75feb51f91fb1e6c06d8338fd0e79d94c5b5059dabbc9e1032f1fd69c6b4220a

General

Target

06b20a20c9de68e0f69b7f19de820ef5.exe
Size

58KB
MD5

06b20a20c9de68e0f69b7f19de820ef5
SHA1

41df559aefd262a53815a95a54287cfe622dabf5
SHA256

75feb51f91fb1e6c06d8338fd0e79d94c5b5059dabbc9e1032f1fd69c6b4220a
SHA512

5d25fc6933f6aaf6e2d2c548a06dd79fa33df388c8ecb1f9567355ddeaefd3c8bd4554a7e1088853130d6ef8ef3a263e59c3aea7cc0bbd6ac5d3bfb1d7c0c917
SSDEEP

1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmitDg:qKtfDwsjPThTYszDH2fO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
400	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	06b20a20c9de68e0f69b7f19de820ef5.exe
File created	C:\Windows\virDll.dll	Logo1_.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe
400	Logo1_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 1416	4260	06b20a20c9de68e0f69b7f19de820ef5.exe	89
PID 4260 wrote to memory of 1416	4260	06b20a20c9de68e0f69b7f19de820ef5.exe	89
PID 4260 wrote to memory of 1416	4260	06b20a20c9de68e0f69b7f19de820ef5.exe	89
PID 4260 wrote to memory of 400	4260	06b20a20c9de68e0f69b7f19de820ef5.exe	90
PID 4260 wrote to memory of 400	4260	06b20a20c9de68e0f69b7f19de820ef5.exe	90
PID 4260 wrote to memory of 400	4260	06b20a20c9de68e0f69b7f19de820ef5.exe	90
PID 400 wrote to memory of 3432	400	Logo1_.exe	36
PID 400 wrote to memory of 3432	400	Logo1_.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\06b20a20c9de68e0f69b7f19de820ef5.exe
  "C:\Users\Admin\AppData\Local\Temp\06b20a20c9de68e0f69b7f19de820ef5.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D64.bat
    3⤵
    PID:1416
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zFM.exe

Filesize
989KB

MD5
9a35ed95647ddb96ed23e5b200a677e2

SHA1
5a44e0fb6cd3a938769c187bc8cffce708ecdd14

SHA256
45d6ba47b3d481d7978559cf625688b69ee6179ad8f532b679a77c34910ea2d3

SHA512
9b327f2709093838564b96fc58eeff7688494e55fdd798e3c135ea69fbe569a663fb86f84b30479e1840f926072efdb8df996cff12d4e476b3020ebf518740e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4D64.bat

Filesize
530B

MD5
51e3c9fffe8c014292048035b0372006

SHA1
9d3dfbc1b0855b6c9d6fab240fb4619dc1345360

SHA256
9edb451df4e006bfa00da27dc480f51152810bb37c8eb4e7b97ec3192d2c46c9

SHA512
2c390c6d5ad84ab1562dacaa88223bb7f4c4b6024b5c968f1608dbb2ec819689680810ef1c578dfe6337b214c99b03c80c2f0d29b84cf5a66791e472ce0ecad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\06b20a20c9de68e0f69b7f19de820ef5.exe.exe

Filesize
19B

MD5
429e6e5b48e77b0e608751c46838dbc3

SHA1
d8f32e8d3b32ffb23ecf665df05b25ff4be836ed

SHA256
833620980d7fa36cd3601a14288c68f1b2b1d87e91b8d5a9489ccbe90236b282

SHA512
b7f6f0d5ecb454b1c11ee43744258b11dcb5fe4852eccfd57b3952a157b0a500893005d13fb051794693203fed3c3c6b897f01f47c24046da39ead9eab8d9f4e

Download Submit
C:\Windows\Logo1_.exe

Filesize
58KB

MD5
d3067363e6e0c36a8090d6f155de0b52

SHA1
92ed48dfa0b159b9645b868bd69c9b70f963e526

SHA256
b8cadd0ac47418494c38417f6f98e48e7b081c5b4aa1c93116f231e9a86e36ea

SHA512
241c09d3c5bc6df05cd14df9a20a65201cb2b7b95646ea8024341a30f61544fb4af0b82e3335062e4de3fe79423682c125dbec538668ac41099d6538235ae3a8

Download Submit
memory/400-19-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4260-6-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing