4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b

General

Target

4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe
Size

298KB
MD5

5b861b390e8f4e218e39c7763c422b1a
SHA1

a194287f9f67b360a9ad6ac062e944530d4778b0
SHA256

4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b
SHA512

b8f1c1ab672ac425d6956c95858089bfa1e51636f8c35c51c5d7626a78be8a748ef3221756fff6ceaa17ce85d8a2c1d579c64573081d0069dbc99df7c1d9f45b
SSDEEP

6144:DVfjmNrbUARyUgzPcLactVks94DJ9TBA3QvE:Z7+rlwUAPDsyLDJ9TagvE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4232	Logo1_.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe
File created	C:\Windows\Logo1_.exe	4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4232	Logo1_.exe
4232	Logo1_.exe
4232	Logo1_.exe
4232	Logo1_.exe
4232	Logo1_.exe
4232	Logo1_.exe
4232	Logo1_.exe
4232	Logo1_.exe
4232	Logo1_.exe
4232	Logo1_.exe
4232	Logo1_.exe
4232	Logo1_.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 5044	4604	4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe	86
PID 4604 wrote to memory of 5044	4604	4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe	86
PID 4604 wrote to memory of 5044	4604	4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe	86
PID 4604 wrote to memory of 4232	4604	4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe	88
PID 4604 wrote to memory of 4232	4604	4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe	88
PID 4604 wrote to memory of 4232	4604	4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe	88
PID 4232 wrote to memory of 4056	4232	Logo1_.exe	90
PID 4232 wrote to memory of 4056	4232	Logo1_.exe	90
PID 4232 wrote to memory of 4056	4232	Logo1_.exe	90
PID 4056 wrote to memory of 3044	4056	net.exe	91
PID 4056 wrote to memory of 3044	4056	net.exe	91
PID 4056 wrote to memory of 3044	4056	net.exe	91

C:\Users\Admin\AppData\Local\Temp\4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe
"C:\Users\Admin\AppData\Local\Temp\4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E96.bat
  2⤵
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe
    "C:\Users\Admin\AppData\Local\Temp\4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe"
    3⤵
    PID:1192
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a7E96.bat

Filesize
722B

MD5
365d6668a8f9b69c8691389bb7cef5b3

SHA1
06b7b8afc988b8e6fc6a133280c3a8ca59ad9fc4

SHA256
a32347234a7d39bd422c5b7bd8a1b99002938f7fbc0b0f58931a17bca4f9a29a

SHA512
ee5c550f8a65e34f8b83558278989878b8423f048a7c9e3cc774e422dc1565c67b2103ddcc8f22ef09b554d314f167a8184ab930f0fdb3859d539d68551968d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe

Filesize
271KB

MD5
63475fca261f68f0d42c9372f9a77308

SHA1
e1ab1002db6723da4cdd0ebd5952ad21c41b9a72

SHA256
77d1bb014061f82e7dbb4038d062edff4cd961414283694ba5cb10386867b0f4

SHA512
520689f8013607ff0a275d8437b6c089819f53134a029f656f8ae550985b20170d1386a8017799630f39e08bb7f79326725a78bf1256b04ce3e0d22706c96d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e4781721a8790307d7d001c31a10e7a1c18ad114cdbe869c85042100b8ce86b.exe.exe

Filesize
271KB

MD5
63475fca261f68f0d42c9372f9a77308

SHA1
e1ab1002db6723da4cdd0ebd5952ad21c41b9a72

SHA256
77d1bb014061f82e7dbb4038d062edff4cd961414283694ba5cb10386867b0f4

SHA512
520689f8013607ff0a275d8437b6c089819f53134a029f656f8ae550985b20170d1386a8017799630f39e08bb7f79326725a78bf1256b04ce3e0d22706c96d96

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
7aa3f7d0ddde37d1ba8a81eb45ae6238

SHA1
f6cfaf6008198edfb624e959404928c0fd860d5c

SHA256
8aee1ead2b934856107773de256c27c38118249a07a88e5f3fb0e710f61f4fc8

SHA512
5440020514ad92a5c52113cfd5077dd012cb0605530140a582d55a828d9b626cbc809593f1400685b1109f17e98e5f03e0e228ebca1ec19bf09430ce2fa11061

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
7aa3f7d0ddde37d1ba8a81eb45ae6238

SHA1
f6cfaf6008198edfb624e959404928c0fd860d5c

SHA256
8aee1ead2b934856107773de256c27c38118249a07a88e5f3fb0e710f61f4fc8

SHA512
5440020514ad92a5c52113cfd5077dd012cb0605530140a582d55a828d9b626cbc809593f1400685b1109f17e98e5f03e0e228ebca1ec19bf09430ce2fa11061

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
7aa3f7d0ddde37d1ba8a81eb45ae6238

SHA1
f6cfaf6008198edfb624e959404928c0fd860d5c

SHA256
8aee1ead2b934856107773de256c27c38118249a07a88e5f3fb0e710f61f4fc8

SHA512
5440020514ad92a5c52113cfd5077dd012cb0605530140a582d55a828d9b626cbc809593f1400685b1109f17e98e5f03e0e228ebca1ec19bf09430ce2fa11061

Download Submit
memory/4232-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing