05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc

General

Target

05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe
Size

46KB
MD5

a0fd01f24873453478058ce633230b90
SHA1

51f78599b7aec2d127cf5b1bbe68f5e70f95a4e3
SHA256

05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc
SHA512

84f3b2482acf9770434625aaf6be046fa6a72746b7f2db439b27c19b88faf4b99ffc82453340f337c9ab0f35f32374429a69df3a9fbf5c92cfbd3e72049357cc
SSDEEP

768:7Y1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL+JjW5oB1blL3d/o+S:7KfgLdQAQfcfymNKNW5oBplR/o3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4052	Logo1_.exe
4704	05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\rundl132.exe	05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe
File created	C:\Windows\Logo1_.exe	05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4052	Logo1_.exe
4052	Logo1_.exe
4052	Logo1_.exe
4052	Logo1_.exe
4052	Logo1_.exe
4052	Logo1_.exe
4052	Logo1_.exe
4052	Logo1_.exe
4052	Logo1_.exe
4052	Logo1_.exe
4052	Logo1_.exe
4052	Logo1_.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 872	3332	05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe	85
PID 3332 wrote to memory of 872	3332	05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe	85
PID 3332 wrote to memory of 872	3332	05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe	85
PID 3332 wrote to memory of 4052	3332	05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe	86
PID 3332 wrote to memory of 4052	3332	05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe	86
PID 3332 wrote to memory of 4052	3332	05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe	86
PID 4052 wrote to memory of 4808	4052	Logo1_.exe	88
PID 4052 wrote to memory of 4808	4052	Logo1_.exe	88
PID 4052 wrote to memory of 4808	4052	Logo1_.exe	88
PID 4808 wrote to memory of 1836	4808	net.exe	90
PID 4808 wrote to memory of 1836	4808	net.exe	90
PID 4808 wrote to memory of 1836	4808	net.exe	90
PID 872 wrote to memory of 4704	872	cmd.exe	91
PID 872 wrote to memory of 4704	872	cmd.exe	91
PID 872 wrote to memory of 4704	872	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe
"C:\Users\Admin\AppData\Local\Temp\05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E09.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe
    "C:\Users\Admin\AppData\Local\Temp\05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe"
    3⤵
    - Executes dropped EXE
    PID:4704
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a7E09.bat

Filesize
722B

MD5
5c38b5a8b4785b7a3452318325d12bbc

SHA1
05cea9bd84a0f76f28ffbddcb182eb2cea033bec

SHA256
c65091c7fb4ac698096d40799b2fd75d5441aa66ed89d54479535a1e959f4d60

SHA512
30511b41e7504e6dcb5f6b48f7e4285e2e736665c0d980a92ced190f18086fcdaf06763e36dfe8ac14aba432fe125d8a18b808fbd378e2b140b5b9b07547ec29

Download Submit
C:\Users\Admin\AppData\Local\Temp\05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe

Filesize
19KB

MD5
b5cffc5aa0a876d606e0bb8714bc32d4

SHA1
d14ea2881031ac3fffead469451a342108af86f0

SHA256
497f26fa64618bc336716fbf39378bcb63631c389276dd678b28e1e1359f3814

SHA512
a5d9143b14405ddcac1dc9d8a16e3aa3fa65fb57ba193c7a27f6b51bb77995e0ca8c8f6d7a66da43b426d5dbfbf96e0454448774ce33f4f7c1e39b325006d26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\05a764e937591a777200e3275d552f89ae8c525a9a55fb164e609c42b05ff6fc.exe.exe

Filesize
19KB

MD5
b5cffc5aa0a876d606e0bb8714bc32d4

SHA1
d14ea2881031ac3fffead469451a342108af86f0

SHA256
497f26fa64618bc336716fbf39378bcb63631c389276dd678b28e1e1359f3814

SHA512
a5d9143b14405ddcac1dc9d8a16e3aa3fa65fb57ba193c7a27f6b51bb77995e0ca8c8f6d7a66da43b426d5dbfbf96e0454448774ce33f4f7c1e39b325006d26b

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
28948521636f027a6e321d0ece85f68b

SHA1
4cc393871c2174328558347094d44cef430836d9

SHA256
37d128b4b8f41d2ed52a38ef4b628fa082d4693729b1af11d4067a1781a1a197

SHA512
2952a8aca9924a6c5a1dbdb94f79a9da49696e88c06f50ca1ce3390efb2b9bb86c8fd1184a160e810485c8f7ff11bc0d58c22787877ae5a46c66d1a6a8173c3b

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
28948521636f027a6e321d0ece85f68b

SHA1
4cc393871c2174328558347094d44cef430836d9

SHA256
37d128b4b8f41d2ed52a38ef4b628fa082d4693729b1af11d4067a1781a1a197

SHA512
2952a8aca9924a6c5a1dbdb94f79a9da49696e88c06f50ca1ce3390efb2b9bb86c8fd1184a160e810485c8f7ff11bc0d58c22787877ae5a46c66d1a6a8173c3b

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
28948521636f027a6e321d0ece85f68b

SHA1
4cc393871c2174328558347094d44cef430836d9

SHA256
37d128b4b8f41d2ed52a38ef4b628fa082d4693729b1af11d4067a1781a1a197

SHA512
2952a8aca9924a6c5a1dbdb94f79a9da49696e88c06f50ca1ce3390efb2b9bb86c8fd1184a160e810485c8f7ff11bc0d58c22787877ae5a46c66d1a6a8173c3b

Download Submit
memory/3332-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing