8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1

Analysis

max time kernel
187s
max time network
179s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
Size

176KB
MD5

42fd0d4290c7f7e662645845df5a6fa0
SHA1

0c378139d3a2ed03dfe87039f6eb608a2fc91783
SHA256

8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1
SHA512

6aebff25032b4864d7968c196c6682044f8bd49da2db05c067b64f9522b9166bc92db9f837dc68992625167d6823bb02c6bce294f0b48ff801eb8cfb250237e2
SSDEEP

3072:pjkuJVLEQIURTXJaOuxR8E6GmEWvWVBZbPwP8EYzcnhDSyXAKP:quJes8bR8EJAvWHxo0JkuY

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Logo1_.exe8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exedownloadtool.exeW.P.S.4994.50.316.exe

pid process

1344 Logo1_.exe
1424 8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
1324 downloadtool.exe
996 W.P.S.4994.50.316.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

604 cmd.exe

Loads dropped DLL 5 IoCs

Processes:

cmd.exe8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exedownloadtool.exeW.P.S.4994.50.316.exe

pid	process
604	cmd.exe
1424	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
1324	downloadtool.exe
996	W.P.S.4994.50.316.exe
996	W.P.S.4994.50.316.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
File created	C:\Windows\Logo1_.exe	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\W.P.S.4994.50.316.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\W.P.S.4994.50.316.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\W.P.S.4994.50.316.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\W.P.S.4994.50.316.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\W.P.S.4994.50.316.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\W.P.S.4994.50.316.exe	nsis_installer_2

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Logo1_.exeW.P.S.4994.50.316.exe

pid	process
1344	Logo1_.exe
1344	Logo1_.exe
1344	Logo1_.exe
1344	Logo1_.exe
1344	Logo1_.exe
1344	Logo1_.exe
1344	Logo1_.exe
1344	Logo1_.exe
1344	Logo1_.exe
1344	Logo1_.exe
996	W.P.S.4994.50.316.exe
996	W.P.S.4994.50.316.exe
996	W.P.S.4994.50.316.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.execmd.exeLogo1_.exenet.exe8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exedownloadtool.exe

description	pid	process	target process
PID 576 wrote to memory of 604	576	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	cmd.exe
PID 576 wrote to memory of 604	576	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	cmd.exe
PID 576 wrote to memory of 604	576	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	cmd.exe
PID 576 wrote to memory of 604	576	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	cmd.exe
PID 576 wrote to memory of 1344	576	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	Logo1_.exe
PID 576 wrote to memory of 1344	576	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	Logo1_.exe
PID 576 wrote to memory of 1344	576	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	Logo1_.exe
PID 576 wrote to memory of 1344	576	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	Logo1_.exe
PID 604 wrote to memory of 1424	604	cmd.exe	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
PID 604 wrote to memory of 1424	604	cmd.exe	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
PID 604 wrote to memory of 1424	604	cmd.exe	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
PID 604 wrote to memory of 1424	604	cmd.exe	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
PID 1344 wrote to memory of 560	1344	Logo1_.exe	net.exe
PID 1344 wrote to memory of 560	1344	Logo1_.exe	net.exe
PID 1344 wrote to memory of 560	1344	Logo1_.exe	net.exe
PID 1344 wrote to memory of 560	1344	Logo1_.exe	net.exe
PID 560 wrote to memory of 1628	560	net.exe	net1.exe
PID 560 wrote to memory of 1628	560	net.exe	net1.exe
PID 560 wrote to memory of 1628	560	net.exe	net1.exe
PID 560 wrote to memory of 1628	560	net.exe	net1.exe
PID 1424 wrote to memory of 1324	1424	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	downloadtool.exe
PID 1424 wrote to memory of 1324	1424	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	downloadtool.exe
PID 1424 wrote to memory of 1324	1424	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	downloadtool.exe
PID 1424 wrote to memory of 1324	1424	8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe	downloadtool.exe
PID 1344 wrote to memory of 1252	1344	Logo1_.exe	Explorer.EXE
PID 1344 wrote to memory of 1252	1344	Logo1_.exe	Explorer.EXE
PID 1324 wrote to memory of 996	1324	downloadtool.exe	W.P.S.4994.50.316.exe
PID 1324 wrote to memory of 996	1324	downloadtool.exe	W.P.S.4994.50.316.exe
PID 1324 wrote to memory of 996	1324	downloadtool.exe	W.P.S.4994.50.316.exe
PID 1324 wrote to memory of 996	1324	downloadtool.exe	W.P.S.4994.50.316.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
"C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA304.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe
"C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\downloadtool.exe
"C:\Users\Admin\AppData\Local\Temp\downloadtool.exe" -base64="pvVhTdQR/SCBM075+PQinh5Yo22gAT0qGiGozVyd/xV6A7GNHSDUrw37tPYtv1xaV3w3hf0xfkjD4n4LjuGemLQ4YIQIDIC7Yp+C615K+KwIEXJ2/qUbMHgnkQVZav+2LJJNCD6D/5/pAJ0csy7NC3cP3SaHhcssowba2QfSBtn/qmFtEa/DF7oeLwF9WxcuTdQZntCTZNIdPS6JZdAK7b2TwFLxry2EZixJy7QeGXXrej4nZqwiHTvotFjqcem2FKIvIRFhtyTaGQgJ484c0g+LeX3w3ZqGHfsDhrCCNY445PV2Q3DKKCPrFs0ygrxLYWPz1eNTJnGIGsk5Ls+hASDldgSix5mWKmLpNR/AfipvIg=="
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\W.P.S.4994.50.316.exe
"C:\Users\Admin\AppData\Local\Temp\W.P.S.4994.50.316.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aA304.bat

Filesize
722B

MD5
2990cf4f697ac90e6c3f44317b47e609

SHA1
10dc7a9a5a53e7ff25f46826ac4e187084a524fa

SHA256
b992bfedfc3a10005d63c77cf264024672a22a7d0de6ede7479fb2c477e7310c

SHA512
f1ec0ad88eac85c42fa268f869524306765de13824d2adf98d23b0b840fd201a60053a30c19ff73d9d3a951b1fe1b7d9d7418812941bd8e6e008b8a6f4768e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe

Filesize
147KB

MD5
5f11c33466fc6f27425304309ee2275e

SHA1
18f77ebfd8e24a085f3179772c1c0b72f8af86d1

SHA256
b6b71fcab1aaf44994b110f5a357c13cd60adafce39abfbbf43e26ec641a687d

SHA512
4580f3c4ef0f0a3e36636eabccc387bfdbece5410815d9cd42f68b66664c79a8c554ddb9b83a945526d381ff8965a3b2411018b44703cd1d1913deeeab0c83e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe.exe

Filesize
147KB

MD5
5f11c33466fc6f27425304309ee2275e

SHA1
18f77ebfd8e24a085f3179772c1c0b72f8af86d1

SHA256
b6b71fcab1aaf44994b110f5a357c13cd60adafce39abfbbf43e26ec641a687d

SHA512
4580f3c4ef0f0a3e36636eabccc387bfdbece5410815d9cd42f68b66664c79a8c554ddb9b83a945526d381ff8965a3b2411018b44703cd1d1913deeeab0c83e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\W.P.S.4994.50.316.exe

Filesize
99.2MB

MD5
f3702a845717d2e7667e7cedcd262774

SHA1
4f81a28ca62082340ce576f5bd38066a2ae80dae

SHA256
759e355c6f76ec842ed682887127e07c16b1e46104938c26cdfbd5910f8ceeab

SHA512
d309caa4504def08b76c53108cf784a3514c359e1a626221f6fcf34dac8d1b1313b050a259fc30aca8a356b276c91e08273a2173e6146882d5b29ad5703dd83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\W.P.S.4994.50.316.exe

Filesize
99.2MB

MD5
f3702a845717d2e7667e7cedcd262774

SHA1
4f81a28ca62082340ce576f5bd38066a2ae80dae

SHA256
759e355c6f76ec842ed682887127e07c16b1e46104938c26cdfbd5910f8ceeab

SHA512
d309caa4504def08b76c53108cf784a3514c359e1a626221f6fcf34dac8d1b1313b050a259fc30aca8a356b276c91e08273a2173e6146882d5b29ad5703dd83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloadtool.exe

Filesize
173KB

MD5
0d2dff1c62944e10a4ec6fbad168669c

SHA1
86da2e70b2765c4dafc505c413b85b97ceadd527

SHA256
9efb0d906ebafc6bcff30c593447c00745e4d12491e3d244867b63ddf0e16b5f

SHA512
8a590687ea01ed34bf92115b2f69325cd86fd23fc5919fed2bcdb59d432a739a996cf8e50fe376bc96aec61febd5523b780f9718ec5e8d68810e5aa85c33d37b

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
a1b322adec9e24c57893d69cda3e902b

SHA1
49a27c87c427d8a12b1147c6456a6261a77b7752

SHA256
904ac84ac8d2eb8433616b3c556f8e903864cd40c3e2421021a3282d517364e2

SHA512
cf08417569f84e2806fdb82fa2d370a84ebe98fc41a741f8927f61425bf7aac5ee4eb31131c7a9bd33c7a38fd7580f8f9f868648c8e73e0e4b4fb76cfa0018b8

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
a1b322adec9e24c57893d69cda3e902b

SHA1
49a27c87c427d8a12b1147c6456a6261a77b7752

SHA256
904ac84ac8d2eb8433616b3c556f8e903864cd40c3e2421021a3282d517364e2

SHA512
cf08417569f84e2806fdb82fa2d370a84ebe98fc41a741f8927f61425bf7aac5ee4eb31131c7a9bd33c7a38fd7580f8f9f868648c8e73e0e4b4fb76cfa0018b8

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
a1b322adec9e24c57893d69cda3e902b

SHA1
49a27c87c427d8a12b1147c6456a6261a77b7752

SHA256
904ac84ac8d2eb8433616b3c556f8e903864cd40c3e2421021a3282d517364e2

SHA512
cf08417569f84e2806fdb82fa2d370a84ebe98fc41a741f8927f61425bf7aac5ee4eb31131c7a9bd33c7a38fd7580f8f9f868648c8e73e0e4b4fb76cfa0018b8

Download Submit
\Users\Admin\AppData\Local\Temp\8296ba41c549570ee2e06e27e7b9b976fac292ab56063430bbb6407ef866acb1.exe

Filesize
147KB

MD5
5f11c33466fc6f27425304309ee2275e

SHA1
18f77ebfd8e24a085f3179772c1c0b72f8af86d1

SHA256
b6b71fcab1aaf44994b110f5a357c13cd60adafce39abfbbf43e26ec641a687d

SHA512
4580f3c4ef0f0a3e36636eabccc387bfdbece5410815d9cd42f68b66664c79a8c554ddb9b83a945526d381ff8965a3b2411018b44703cd1d1913deeeab0c83e3

Download Submit
\Users\Admin\AppData\Local\Temp\W.P.S.4994.50.316.exe

Filesize
99.2MB

MD5
f3702a845717d2e7667e7cedcd262774

SHA1
4f81a28ca62082340ce576f5bd38066a2ae80dae

SHA256
759e355c6f76ec842ed682887127e07c16b1e46104938c26cdfbd5910f8ceeab

SHA512
d309caa4504def08b76c53108cf784a3514c359e1a626221f6fcf34dac8d1b1313b050a259fc30aca8a356b276c91e08273a2173e6146882d5b29ad5703dd83d

Download Submit
\Users\Admin\AppData\Local\Temp\downloadtool.exe

Filesize
173KB

MD5
0d2dff1c62944e10a4ec6fbad168669c

SHA1
86da2e70b2765c4dafc505c413b85b97ceadd527

SHA256
9efb0d906ebafc6bcff30c593447c00745e4d12491e3d244867b63ddf0e16b5f

SHA512
8a590687ea01ed34bf92115b2f69325cd86fd23fc5919fed2bcdb59d432a739a996cf8e50fe376bc96aec61febd5523b780f9718ec5e8d68810e5aa85c33d37b

Download Submit
\Users\Admin\AppData\Local\Temp\nszA112.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nszA112.tmp\v6svc_oem.dll

Filesize
192KB

MD5
500318167948bdd3ad42a40721e1a72b

SHA1
24134691693e6d78d6eb0a0c64833c12a0090968

SHA256
d3378ee739debcaee8c715963403d96bf025db98bfbb55e54635429890db85c6

SHA512
0a2d3b55528cc53cfce5b47158997300c562afd2c7bb5596532b218d3f482380887ee7c204b13d42425dc0c4cc439a7f9ed167f3767bda7b6e205e7e8f454863

Download Submit
memory/560-66-0x0000000000000000-mapping.dmp

Download
memory/576-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/604-54-0x0000000000000000-mapping.dmp

Download
memory/996-75-0x0000000000000000-mapping.dmp

Download
memory/1324-70-0x0000000000000000-mapping.dmp

Download
memory/1344-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1344-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1344-55-0x0000000000000000-mapping.dmp

Download
memory/1424-65-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1424-63-0x0000000000000000-mapping.dmp

Download
memory/1628-67-0x0000000000000000-mapping.dmp

Download