23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c

General

Target

23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe
Size

765KB
MD5

1d3cef21a6de0f25b68e036f6668f485
SHA1

1d486312343806006f3b7150cdb912ca4e6c212a
SHA256

23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c
SHA512

010c9e93e4fcf9db5bbbaaede358a4643e4d125be2374bc6eacceb4dca2068a303dbb43e8ad5c3f4ed1bf6816a7105398d041202cfee4257362b5ce1d472b662
SSDEEP

12288:C7+6FICuICWaK+iYMWcHHlhXlga3gbsD9nofaNydMAYe:C7V6v9iYMHFhVbgbETy6s

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3712	Logo1_.exe
3700	23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe
File created	C:\Windows\Logo1_.exe	23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3712	Logo1_.exe
3712	Logo1_.exe
3712	Logo1_.exe
3712	Logo1_.exe
3712	Logo1_.exe
3712	Logo1_.exe
3712	Logo1_.exe
3712	Logo1_.exe
3712	Logo1_.exe
3712	Logo1_.exe
3712	Logo1_.exe
3712	Logo1_.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 208	4432	23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe	82
PID 4432 wrote to memory of 208	4432	23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe	82
PID 4432 wrote to memory of 208	4432	23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe	82
PID 4432 wrote to memory of 3712	4432	23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe	83
PID 4432 wrote to memory of 3712	4432	23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe	83
PID 4432 wrote to memory of 3712	4432	23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe	83
PID 3712 wrote to memory of 3732	3712	Logo1_.exe	84
PID 3712 wrote to memory of 3732	3712	Logo1_.exe	84
PID 3712 wrote to memory of 3732	3712	Logo1_.exe	84
PID 3732 wrote to memory of 3500	3732	net.exe	87
PID 3732 wrote to memory of 3500	3732	net.exe	87
PID 3732 wrote to memory of 3500	3732	net.exe	87
PID 208 wrote to memory of 3700	208	cmd.exe	88
PID 208 wrote to memory of 3700	208	cmd.exe	88
PID 208 wrote to memory of 3700	208	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe
"C:\Users\Admin\AppData\Local\Temp\23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC505.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe
    "C:\Users\Admin\AppData\Local\Temp\23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe"
    3⤵
    - Executes dropped EXE
    PID:3700
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aC505.bat

Filesize
722B

MD5
6687075f1dd7ac7b731d1175ac1a5369

SHA1
4a144fa545d2a24b0fb92554159b804303d4ec78

SHA256
bb0d230ae63438d34da5a34300563038b0eda0cd4061e47daf5c256b371f34ad

SHA512
9e899e28e17c101266abf88f95835247d913664aa75ee2f4dcb2499c5441e086f0765441f9daf4f1b19bd53f67b5f231aa6126948e668aa59e4707a9ef9ee04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe

Filesize
739KB

MD5
7bb4069d375f5319909637e4a533fa51

SHA1
1df98286f33cc32695d92ce7f2177d46344b90df

SHA256
f2b06c5e66586c24e406c218a529656bc117b1fddb1947719e4c1f729090370b

SHA512
2809875bb28021ccbdb5e090a88794c2ee9fad5d2cedc80892edee1e9cb19f9b7d22250e65c78149b5a9bd534080e73ac9b7c99406454719484a284409b81b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\23d750c1617ea8230783e849bb5873d18a8303843c55e61861132a7a7b43358c.exe.exe

Filesize
739KB

MD5
7bb4069d375f5319909637e4a533fa51

SHA1
1df98286f33cc32695d92ce7f2177d46344b90df

SHA256
f2b06c5e66586c24e406c218a529656bc117b1fddb1947719e4c1f729090370b

SHA512
2809875bb28021ccbdb5e090a88794c2ee9fad5d2cedc80892edee1e9cb19f9b7d22250e65c78149b5a9bd534080e73ac9b7c99406454719484a284409b81b3d

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
df539598cb788ec692b681b7daeae7a5

SHA1
97d7641e81c39be17bb61d06b3dd681cb3610461

SHA256
490673d10696887de5bee92453e384cd8ee8007a9e7327f24a497a750182b00a

SHA512
8be252c7c9427fa9871861b1c37d6c2d42f25d4df3612ec5b00f2542918c56b66a1f326ffd19523b34bdef2b8dcbacdfc50b5a88e106a780cf77b4450e4bc7d5

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
df539598cb788ec692b681b7daeae7a5

SHA1
97d7641e81c39be17bb61d06b3dd681cb3610461

SHA256
490673d10696887de5bee92453e384cd8ee8007a9e7327f24a497a750182b00a

SHA512
8be252c7c9427fa9871861b1c37d6c2d42f25d4df3612ec5b00f2542918c56b66a1f326ffd19523b34bdef2b8dcbacdfc50b5a88e106a780cf77b4450e4bc7d5

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
df539598cb788ec692b681b7daeae7a5

SHA1
97d7641e81c39be17bb61d06b3dd681cb3610461

SHA256
490673d10696887de5bee92453e384cd8ee8007a9e7327f24a497a750182b00a

SHA512
8be252c7c9427fa9871861b1c37d6c2d42f25d4df3612ec5b00f2542918c56b66a1f326ffd19523b34bdef2b8dcbacdfc50b5a88e106a780cf77b4450e4bc7d5

Download Submit
memory/3712-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing