c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a

General

Target

c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe
Size

487KB
MD5

ecfe9c75e9eeb5256b7f117638db4984
SHA1

6d20c46202841e5c65f99ce9cdd45a38d4ab5c01
SHA256

c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a
SHA512

3383f69d7bcb2776b4351111a71dad2e0c7602ef57bc12b7139750e1a11841ea7abeb16ea90f46ab7b068dc7fe71b3c6920ff851c509743248f0c428222e8363
SSDEEP

6144:mUuJoz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV4:f1gL5pRTcAkS/3hzN8qE43fm78V

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3040 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exec327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe

pid process

2124 Logo1_.exe
2676 c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

3040 cmd.exe

pid	process
3040	cmd.exe

pid	process
3040	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\3082\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe
File created	C:\Windows\Logo1_.exe	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe
2124	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exeLogo1_.exenet.execmd.exe

description	pid	process	target process
PID 2876 wrote to memory of 3040	2876	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe	cmd.exe
PID 2876 wrote to memory of 3040	2876	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe	cmd.exe
PID 2876 wrote to memory of 3040	2876	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe	cmd.exe
PID 2876 wrote to memory of 3040	2876	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe	cmd.exe
PID 2876 wrote to memory of 2124	2876	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe	Logo1_.exe
PID 2876 wrote to memory of 2124	2876	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe	Logo1_.exe
PID 2876 wrote to memory of 2124	2876	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe	Logo1_.exe
PID 2876 wrote to memory of 2124	2876	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe	Logo1_.exe
PID 2124 wrote to memory of 3000	2124	Logo1_.exe	net.exe
PID 2124 wrote to memory of 3000	2124	Logo1_.exe	net.exe
PID 2124 wrote to memory of 3000	2124	Logo1_.exe	net.exe
PID 2124 wrote to memory of 3000	2124	Logo1_.exe	net.exe
PID 3000 wrote to memory of 2548	3000	net.exe	net1.exe
PID 3000 wrote to memory of 2548	3000	net.exe	net1.exe
PID 3000 wrote to memory of 2548	3000	net.exe	net1.exe
PID 3000 wrote to memory of 2548	3000	net.exe	net1.exe
PID 3040 wrote to memory of 2676	3040	cmd.exe	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe
PID 3040 wrote to memory of 2676	3040	cmd.exe	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe
PID 3040 wrote to memory of 2676	3040	cmd.exe	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe
PID 3040 wrote to memory of 2676	3040	cmd.exe	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe
PID 2124 wrote to memory of 1200	2124	Logo1_.exe	Explorer.EXE
PID 2124 wrote to memory of 1200	2124	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe
"C:\Users\Admin\AppData\Local\Temp\c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1F63.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe
"C:\Users\Admin\AppData\Local\Temp\c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe"
4⤵
- Executes dropped EXE
PID:2676

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2548

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
254KB

MD5
8b9d754f6a062a360f1eca184e4360bd

SHA1
29dff755cbcee35a9daf3b7a548b569c1126b616

SHA256
e17ac11d2dd6a2fa4d9adb98701499f6a0c7f748830c98f6d780cdf1a0af6789

SHA512
2722e3e400b4b27ef20c7a96b64d98fdc729a48b3f199ad87dbf3cef5912b58c6604a2b69f737ef211093b9c0ec99bbc7d5885a07f61a619d4492b5ffbe198ef

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
474KB

MD5
e96712cc2991fab37a21ceeeee83b1f6

SHA1
e7894f4029baf5faa81584bab7d20acb0feadf5f

SHA256
fc5ecf67ef00e72d234c1b58be4d807a7fa2603cf66085204bacabb796275153

SHA512
fd8ba411e0083b3120431f23f272daf3923c96c96a15f7f861565b4de85fce7bf5aafd42d15cf45c559b8e7192513a31b9167ec7c5b6f52823bf3dc20701a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1F63.bat
Filesize
722B

MD5
08e00342c86ae8e62a2eb86bb08265d5

SHA1
65b151e9fb37a9c4698be5d55da8dbde5e3fbc34

SHA256
d57dfe5ca287414db385d4291845e0f3f9b8641318816c1d9d9cc73865ec42cd

SHA512
b14b38bd7225f17c0e49c2777ea6f3d6cd0be1c8aef2fd13f51297415ed4d90382dc32951d2379c9dd06a671fd6495f8392fc1c175360573f8cb03c080a6db51

Download Submit
C:\Users\Admin\AppData\Local\Temp\c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\rundl132.exe
Filesize
29KB

MD5
24743dc5d84b6ed4f72fe9d489cdc87d

SHA1
0617cf95dbb842ac82434416264c2a8e4cc2e9b0

SHA256
c1d1c76da5241e76615ed163fa7b64feca7463f70cd4f615459788da4705a73d

SHA512
e1b1f1815c661d4287dbfe2f485fbcff90c96e0cd5905a5701527b54fcd36e6cb93f49ce87369a669bc2c5753d78d0af7c889076062f53557600250bb498c25a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini
Filesize
9B

MD5
7d02194d5f21d1288ee3e3f595122aba

SHA1
68e51fcc75148bf51da5ad67c7137b85946fc393

SHA256
a4da2cd5e1bd5b7cc915b0572d2805cb074c16122fa7e5a41fbc1203aafc3416

SHA512
b5aba933dbbe76d9c49da7e4bd9aa8449f164d1a6563feb65e795fd497f42a5c8cc317186adf817990a180e46499987a7403b68b0b089a38ccda0fc9f2dd6c1c

Download Submit
memory/1200-28-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2124-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-983-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-1848-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-3307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2124-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

pid	process
2124	Logo1_.exe
2676	c327913da3050e7071752e30c1d8885bb5cd53c6641ef9683e0d70cc3366020a.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads