8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e

General

Target

8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe
Size

1.3MB
MD5

0dc6ccbce2a064132dd5674157e5b7c7
SHA1

7e082f0f8d08b94fac8e5f89da7998c7552c8507
SHA256

8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e
SHA512

a8184d0e8d1c5d0c94570f6523554cee617d5cec9d955ea38d06d347c8b167792bc83e9c8716c4cc55ad43409efc55f5e186fa4a720ffe8ad4fdb6d697e6151b
SSDEEP

24576:e7f2UHT+4Zi8Qopici4gpSqnbz5xfyASahVXqV6aOdCsWh88YaXag:e7f2++4w8TptyHnbz5fS6XqV6a4CsWYA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3276	Logo1_.exe
1896	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe
4624	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.tmp

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe
File created	C:\Windows\Logo1_.exe	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3276	Logo1_.exe
3276	Logo1_.exe
3276	Logo1_.exe
3276	Logo1_.exe
3276	Logo1_.exe
3276	Logo1_.exe
3276	Logo1_.exe
3276	Logo1_.exe
3276	Logo1_.exe
3276	Logo1_.exe
3276	Logo1_.exe
3276	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 3348	1812	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe	80
PID 1812 wrote to memory of 3348	1812	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe	80
PID 1812 wrote to memory of 3348	1812	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe	80
PID 1812 wrote to memory of 3276	1812	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe	81
PID 1812 wrote to memory of 3276	1812	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe	81
PID 1812 wrote to memory of 3276	1812	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe	81
PID 3276 wrote to memory of 3828	3276	Logo1_.exe	83
PID 3276 wrote to memory of 3828	3276	Logo1_.exe	83
PID 3276 wrote to memory of 3828	3276	Logo1_.exe	83
PID 3828 wrote to memory of 5112	3828	net.exe	85
PID 3828 wrote to memory of 5112	3828	net.exe	85
PID 3828 wrote to memory of 5112	3828	net.exe	85
PID 3348 wrote to memory of 1896	3348	cmd.exe	86
PID 3348 wrote to memory of 1896	3348	cmd.exe	86
PID 3348 wrote to memory of 1896	3348	cmd.exe	86
PID 1896 wrote to memory of 4624	1896	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe	87
PID 1896 wrote to memory of 4624	1896	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe	87
PID 1896 wrote to memory of 4624	1896	8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe	87

C:\Users\Admin\AppData\Local\Temp\8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe
"C:\Users\Admin\AppData\Local\Temp\8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE222.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Users\Admin\AppData\Local\Temp\8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe
    "C:\Users\Admin\AppData\Local\Temp\8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\is-N2P7J.tmp\8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-N2P7J.tmp\8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.tmp" /SL5="$C003C,1084492,53248,C:\Users\Admin\AppData\Local\Temp\8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe"
      4⤵
      Executes dropped EXE
      PID:4624
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aE222.bat

Filesize
722B

MD5
3a114c6b2df4b02985e4390a728cc205

SHA1
4541689a19fd71db86e7b6224e01db5555b01ffd

SHA256
c0e83919ccd1b11078c2b615d34f4e7bdbfd5aae729f3a97c86113a070816134

SHA512
a6e8e772cd6ec80214db6b45f7cac2d8c44499b57d3dd2ce2130de744ae03ab2381f3fe0949ab23b890948ac1a8db107933ff6498d2a4d23a51205e364e31f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe

Filesize
1.3MB

MD5
1b9e019f5999b56e2231d1d2542f75f9

SHA1
9e38f15d1c458293d514c4797d36de379549211c

SHA256
ddf4cbb96b00b6ec558de523ce3fc5f7bf2c7c18384517d5f1d050f1e35d6bdf

SHA512
16c5ef5c9eeffe8117f3617f2738aa6524592f0797e6a1d539bbbb5a6a5b9f1f0ea1dd5e9c41ede5bfcb8817731cc4d080be4abe0b726d60b132897e08a635b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.exe.exe

Filesize
1.3MB

MD5
1b9e019f5999b56e2231d1d2542f75f9

SHA1
9e38f15d1c458293d514c4797d36de379549211c

SHA256
ddf4cbb96b00b6ec558de523ce3fc5f7bf2c7c18384517d5f1d050f1e35d6bdf

SHA512
16c5ef5c9eeffe8117f3617f2738aa6524592f0797e6a1d539bbbb5a6a5b9f1f0ea1dd5e9c41ede5bfcb8817731cc4d080be4abe0b726d60b132897e08a635b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N2P7J.tmp\8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N2P7J.tmp\8b583044a4762ebcbe44d07ed6f0c5f3c804b38fa62df3c3bde147636cb8ba3e.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
8f05c081e198827d9c8abe69c3d35c62

SHA1
314dab16c5d26bd815f2c0eafd52ce2718ad24e6

SHA256
a25a78c65d46af9ef2e7bd5334f7f964e00640041131293b705531474b14ca02

SHA512
15364d28aaf53b3a92392ab318ad24f00399b08ba744c5fb625aad45f011dbd893b6542dee5285ccbc872f5e6356f77026086c0bfd7325988581cedddeae1aa4

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
8f05c081e198827d9c8abe69c3d35c62

SHA1
314dab16c5d26bd815f2c0eafd52ce2718ad24e6

SHA256
a25a78c65d46af9ef2e7bd5334f7f964e00640041131293b705531474b14ca02

SHA512
15364d28aaf53b3a92392ab318ad24f00399b08ba744c5fb625aad45f011dbd893b6542dee5285ccbc872f5e6356f77026086c0bfd7325988581cedddeae1aa4

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
8f05c081e198827d9c8abe69c3d35c62

SHA1
314dab16c5d26bd815f2c0eafd52ce2718ad24e6

SHA256
a25a78c65d46af9ef2e7bd5334f7f964e00640041131293b705531474b14ca02

SHA512
15364d28aaf53b3a92392ab318ad24f00399b08ba744c5fb625aad45f011dbd893b6542dee5285ccbc872f5e6356f77026086c0bfd7325988581cedddeae1aa4

Download Submit
memory/1812-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3276-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing