b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add

General

Target

b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe
Size

77KB
MD5

07c3595f6b45a377b023d8f85f663fc0
SHA1

d990ae4c8f9980c5728876132b4cae6f3d42f8e8
SHA256

b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add
SHA512

ad1716c036b424e5e2a1f2663de3c869600e72a964f2a144629ebbbb626dcb75376bfc8a464e03e27727c7f9f9c555a8aab65fad40e8529385f2fff89c26879e
SSDEEP

1536:4l3SHuJV9yi7lXMgdiSAuGsQ1OWxXnhipohLxUneR9lVFqkfm4rv:4lkuJVtVMgdiSAuGsQgWxXnhipohLxUw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exeb177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe

pid process

1744 Logo1_.exe
1304 b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

888 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

888 cmd.exe
888 cmd.exe

pid	process
888	cmd.exe

pid	process
888	cmd.exe
888	cmd.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe
File created	C:\Windows\Logo1_.exe	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
1744	Logo1_.exe
1744	Logo1_.exe
1744	Logo1_.exe
1744	Logo1_.exe
1744	Logo1_.exe
1744	Logo1_.exe
1744	Logo1_.exe
1744	Logo1_.exe
1744	Logo1_.exe
1744	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe

pid process

1304 b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe

pid	process
1304	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.execmd.exeLogo1_.exenet.exe

description	pid	process	target process
PID 1296 wrote to memory of 888	1296	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe	cmd.exe
PID 1296 wrote to memory of 888	1296	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe	cmd.exe
PID 1296 wrote to memory of 888	1296	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe	cmd.exe
PID 1296 wrote to memory of 888	1296	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe	cmd.exe
PID 1296 wrote to memory of 1744	1296	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe	Logo1_.exe
PID 1296 wrote to memory of 1744	1296	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe	Logo1_.exe
PID 1296 wrote to memory of 1744	1296	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe	Logo1_.exe
PID 1296 wrote to memory of 1744	1296	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe	Logo1_.exe
PID 888 wrote to memory of 1304	888	cmd.exe	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe
PID 888 wrote to memory of 1304	888	cmd.exe	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe
PID 888 wrote to memory of 1304	888	cmd.exe	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe
PID 888 wrote to memory of 1304	888	cmd.exe	b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe
PID 1744 wrote to memory of 1752	1744	Logo1_.exe	net.exe
PID 1744 wrote to memory of 1752	1744	Logo1_.exe	net.exe
PID 1744 wrote to memory of 1752	1744	Logo1_.exe	net.exe
PID 1744 wrote to memory of 1752	1744	Logo1_.exe	net.exe
PID 1752 wrote to memory of 1292	1752	net.exe	net1.exe
PID 1752 wrote to memory of 1292	1752	net.exe	net1.exe
PID 1752 wrote to memory of 1292	1752	net.exe	net1.exe
PID 1752 wrote to memory of 1292	1752	net.exe	net1.exe
PID 1744 wrote to memory of 1380	1744	Logo1_.exe	Explorer.EXE
PID 1744 wrote to memory of 1380	1744	Logo1_.exe	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe
"C:\Users\Admin\AppData\Local\Temp\b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
2⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6C6A.bat
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe
"C:\Users\Admin\AppData\Local\Temp\b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a6C6A.bat

Filesize
722B

MD5
aaf956311c505bd78aa1be35db5bfa6a

SHA1
c5e6e9c54c5a643e84eda7590bf3d80133c2941d

SHA256
33878a6f4efdc09fa5f52f8776185a3c7bdfdaab4ffea3ae76d361e55e37c135

SHA512
f0617fcbbf76cb1b97c18c448b5f88a2225a64227a8539c66c20eb563e8fdd25b269be77f8ea439783911c9fd93ca3fb17d4a6b3bd264fddbb973b6d75f808ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe

Filesize
48KB

MD5
166629c324b2e04805d29fffaa1316fa

SHA1
930c3852c5c6c5cffe72c59fe6d52252b748ecfd

SHA256
a51355fd8473371de3f0f1b58a3f772850ad2986fe7b1332de31a48de39ef39a

SHA512
199e9cf3afa4b20805f4be8d9bb8d7ee3c16f88b60c657a995e6ed1d394c258d65ff98f7ebdad6beedbd4563b39024e36198302af16885ae662ac87dd71bc8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe.exe

Filesize
48KB

MD5
166629c324b2e04805d29fffaa1316fa

SHA1
930c3852c5c6c5cffe72c59fe6d52252b748ecfd

SHA256
a51355fd8473371de3f0f1b58a3f772850ad2986fe7b1332de31a48de39ef39a

SHA512
199e9cf3afa4b20805f4be8d9bb8d7ee3c16f88b60c657a995e6ed1d394c258d65ff98f7ebdad6beedbd4563b39024e36198302af16885ae662ac87dd71bc8a4

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
75a24afcfb96fb3c48c074ae8e4210b4

SHA1
c242874177dd5a91cd92d8b55acd7fb457f32b6c

SHA256
61fcd159fb00d6ddcb841b62e2390fa2e6894524fb1d8fb5b12fbbf63d1a8096

SHA512
ec9d16b59d3bc15b0df5d8a86afcb070c31eaf42200e53372c74c3daecee5d0b2ca79a943bcfd0a55b98ff875ba88e3fb4f68149feccf78a5064c172572b4328

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
75a24afcfb96fb3c48c074ae8e4210b4

SHA1
c242874177dd5a91cd92d8b55acd7fb457f32b6c

SHA256
61fcd159fb00d6ddcb841b62e2390fa2e6894524fb1d8fb5b12fbbf63d1a8096

SHA512
ec9d16b59d3bc15b0df5d8a86afcb070c31eaf42200e53372c74c3daecee5d0b2ca79a943bcfd0a55b98ff875ba88e3fb4f68149feccf78a5064c172572b4328

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
75a24afcfb96fb3c48c074ae8e4210b4

SHA1
c242874177dd5a91cd92d8b55acd7fb457f32b6c

SHA256
61fcd159fb00d6ddcb841b62e2390fa2e6894524fb1d8fb5b12fbbf63d1a8096

SHA512
ec9d16b59d3bc15b0df5d8a86afcb070c31eaf42200e53372c74c3daecee5d0b2ca79a943bcfd0a55b98ff875ba88e3fb4f68149feccf78a5064c172572b4328

Download Submit
\Users\Admin\AppData\Local\Temp\b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe

Filesize
48KB

MD5
166629c324b2e04805d29fffaa1316fa

SHA1
930c3852c5c6c5cffe72c59fe6d52252b748ecfd

SHA256
a51355fd8473371de3f0f1b58a3f772850ad2986fe7b1332de31a48de39ef39a

SHA512
199e9cf3afa4b20805f4be8d9bb8d7ee3c16f88b60c657a995e6ed1d394c258d65ff98f7ebdad6beedbd4563b39024e36198302af16885ae662ac87dd71bc8a4

Download Submit
\Users\Admin\AppData\Local\Temp\b177a813bf07327b14058f012afbccf757b73f3722ebc2568f8be0134ad38add.exe

Filesize
48KB

MD5
166629c324b2e04805d29fffaa1316fa

SHA1
930c3852c5c6c5cffe72c59fe6d52252b748ecfd

SHA256
a51355fd8473371de3f0f1b58a3f772850ad2986fe7b1332de31a48de39ef39a

SHA512
199e9cf3afa4b20805f4be8d9bb8d7ee3c16f88b60c657a995e6ed1d394c258d65ff98f7ebdad6beedbd4563b39024e36198302af16885ae662ac87dd71bc8a4

Download Submit
memory/888-54-0x0000000000000000-mapping.dmp

Download
memory/1292-68-0x0000000000000000-mapping.dmp

Download
memory/1296-57-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1296-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1296-70-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1304-65-0x0000000000000000-mapping.dmp

Download
memory/1744-55-0x0000000000000000-mapping.dmp

Download
memory/1744-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1744-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1752-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads