efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728

General

Target

efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
Size

617KB
MD5

3636319b73b61f34ecba613b999ef420
SHA1

7f740c71f9f9782393fbb57a4b7d07243b6ec0b9
SHA256

efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728
SHA512

bf6dce53e80c75f80dd08f5c03d07cdba7a417c7c5e9e62a84e8ea879e25a7c7788cca968487bae808f7b7c5e38d1da3c5e3ad34027f2ce1c6e2338a6005cc56
SSDEEP

12288:9xtzfl8EmN95SKTifcNjvYRoo1QBPP2E7ZgT7FoyNjGyDe3mjW:9bl8EmN95KkFvEook2E7ivKyNjGyD3W

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exeefb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe

pid process

3004 Logo1_.exe
2216 efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\StartScreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File created	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
File created	C:\Windows\Logo1_.exe	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Logo1_.exe

pid	process
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe
3004	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exeLogo1_.exenet.execmd.exe

description	pid	process	target process
PID 1796 wrote to memory of 4880	1796	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe	cmd.exe
PID 1796 wrote to memory of 4880	1796	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe	cmd.exe
PID 1796 wrote to memory of 4880	1796	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe	cmd.exe
PID 1796 wrote to memory of 3004	1796	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe	Logo1_.exe
PID 1796 wrote to memory of 3004	1796	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe	Logo1_.exe
PID 1796 wrote to memory of 3004	1796	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe	Logo1_.exe
PID 3004 wrote to memory of 2864	3004	Logo1_.exe	net.exe
PID 3004 wrote to memory of 2864	3004	Logo1_.exe	net.exe
PID 3004 wrote to memory of 2864	3004	Logo1_.exe	net.exe
PID 2864 wrote to memory of 1064	2864	net.exe	net1.exe
PID 2864 wrote to memory of 1064	2864	net.exe	net1.exe
PID 2864 wrote to memory of 1064	2864	net.exe	net1.exe
PID 4880 wrote to memory of 2216	4880	cmd.exe	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
PID 4880 wrote to memory of 2216	4880	cmd.exe	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
PID 4880 wrote to memory of 2216	4880	cmd.exe	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
PID 3004 wrote to memory of 2692	3004	Logo1_.exe	Explorer.EXE
PID 3004 wrote to memory of 2692	3004	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
"C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2606.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
"C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe"
4⤵
- Executes dropped EXE
PID:2216

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a2606.bat
Filesize
722B

MD5
8e57be551f94f1603550595820742c4f

SHA1
0e312e2f2f54b4d9889c073e5825a23cffcab309

SHA256
388e63992ee31f990de4e70a2aae1b1817193a014149e0e9c226cbf7a897df71

SHA512
fe0c271da8cbfa64f1077e4d8fba058fc61b77cce9a765b093636c2a0d40df3acedce1600df23387d6982abba479796c742bc68a97c82b6f30dbd57ebe8a62c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe
Filesize
588KB

MD5
dd0042f0c3b606a6a8b92d49afb18ad6

SHA1
74fbb38fa923a2db686a7492c2c8feb9a23a7be4

SHA256
8d3be4c93d02af5f42ec46af598d6da40c61d467cb2fee5e222f9c1e7a84b852

SHA512
c36cf2e958c532b9d9b7d943f52e92525ceb4b0d41662ff6652f2929c26ce0afc22dff645bd44fd7878d170e0bf2dfa031d5be666e97498e6dcbe5cb113c51ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe.exe
Filesize
588KB

MD5
dd0042f0c3b606a6a8b92d49afb18ad6

SHA1
74fbb38fa923a2db686a7492c2c8feb9a23a7be4

SHA256
8d3be4c93d02af5f42ec46af598d6da40c61d467cb2fee5e222f9c1e7a84b852

SHA512
c36cf2e958c532b9d9b7d943f52e92525ceb4b0d41662ff6652f2929c26ce0afc22dff645bd44fd7878d170e0bf2dfa031d5be666e97498e6dcbe5cb113c51ba

Download Submit
C:\Windows\Logo1_.exe
Filesize
29KB

MD5
486b2ec07e9305329ba6058d9ef9d6b1

SHA1
90aea0a417079569be2dfcd369c92d7c9a016ece

SHA256
57fed882e20017888230812e229df6a0b404777c262c1b56a424dfdc95b91d58

SHA512
91da07899ad08d3f1e9dff3d8af0522ba1cc6bd75dfb1191b4eabfc5099c2e2477b6008f8cea18a366b0e14217d38660258be1d495269ef3caca3a4a4ff2c441

Download Submit
C:\Windows\Logo1_.exe
Filesize
29KB

MD5
486b2ec07e9305329ba6058d9ef9d6b1

SHA1
90aea0a417079569be2dfcd369c92d7c9a016ece

SHA256
57fed882e20017888230812e229df6a0b404777c262c1b56a424dfdc95b91d58

SHA512
91da07899ad08d3f1e9dff3d8af0522ba1cc6bd75dfb1191b4eabfc5099c2e2477b6008f8cea18a366b0e14217d38660258be1d495269ef3caca3a4a4ff2c441

Download Submit
C:\Windows\rundl132.exe
Filesize
29KB

MD5
486b2ec07e9305329ba6058d9ef9d6b1

SHA1
90aea0a417079569be2dfcd369c92d7c9a016ece

SHA256
57fed882e20017888230812e229df6a0b404777c262c1b56a424dfdc95b91d58

SHA512
91da07899ad08d3f1e9dff3d8af0522ba1cc6bd75dfb1191b4eabfc5099c2e2477b6008f8cea18a366b0e14217d38660258be1d495269ef3caca3a4a4ff2c441

Download Submit
memory/1064-139-0x0000000000000000-mapping.dmp

Download
memory/1796-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2216-143-0x0000000000000000-mapping.dmp

Download
memory/2864-138-0x0000000000000000-mapping.dmp

Download
memory/3004-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3004-133-0x0000000000000000-mapping.dmp

Download
memory/3004-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4880-132-0x0000000000000000-mapping.dmp

Download

pid	process
3004	Logo1_.exe
2216	efb57c2615b89c0335152d9427e447b259c8855270760cd6a25de82b63e89728.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads