055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95

General

Target

055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe
Size

97KB
MD5

11c5b899bc2eec52ed990a8013e7ef10
SHA1

f6eac0a0cba5ef91708c038a3fb091fc8f34e55b
SHA256

055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95
SHA512

d866efb6c17da9c2a588ed5add29593ebc5a9bf4ecd69d8c3bb33d4a4a2864dc1f81842117558544098fd26e8d86c73b44205f8038bff438c05768b72605e64b
SSDEEP

3072:KDftffjmN+CTlvbhgdgTIMV/Vo7Bsxrkx:qVfjmNL1gd7y0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5012	Logo1_.exe
776	055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe
File created	C:\Windows\Logo1_.exe	055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe
5012	Logo1_.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 5040	1808	055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe	82
PID 1808 wrote to memory of 5040	1808	055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe	82
PID 1808 wrote to memory of 5040	1808	055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe	82
PID 1808 wrote to memory of 5012	1808	055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe	83
PID 1808 wrote to memory of 5012	1808	055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe	83
PID 1808 wrote to memory of 5012	1808	055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe	83
PID 5012 wrote to memory of 4372	5012	Logo1_.exe	85
PID 5012 wrote to memory of 4372	5012	Logo1_.exe	85
PID 5012 wrote to memory of 4372	5012	Logo1_.exe	85
PID 4372 wrote to memory of 3756	4372	net.exe	87
PID 4372 wrote to memory of 3756	4372	net.exe	87
PID 4372 wrote to memory of 3756	4372	net.exe	87
PID 5040 wrote to memory of 776	5040	cmd.exe	88
PID 5040 wrote to memory of 776	5040	cmd.exe	88
PID 5012 wrote to memory of 3164	5012	Logo1_.exe	54
PID 5012 wrote to memory of 3164	5012	Logo1_.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3164
- C:\Users\Admin\AppData\Local\Temp\055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe
  "C:\Users\Admin\AppData\Local\Temp\055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D3E.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe
      "C:\Users\Admin\AppData\Local\Temp\055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe"
      4⤵
      Executes dropped EXE
      PID:776
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a7D3E.bat

Filesize
722B

MD5
54a10dc3b1434b6beca2ddeafc4b8984

SHA1
5a4f72bccf8ce14e5a3056c064839de1f6b0e2e9

SHA256
305f3c63e96819666de5122f6e1cdec1e4dad2c8b82dd50bc3d7b47047a0886d

SHA512
ef84e00611bcd7e75ec73e8663c768a3a76d4ba2cd34f69889c8745fe0672299c94496999e3bc891b8e94586b2e68cb1e7ee00736b9ea03a884f99c396b9eb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe

Filesize
71KB

MD5
12db3a3d8e38797243fbf460a465cdcc

SHA1
8764ae88d483d4580e7edadd145f6e0cacb61d95

SHA256
5eb76f8d21129085c18cfef50c790b95df7d4f371f6bcf2705449e3f972d2bea

SHA512
eec9bd6e0216a895efd4264590f15743e144bb4132b94d662c379a6ae679180df164547caa508f533a7aacbd4c244b7b3b2425717a7a1ebe8564bddf569558a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\055099ebbe7a6a6fceba9cbcbee15df02b7bbd7dd0ea987140fce7df353dff95.exe.exe

Filesize
71KB

MD5
12db3a3d8e38797243fbf460a465cdcc

SHA1
8764ae88d483d4580e7edadd145f6e0cacb61d95

SHA256
5eb76f8d21129085c18cfef50c790b95df7d4f371f6bcf2705449e3f972d2bea

SHA512
eec9bd6e0216a895efd4264590f15743e144bb4132b94d662c379a6ae679180df164547caa508f533a7aacbd4c244b7b3b2425717a7a1ebe8564bddf569558a0

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
ba368f8c05d08e18b8f6665dfa445a38

SHA1
aef67dd8cf4cc4c263aa83ffd71e57399ea8c080

SHA256
eebabcf5f40532ff91cbf026fa8c5e3618c8f3089b754749541c4ca2cfefcfe2

SHA512
2dd56b8be5b530cb408149bac9e5a029dce0b476c5651423691c99f813d35972997471eefbfc39a37891b71367f25c04350bcd3e25183eeda9c9c78e37aa21bd

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
ba368f8c05d08e18b8f6665dfa445a38

SHA1
aef67dd8cf4cc4c263aa83ffd71e57399ea8c080

SHA256
eebabcf5f40532ff91cbf026fa8c5e3618c8f3089b754749541c4ca2cfefcfe2

SHA512
2dd56b8be5b530cb408149bac9e5a029dce0b476c5651423691c99f813d35972997471eefbfc39a37891b71367f25c04350bcd3e25183eeda9c9c78e37aa21bd

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
ba368f8c05d08e18b8f6665dfa445a38

SHA1
aef67dd8cf4cc4c263aa83ffd71e57399ea8c080

SHA256
eebabcf5f40532ff91cbf026fa8c5e3618c8f3089b754749541c4ca2cfefcfe2

SHA512
2dd56b8be5b530cb408149bac9e5a029dce0b476c5651423691c99f813d35972997471eefbfc39a37891b71367f25c04350bcd3e25183eeda9c9c78e37aa21bd

Download Submit
memory/776-18-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/776-19-0x00007FFEF58A0000-0x00007FFEF6241000-memory.dmp

Filesize
9.6MB

Download
memory/776-20-0x00007FFEF58A0000-0x00007FFEF6241000-memory.dmp

Filesize
9.6MB

Download
memory/776-21-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/776-22-0x000000001B710000-0x000000001BBDE000-memory.dmp

Filesize
4.8MB

Download
memory/776-24-0x000000001BC80000-0x000000001BD1C000-memory.dmp

Filesize
624KB

Download
memory/776-25-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/776-26-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/1808-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing