7ecce779baa7d84
-
C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe
(same file also recorded as C:\Users\Admin\AppData\Local\Temp\44918f5646804d33c109cae33cbe3c03e12652153b44ef2ac99be984023329a2.exe.exe)
Filesize: 191KB
MD5: 8aa98031128ef0c81d34207e3c60d003
SHA1: 182164292e382455f00349625dd5fd1e41dcc0c8
SHA256: 52def964142be6891054d2f95256a3b05d66887964fcd66b34abfe32477e8965
SHA512: 8ba615af6d4cad84c57c20e318d6277e4bc114c07c14b72088c526a01d414fe719a43551582ecbc38bd352979720d182efc1f639c2c3e91c78b180449bcf2c12
-
Filesize: 29KB (recorded three times with identical hashes)
MD5: beb286dcd8ba1bb38c7d451a2b14bbe0
SHA1: 1378c0a34e75457c8f0eb6c242e35ec3ffb0da5d
SHA256: 2ec4b5421a1dbe08e9cb7652ebc05052ae63aa4d74aaf482c4d549479877e99a
SHA512: 2850ab16aa8c5bf6d6a130e188e53561b9d222fb72bf40065b4469bf8385844c92bcfd3386d28529bdb1674b5038b492b802a34c3264dbbfbf3f4c33ac03a5e7