cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6

General

Target

cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe
Size

209KB
MD5

405a0661788e1d5758d5deee5630f5e9
SHA1

11a340ad45508afd012a5de55db66fa64c1f4346
SHA256

cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6
SHA512

804811a083df44e33c67a461d4232b524460ad4a512b3f08f0665fa93c3b0d830bd5770e661120a87639ed9b7e9b293457894bd78c93b575197ddc97547e7993
SSDEEP

3072:RftffjmNXb2SNKt/CQywzDL8M5JJDhfRtHRl74DF4ODoMWpTav7Fi:ZVfjmNKAKt/CBwzDHO7cpTavR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
864	Logo1_.exe
4428	cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe
File created	C:\Windows\Logo1_.exe	cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe
864	Logo1_.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2288	2944	cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe	27
PID 2944 wrote to memory of 2288	2944	cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe	27
PID 2944 wrote to memory of 2288	2944	cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe	27
PID 2944 wrote to memory of 864	2944	cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe	25
PID 2944 wrote to memory of 864	2944	cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe	25
PID 2944 wrote to memory of 864	2944	cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe	25
PID 864 wrote to memory of 4064	864	Logo1_.exe	19
PID 864 wrote to memory of 4064	864	Logo1_.exe	19
PID 864 wrote to memory of 4064	864	Logo1_.exe	19
PID 2288 wrote to memory of 4428	2288	cmd.exe	22
PID 2288 wrote to memory of 4428	2288	cmd.exe	22
PID 2288 wrote to memory of 4428	2288	cmd.exe	22
PID 4064 wrote to memory of 2236	4064	net.exe	20
PID 4064 wrote to memory of 2236	4064	net.exe	20
PID 4064 wrote to memory of 2236	4064	net.exe	20
PID 864 wrote to memory of 3452	864	Logo1_.exe	53
PID 864 wrote to memory of 3452	864	Logo1_.exe	53

C:\Users\Admin\AppData\Local\Temp\cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe
"C:\Users\Admin\AppData\Local\Temp\cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a65DE.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2288

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
1⤵
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
  2⤵
  PID:2236

C:\Users\Admin\AppData\Local\Temp\cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe
"C:\Users\Admin\AppData\Local\Temp\cd73d31ee068c816c07974ea31e685501d0d7dc464d9f8e2ccd347f38f14b0a6.exe"
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-2032-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-1179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/864-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-27-0x00000000067E0000-0x000000000681C000-memory.dmp

Filesize
240KB

Download
memory/4428-40-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4428-26-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/4428-25-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/4428-37-0x00000000741D0000-0x0000000074980000-memory.dmp

Filesize
7.7MB

Download
memory/4428-38-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4428-24-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/4428-28-0x00000000067A0000-0x00000000067C1000-memory.dmp

Filesize
132KB

Download
memory/4428-23-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4428-48-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4428-22-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/4428-21-0x00000000055C0000-0x0000000005B64000-memory.dmp

Filesize
5.6MB

Download
memory/4428-20-0x0000000000690000-0x00000000006C4000-memory.dmp

Filesize
208KB

Download
memory/4428-19-0x00000000741D0000-0x0000000074980000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing