6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f

General

Target

6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe
Size

751KB
MD5

293bfccd25b23eeef29920ef1f6b7276
SHA1

264833a8cf7930c7a4488caa95b16496e79c77f0
SHA256

6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f
SHA512

c8310ca9023b90409843285d1651d6a10acecda57de16f8a95049c6c707449ad1e06c3b60fdc7d446b2e20c2b398e8d0e8516a5fed3578633661ed667e251e77
SSDEEP

12288:iPOmVOkVx4x2aSqcvxoK/VlvUVbrbh1fBuFTrTU4+N+JHpgRUyazgO3/mPFYUkD:iRVx4x2aSqc5EVkTrwAJJ4Uya0TYUkD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe

pid process

1184 Logo1_.exe
1884 6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 63 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	Logo1_.exe
File created	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe
File created	C:\Windows\Logo1_.exe	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Logo1_.exe

pid	process
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe
1184	Logo1_.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe

pid process

1884 6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe

pid process

1884 6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe

pid	process
1884	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe

pid	process
1884	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exeLogo1_.execmd.exenet.exe

description	pid	process	target process
PID 2652 wrote to memory of 4944	2652	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe	cmd.exe
PID 2652 wrote to memory of 4944	2652	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe	cmd.exe
PID 2652 wrote to memory of 4944	2652	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe	cmd.exe
PID 2652 wrote to memory of 1184	2652	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe	Logo1_.exe
PID 2652 wrote to memory of 1184	2652	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe	Logo1_.exe
PID 2652 wrote to memory of 1184	2652	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe	Logo1_.exe
PID 1184 wrote to memory of 3144	1184	Logo1_.exe	net.exe
PID 1184 wrote to memory of 3144	1184	Logo1_.exe	net.exe
PID 1184 wrote to memory of 3144	1184	Logo1_.exe	net.exe
PID 4944 wrote to memory of 1884	4944	cmd.exe	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe
PID 4944 wrote to memory of 1884	4944	cmd.exe	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe
PID 4944 wrote to memory of 1884	4944	cmd.exe	6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe
PID 3144 wrote to memory of 2992	3144	net.exe	net1.exe
PID 3144 wrote to memory of 2992	3144	net.exe	net1.exe
PID 3144 wrote to memory of 2992	3144	net.exe	net1.exe
PID 1184 wrote to memory of 1132	1184	Logo1_.exe	Explorer.EXE
PID 1184 wrote to memory of 1132	1184	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe
"C:\Users\Admin\AppData\Local\Temp\6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6B91.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe
"C:\Users\Admin\AppData\Local\Temp\6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1884

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a6B91.bat
Filesize
722B

MD5
61b35d46ce04256cdc6d5658a06ab5ce

SHA1
b66437c490561b88b35b296d06a9a4d6b8137991

SHA256
361b27e0a25dee6c0e05fd899c044b4ba716f31b51f7feebef2c3c0e77bf9a83

SHA512
3f933109e0b9d691101c57946ebe581193b8933cff9f86c06dab124259616fe30ada53c565717adbf601fca099e76c1c2df1bb1725e8567f1104f332aa9a91eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe
Filesize
721KB

MD5
1c1c6abbc3408a373c731ec3f41eae16

SHA1
55eb7aa906668aaac125327a34ee12e51991ce8f

SHA256
bda7a5a5f6eca4c51a8666d7c1f9de9d4590ea38f6fd85baeb251824b9674562

SHA512
f15c4c7ec3f99de0a45655f182d0db162d724537c4d9faac760d6c371a0a06e1476ad9021c981f2511d21952ec33c84b17adcc93956b9e3812df8a3eeab93dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6eaeb1b4d55e825c59eb5b21c5e73ce942caf108efea2f1935fd031fc52c566f.exe.exe
Filesize
721KB

MD5
1c1c6abbc3408a373c731ec3f41eae16

SHA1
55eb7aa906668aaac125327a34ee12e51991ce8f

SHA256
bda7a5a5f6eca4c51a8666d7c1f9de9d4590ea38f6fd85baeb251824b9674562

SHA512
f15c4c7ec3f99de0a45655f182d0db162d724537c4d9faac760d6c371a0a06e1476ad9021c981f2511d21952ec33c84b17adcc93956b9e3812df8a3eeab93dbd

Download Submit
C:\Windows\Logo1_.exe
Filesize
29KB

MD5
df3057b4c462bfec37b55490816a017f

SHA1
4a6c3b5417790f8461b6f570d5ba2acff85a99d9

SHA256
88dd8dc62fb4a16383e6c2bcafa63b7581d5725bc8ef56adc4809364534856e9

SHA512
0bc927ee3b61b90c659a51f7ad5481c6b2d4f432ab76c648e394015f27a529d119b8ebc66667d31103d36653440cdb7d7da7541e65f7eca1fea3f90377c08ed0

Download Submit
C:\Windows\Logo1_.exe
Filesize
29KB

MD5
df3057b4c462bfec37b55490816a017f

SHA1
4a6c3b5417790f8461b6f570d5ba2acff85a99d9

SHA256
88dd8dc62fb4a16383e6c2bcafa63b7581d5725bc8ef56adc4809364534856e9

SHA512
0bc927ee3b61b90c659a51f7ad5481c6b2d4f432ab76c648e394015f27a529d119b8ebc66667d31103d36653440cdb7d7da7541e65f7eca1fea3f90377c08ed0

Download Submit
C:\Windows\rundl132.exe
Filesize
29KB

MD5
df3057b4c462bfec37b55490816a017f

SHA1
4a6c3b5417790f8461b6f570d5ba2acff85a99d9

SHA256
88dd8dc62fb4a16383e6c2bcafa63b7581d5725bc8ef56adc4809364534856e9

SHA512
0bc927ee3b61b90c659a51f7ad5481c6b2d4f432ab76c648e394015f27a529d119b8ebc66667d31103d36653440cdb7d7da7541e65f7eca1fea3f90377c08ed0

Download Submit
memory/1184-135-0x0000000000000000-mapping.dmp

Download
memory/1184-137-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1884-143-0x0000000000000000-mapping.dmp

Download
memory/2652-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-145-0x0000000000000000-mapping.dmp

Download
memory/3144-142-0x0000000000000000-mapping.dmp

Download
memory/4944-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads