e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a

General

Target

e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe
Size

575KB
MD5

424a3d376fef29b33eb0db07ab1b420a
SHA1

9bc87cc0596eaf218fdd1086fd2cd78e37449f32
SHA256

e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a
SHA512

8ab47253a52d606bafd19a9535245c8769a650093c0520b694ccbd615e4990893eab7939fbdf2dc309dd05753a3255a1a8b0774ba616a8b7b026f4c4881f6c9d
SSDEEP

6144:PVfjmNJbxaxzLu0Xz5WM7z6VVbwbyiKs/HPQhoYewxmQSENzC8Kwgb8:97+J41hz6VVMb0O8c8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3392	Logo1_.exe
4700	e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe
File created	C:\Windows\Logo1_.exe	e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe
3392	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 3232	4772	e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe	82
PID 4772 wrote to memory of 3232	4772	e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe	82
PID 4772 wrote to memory of 3232	4772	e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe	82
PID 4772 wrote to memory of 3392	4772	e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe	84
PID 4772 wrote to memory of 3392	4772	e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe	84
PID 4772 wrote to memory of 3392	4772	e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe	84
PID 3392 wrote to memory of 3984	3392	Logo1_.exe	85
PID 3392 wrote to memory of 3984	3392	Logo1_.exe	85
PID 3392 wrote to memory of 3984	3392	Logo1_.exe	85
PID 3984 wrote to memory of 3420	3984	net.exe	87
PID 3984 wrote to memory of 3420	3984	net.exe	87
PID 3984 wrote to memory of 3420	3984	net.exe	87
PID 3232 wrote to memory of 4700	3232	cmd.exe	88
PID 3232 wrote to memory of 4700	3232	cmd.exe	88
PID 3232 wrote to memory of 4700	3232	cmd.exe	88
PID 3392 wrote to memory of 2620	3392	Logo1_.exe	68
PID 3392 wrote to memory of 2620	3392	Logo1_.exe	68

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2620
- C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe
  "C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9E93.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe
      "C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe"
      4⤵
      Executes dropped EXE
      PID:4700
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a9E93.bat

Filesize
722B

MD5
b53faff9aa8f7bca56f9077a78749cef

SHA1
5976dd46209c09a5c333350798e71ff512c010ff

SHA256
b8e743afc48b1ac0add92c986004e55c60c5e57209493b19552e7ff6632c6144

SHA512
44bead508a869122c2d920d4250e04845df82d145df9387c55d1f7749b03cf1c1b417d359e9fc44926e947039538cd1594d4453770a0bcb4835bcf9e493083b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe

Filesize
549KB

MD5
3f60ff27fa222e95795f6a15514f6af9

SHA1
fe89d4dd69fe3b0bb824928f4c93be0c3c951dd0

SHA256
ff48f7e1b80e7d20d8daa44a6f4d6acc248e6c65bec0d0f81ff7e8961b3dd4de

SHA512
ed25c588300bd9a6fcbf5ff4e48710a571d0637cb2c2cf599708bffab4cac1e8ad997b4214bcdc31dbcadbf3da12d13571feab3af2d8a72b6370a18b4aa7a3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8972788991eda9e3d2145eca63c4a1082adb3db8a45f40aa46fc13f6834961a.exe.exe

Filesize
549KB

MD5
3f60ff27fa222e95795f6a15514f6af9

SHA1
fe89d4dd69fe3b0bb824928f4c93be0c3c951dd0

SHA256
ff48f7e1b80e7d20d8daa44a6f4d6acc248e6c65bec0d0f81ff7e8961b3dd4de

SHA512
ed25c588300bd9a6fcbf5ff4e48710a571d0637cb2c2cf599708bffab4cac1e8ad997b4214bcdc31dbcadbf3da12d13571feab3af2d8a72b6370a18b4aa7a3bf

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
c6492befa5393b1a32402e84331b39ff

SHA1
c0958e4984463d37d236c5d4f2bad8bea5deeb96

SHA256
3cc6397951b24e26f6239d575174708ff1e13eb29492ee1de79ed3bb4c1d0030

SHA512
52c11947409c435e28f62ddb08124a4e027db0bf89460c3d2d569c7958fece03bbda9750f5a79a066c2dba7ecca4692eb09a340ebc893e58234a1bf1018de2a0

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
c6492befa5393b1a32402e84331b39ff

SHA1
c0958e4984463d37d236c5d4f2bad8bea5deeb96

SHA256
3cc6397951b24e26f6239d575174708ff1e13eb29492ee1de79ed3bb4c1d0030

SHA512
52c11947409c435e28f62ddb08124a4e027db0bf89460c3d2d569c7958fece03bbda9750f5a79a066c2dba7ecca4692eb09a340ebc893e58234a1bf1018de2a0

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
c6492befa5393b1a32402e84331b39ff

SHA1
c0958e4984463d37d236c5d4f2bad8bea5deeb96

SHA256
3cc6397951b24e26f6239d575174708ff1e13eb29492ee1de79ed3bb4c1d0030

SHA512
52c11947409c435e28f62ddb08124a4e027db0bf89460c3d2d569c7958fece03bbda9750f5a79a066c2dba7ecca4692eb09a340ebc893e58234a1bf1018de2a0

Download Submit
memory/3392-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing