92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c

Reason

Machine shutdown

General

Target

92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe
Size

222KB
MD5

17f14555fcf8ea8f37f4902bf00782fe
SHA1

dc5a5328c6024a9b025bf3a23b74af1eaf3ce0bd
SHA256

92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c
SHA512

6e776a22d32edba4f3a6085f92c9f45aaaa0e514b32a84cf8069877297124ec6e348beb30830c20eae980dbdf8e3dc0d8d60df46aa9efc517cd976bed179de1b
SSDEEP

3072:KftffjmN/aSi/qNwmmfg63jDpmSMG/0iAO7D1E2rr5dpUebuk1noV0NLPmd+1:KVfjmNylmmfg6zVmjK0idbucRLP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2480	Logo1_.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe
File created	C:\Windows\Logo1_.exe	92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2480	Logo1_.exe
2480	Logo1_.exe
2480	Logo1_.exe
2480	Logo1_.exe
2480	Logo1_.exe
2480	Logo1_.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2956	2304	92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe	28
PID 2304 wrote to memory of 2956	2304	92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe	28
PID 2304 wrote to memory of 2956	2304	92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe	28
PID 2304 wrote to memory of 2956	2304	92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe	28
PID 2304 wrote to memory of 2480	2304	92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe	30
PID 2304 wrote to memory of 2480	2304	92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe	30
PID 2304 wrote to memory of 2480	2304	92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe	30
PID 2304 wrote to memory of 2480	2304	92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe	30

C:\Users\Admin\AppData\Local\Temp\92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe
"C:\Users\Admin\AppData\Local\Temp\92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2118.bat
  2⤵
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe
    "C:\Users\Admin\AppData\Local\Temp\92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe"
    3⤵
    PID:2540
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    PID:2076
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2684

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a2118.bat

Filesize
722B

MD5
70fdbffe6470fc9dfbebf49b963e3161

SHA1
4a954b6ff253e70811593bf25e3edeb06e3de764

SHA256
61c587fa304bb8a1cf6cab2c4fc30201b5ca0910820cce619adb8f9d73fd7696

SHA512
6408bde8d03298fd30b09a50693b4b10585967942cfcd4dfa1fe4065e25a2d5decf13865088459322b5c9b30388e990e8d004926031d52ccad1448591e172a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\92ad7fb5f279baf4133b3b8981ac34ef56dbe26ed946e21b6a348198375be79c.exe

Filesize
196KB

MD5
218c296901cade577e8952e437aced34

SHA1
41c1be576c349730b42d2086c8f4184b66a9924e

SHA256
539f365bfcffd9ff57ed94d7943d40553cd345b7daec2ae3330ef77c7be88a6c

SHA512
923b0b7dcc595760801a09ce15f532749f25ad0563cff94bf26f73f4f88b4b2650a852a0e7a3bfec9ed5b1730f77035a3da54e19f2363a6bc8ba7f0387bf1ea1

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
e775b4af8097a3d5af255a698fa52750

SHA1
cf922ffbd0cd996e51c469fb035b1d564fa926b4

SHA256
8fdafecfba18d52ff994ce55258a62359d1e03851a8ffe4ca88c75bc8323948f

SHA512
007275f84970cb6eddf464171c67ceb1e2009e2c8173d0ae7e09e4dbdbc7d12f9c1e487b1dcfeb4d047fb57b5f687ffbf731bc7d90a73be9b680b7c49cfed773

Download Submit
memory/2304-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-18-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2304-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2480-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2540-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2684-34-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/2740-35-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2956-30-0x0000000000190000-0x00000000001C6000-memory.dmp

Filesize
216KB

Download
memory/2956-25-0x0000000000190000-0x00000000001C6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

Errors