c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f

General

Target

c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe
Size

827KB
MD5

26254659064fb639fa6f12abebd95ba0
SHA1

e26f965b569ab5e052e6ae30adcaaf79cb824416
SHA256

c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f
SHA512

0cce29dfdd3fd18b038b50ef63c81ec60895c2a8c5ffd23c2c26fad37c41f38f1f74a2bbbaeb3330167d1140278545176b88460d58856da747e965b3e26496c6
SSDEEP

12288:Lc4SMo6QMwIcRiKLs4QgTs6tyDYaNe9BTkWNK8SeQ3m9Ks0mVj6IYaGyvQHuk9d:A6/ZUbLs4tTswyzWVBElmII77+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exec37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe

pid process

460 Logo1_.exe
1160 c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2044 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2044 cmd.exe

pid	process
460	Logo1_.exe
1160	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe

pid	process
2044	cmd.exe

pid	process
2044	cmd.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Logo1_.exe
File created	C:\Program Files\DVD Maker\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe
File created	C:\Windows\Logo1_.exe	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid process

460 Logo1_.exe
460 Logo1_.exe
460 Logo1_.exe
460 Logo1_.exe
460 Logo1_.exe
460 Logo1_.exe
460 Logo1_.exe
460 Logo1_.exe
460 Logo1_.exe
460 Logo1_.exe

pid	process
460	Logo1_.exe
460	Logo1_.exe
460	Logo1_.exe
460	Logo1_.exe
460	Logo1_.exe
460	Logo1_.exe
460	Logo1_.exe
460	Logo1_.exe
460	Logo1_.exe
460	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.execmd.exeLogo1_.exenet.exe

description	pid	process	target process
PID 2040 wrote to memory of 2044	2040	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe	cmd.exe
PID 2040 wrote to memory of 2044	2040	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe	cmd.exe
PID 2040 wrote to memory of 2044	2040	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe	cmd.exe
PID 2040 wrote to memory of 2044	2040	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe	cmd.exe
PID 2040 wrote to memory of 460	2040	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe	Logo1_.exe
PID 2040 wrote to memory of 460	2040	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe	Logo1_.exe
PID 2040 wrote to memory of 460	2040	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe	Logo1_.exe
PID 2040 wrote to memory of 460	2040	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe	Logo1_.exe
PID 2044 wrote to memory of 1160	2044	cmd.exe	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe
PID 2044 wrote to memory of 1160	2044	cmd.exe	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe
PID 2044 wrote to memory of 1160	2044	cmd.exe	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe
PID 2044 wrote to memory of 1160	2044	cmd.exe	c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe
PID 460 wrote to memory of 584	460	Logo1_.exe	net.exe
PID 460 wrote to memory of 584	460	Logo1_.exe	net.exe
PID 460 wrote to memory of 584	460	Logo1_.exe	net.exe
PID 460 wrote to memory of 584	460	Logo1_.exe	net.exe
PID 584 wrote to memory of 1304	584	net.exe	net1.exe
PID 584 wrote to memory of 1304	584	net.exe	net1.exe
PID 584 wrote to memory of 1304	584	net.exe	net1.exe
PID 584 wrote to memory of 1304	584	net.exe	net1.exe
PID 460 wrote to memory of 1204	460	Logo1_.exe	Explorer.EXE
PID 460 wrote to memory of 1204	460	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe
"C:\Users\Admin\AppData\Local\Temp\c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDC0E.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe
"C:\Users\Admin\AppData\Local\Temp\c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe"
4⤵
- Executes dropped EXE
PID:1160

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aDC0E.bat

Filesize
722B

MD5
eb9042bc00769a17cdeffae5f549dc18

SHA1
23d41b996af198849bae70d09103d2f45188a77c

SHA256
d22eb2a81103d3b0508072abe6fe7e095d9a5ae3bcd565ccce1f317dcbca503e

SHA512
d78ddd9af11f207d48ce514ecbc40e28f8211df36d654e15d9a41132fcf281727fb2254acf0da3a0b46cbc6509b3c894ffb6eb28592da02d63d94bf74fb9157a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe

Filesize
797KB

MD5
28d826c27dec73d9853af87d328a46a6

SHA1
db283f13aa80609fca715bae5051fdb32518f9f2

SHA256
1295e5885c23220864df0a62082806726a121c90ce6df14d2d241d7d0905040d

SHA512
a863256cadf6a14312a9a4a29a5b23360868aa5f915ddcceb0bad8291ac58bb25c7cb0c295f1cc328d17140fc94897528b52946744ac48f7a9c9da7ac07ce992

Download Submit
C:\Users\Admin\AppData\Local\Temp\c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe.exe

Filesize
797KB

MD5
28d826c27dec73d9853af87d328a46a6

SHA1
db283f13aa80609fca715bae5051fdb32518f9f2

SHA256
1295e5885c23220864df0a62082806726a121c90ce6df14d2d241d7d0905040d

SHA512
a863256cadf6a14312a9a4a29a5b23360868aa5f915ddcceb0bad8291ac58bb25c7cb0c295f1cc328d17140fc94897528b52946744ac48f7a9c9da7ac07ce992

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
96d0e0ccbd9f9d4d432ea028972f7202

SHA1
0128cb0d35e5ef0c60ec5cd3e4678e2fae93df30

SHA256
7309959e912fe8b6191a2fd480861494967cdb889bbfff6ab35ba4bd0eba90b4

SHA512
00458244daa5a36ef7bce53d71138a9c21b3c13d63a9d8ee2760f814e8a4c304c51828f280bdc8184b90c3fe7c0eb494cc05e67554b5f3e53ccf5f677acdea3a

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
96d0e0ccbd9f9d4d432ea028972f7202

SHA1
0128cb0d35e5ef0c60ec5cd3e4678e2fae93df30

SHA256
7309959e912fe8b6191a2fd480861494967cdb889bbfff6ab35ba4bd0eba90b4

SHA512
00458244daa5a36ef7bce53d71138a9c21b3c13d63a9d8ee2760f814e8a4c304c51828f280bdc8184b90c3fe7c0eb494cc05e67554b5f3e53ccf5f677acdea3a

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
96d0e0ccbd9f9d4d432ea028972f7202

SHA1
0128cb0d35e5ef0c60ec5cd3e4678e2fae93df30

SHA256
7309959e912fe8b6191a2fd480861494967cdb889bbfff6ab35ba4bd0eba90b4

SHA512
00458244daa5a36ef7bce53d71138a9c21b3c13d63a9d8ee2760f814e8a4c304c51828f280bdc8184b90c3fe7c0eb494cc05e67554b5f3e53ccf5f677acdea3a

Download Submit
\Users\Admin\AppData\Local\Temp\c37895ad70b9cf51194c83710e39b6cc00b140373a8b267a578676854dbffe1f.exe

Filesize
797KB

MD5
28d826c27dec73d9853af87d328a46a6

SHA1
db283f13aa80609fca715bae5051fdb32518f9f2

SHA256
1295e5885c23220864df0a62082806726a121c90ce6df14d2d241d7d0905040d

SHA512
a863256cadf6a14312a9a4a29a5b23360868aa5f915ddcceb0bad8291ac58bb25c7cb0c295f1cc328d17140fc94897528b52946744ac48f7a9c9da7ac07ce992

Download Submit
memory/460-57-0x0000000000000000-mapping.dmp

Download
memory/460-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/460-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/584-67-0x0000000000000000-mapping.dmp

Download
memory/1160-64-0x0000000000000000-mapping.dmp

Download
memory/1160-66-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1304-69-0x0000000000000000-mapping.dmp

Download
memory/2040-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2040-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2044-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads