8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7

General

Target

8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe
Size

59KB
MD5

70e60a07fc5ec3cfecad11f9d7e8b644
SHA1

f62e04a8b05c22c0bf7522359428f720714e9206
SHA256

8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7
SHA512

e2cdbf9d3218342fdd3f895b2d7e54f16e3c34f58fd3c2cd7fb42fbb034b208dfac43710fb8bb58f68c27855f7dbf53e3846bb4e1fa0a92f508d7ca4b2cc3605
SSDEEP

1536:dfgLdQAQfcfymNf+nHDUSLxXtDxZHMJhpuNUsRln:dftffjmNuUSLx9DeptQln

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3416	Logo1_.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe
File created	C:\Windows\Logo1_.exe	8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3416	Logo1_.exe
3416	Logo1_.exe
3416	Logo1_.exe
3416	Logo1_.exe
3416	Logo1_.exe
3416	Logo1_.exe
3416	Logo1_.exe
3416	Logo1_.exe
3416	Logo1_.exe
3416	Logo1_.exe
3416	Logo1_.exe
3416	Logo1_.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1784	872	8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe	86
PID 872 wrote to memory of 1784	872	8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe	86
PID 872 wrote to memory of 1784	872	8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe	86
PID 872 wrote to memory of 3416	872	8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe	87
PID 872 wrote to memory of 3416	872	8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe	87
PID 872 wrote to memory of 3416	872	8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe	87
PID 3416 wrote to memory of 4608	3416	Logo1_.exe	89
PID 3416 wrote to memory of 4608	3416	Logo1_.exe	89
PID 3416 wrote to memory of 4608	3416	Logo1_.exe	89

C:\Users\Admin\AppData\Local\Temp\8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe
"C:\Users\Admin\AppData\Local\Temp\8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8702.bat
  2⤵
  PID:1784
- - C:\Users\Admin\AppData\Local\Temp\8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe
    "C:\Users\Admin\AppData\Local\Temp\8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe"
    3⤵
    PID:3064
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    PID:4608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a8702.bat

Filesize
722B

MD5
ab787c372cc33602d3b196568e2a6d13

SHA1
b4d523d2ea0e40a056eed229ed85e617c1fc1533

SHA256
12d7958b0bacd10fb2d4b6440b27d540f5eec8b557937419f814ac86a52a9b23

SHA512
0555276242aa21acc516444bcab6b5f7e40dbec8a1cd3805bf888f3b47801a5bdb5139740fd61e37d6d068ae4b652093fce2d9aa1f1795a8f251fcf68c82d7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe

Filesize
33KB

MD5
8d05ecf2ab1c6977a588ea5d668050ab

SHA1
ba402e1035ec8f5d1c686752584993395aa9e1b9

SHA256
caa73b1e0d729f03de5e8deee8316dd0e1976f1ba3fedb0c6a85dd4096c109d3

SHA512
4827c4aab9ffc7a9857e399b8b8480fe842a61e92193ab50ca6ed557884d64458c4bce9f4d2ca2105bcd2276098bc61e0c6968e9cf6b1d881ab6dea2c3945c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e5e7b9a59e5d086f81305b64444654650c6f422dac29a4aedd223e3c260e4a7.exe.exe

Filesize
33KB

MD5
8d05ecf2ab1c6977a588ea5d668050ab

SHA1
ba402e1035ec8f5d1c686752584993395aa9e1b9

SHA256
caa73b1e0d729f03de5e8deee8316dd0e1976f1ba3fedb0c6a85dd4096c109d3

SHA512
4827c4aab9ffc7a9857e399b8b8480fe842a61e92193ab50ca6ed557884d64458c4bce9f4d2ca2105bcd2276098bc61e0c6968e9cf6b1d881ab6dea2c3945c88

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
3b3bb3d8ab4a2a4e6d740495a52d6e25

SHA1
a97eacc11f455bcb7de6b924df8a64d99062ce34

SHA256
12c99fb5c6b78e193dd16bc5eb659b4a7510e51fef318914ad76414bec69a4a2

SHA512
d70b5417117116c85e790150f311f489e25104861ffb0888bcdf7b6ab8411e2777318801eb97552ae5e373aaf21c142e16f9871326d630c6335ad80031c738ee

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
3b3bb3d8ab4a2a4e6d740495a52d6e25

SHA1
a97eacc11f455bcb7de6b924df8a64d99062ce34

SHA256
12c99fb5c6b78e193dd16bc5eb659b4a7510e51fef318914ad76414bec69a4a2

SHA512
d70b5417117116c85e790150f311f489e25104861ffb0888bcdf7b6ab8411e2777318801eb97552ae5e373aaf21c142e16f9871326d630c6335ad80031c738ee

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
3b3bb3d8ab4a2a4e6d740495a52d6e25

SHA1
a97eacc11f455bcb7de6b924df8a64d99062ce34

SHA256
12c99fb5c6b78e193dd16bc5eb659b4a7510e51fef318914ad76414bec69a4a2

SHA512
d70b5417117116c85e790150f311f489e25104861ffb0888bcdf7b6ab8411e2777318801eb97552ae5e373aaf21c142e16f9871326d630c6335ad80031c738ee

Download Submit
memory/872-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-18-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3064-19-0x0000000000030000-0x000000000003E000-memory.dmp

Filesize
56KB

Download
memory/3064-20-0x0000000004E80000-0x0000000005424000-memory.dmp

Filesize
5.6MB

Download
memory/3064-21-0x0000000004970000-0x0000000004A02000-memory.dmp

Filesize
584KB

Download
memory/3416-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing