12a68c94b4f0b13cca2a8b908bf674686a0ab331ec366d88baa2c192c33f236f

General

Target

logo.exe
Size

10.5MB
MD5

f9656fc3a1e0374f728a844a3a97a56a
SHA1

92558a564f524dde5227cb4e463e887a028b465e
SHA256

12a68c94b4f0b13cca2a8b908bf674686a0ab331ec366d88baa2c192c33f236f
SHA512

d2f87396f900b22a9f758d967082a546d177064bbae84c43747eabeb8d51da7ed39c13e38a98f090071ffe7a4d764969682489df03ffc08eb132e53856b50fed
SSDEEP

98304:Bfy32pGWBVD5g/O3VelEaQE4QUzLo47ssIktninGeiUAfFOOKVq/wi:9dGW7d5aQE4DoI0ktninKLn

Score

10^/10

collection discovery evasion execution spyware stealer

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	logo.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2496	powershell.exe

Loads dropped DLL 22 IoCs

pid	Process
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	logo.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	logo.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	logo.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	logo.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	logo.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	logo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	logo.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	logo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	logo.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	logo.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	logo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	logo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	logo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	logo.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FC279E75B04C472B0AA78AC60D8F14B6A82CD405	logo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FC279E75B04C472B0AA78AC60D8F14B6A82CD405\Blob = 030000000100000014000000fc279e75b04c472b0aa78ac60d8f14b6a82cd40520000000010000007a02000030820276308201dfa00302010202087fea145c0988b47e300d06092a864886f70d01010b050030733132303006035504030c294d6963726f736f667420526f6f7420436572746966696361746520416774686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3232303531373139353333325a170d3236303531363139353333325a30733132303006035504030c294d6963726f736f667420526f6f7420436572746966696361746520416774686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100b76369b00e8c537c906b128f4ed0341461e74cf966622da09d3fc8c92e016f6c8eb6acdb6e3221ebd8159054ec24afa15784a39ec6674b53cece29ccbe0b2df8858208eee3dad7b29cdec09a9f7a7db19721fec19c31ad52b6e58891a4dbde558adc094dbed6f2103938a95a6b3e072fc494c91acf3df6aa034503d9ecb0e7270203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b05000381810001f3bcc4d1c4d65814ce000dcb919b267893b480ef37ef68795e72c5cfa1b81df3f33cb224eec6d4867ca0cae3249964b178c0531da2916e6e3aa9126a36341617253da378d73a321cbe3a3fcfc47f0039173480c3bfc3c51a470f0bb6097cff52cf05ee68c43eb38af3cf650fc3a9422d150b50563af5984bcd9a11edbc0beb	logo.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1920	logo.exe
2496	powershell.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe
1920	logo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1920	logo.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1920	logo.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2496	1920	logo.exe	28
PID 1920 wrote to memory of 2496	1920	logo.exe	28
PID 1920 wrote to memory of 2496	1920	logo.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	logo.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	logo.exe

C:\Users\Admin\AppData\Local\Temp\logo.exe
"C:\Users\Admin\AppData\Local\Temp\logo.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1920
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\logo.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ptpruoerpe

Filesize
46KB

MD5
b13fcb3223116f6eec60be9143cae98b

SHA1
9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88

SHA256
961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b

SHA512
89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
654KB

MD5
1fd347ee17287e9c9532c46a49c4abc4

SHA1
ad5d9599030bfbcc828c4321fffd7b9066369393

SHA256
912373af6f3c176b7e0a71c986d6288f76f5be80de7c9a580b110690271e9237

SHA512
9e52622077e805fcff2c6fe510524bf9ca7246da9ef42843041e82ced28b59163a2729335139df9e2d2a4c748ed56471bb053f337655a77d2d0976370f07acf4

Download Submit
memory/1920-22-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-78-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-4-0x000000006E400000-0x000000006E49E000-memory.dmp

Filesize
632KB

Download
memory/1920-5-0x000000006E400000-0x000000006E49E000-memory.dmp

Filesize
632KB

Download
memory/1920-8-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-6-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-11-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-12-0x0000000000400000-0x0000000000E9D000-memory.dmp

Filesize
10.6MB

Download
memory/1920-14-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-81-0x000000006E400000-0x000000006E49E000-memory.dmp

Filesize
632KB

Download
memory/1920-2-0x0000000063080000-0x0000000063301000-memory.dmp

Filesize
2.5MB

Download
memory/1920-80-0x0000000063080000-0x0000000063301000-memory.dmp

Filesize
2.5MB

Download
memory/1920-3-0x0000000063080000-0x0000000063301000-memory.dmp

Filesize
2.5MB

Download
memory/1920-0-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-75-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-63-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-32-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-61-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-1-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/1920-60-0x0000000003290000-0x0000000003F72000-memory.dmp

Filesize
12.9MB

Download
memory/2496-31-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

Filesize
9.6MB

Download
memory/2496-23-0x0000000002CE4000-0x0000000002CE7000-memory.dmp

Filesize
12KB

Download
memory/2496-21-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2496-24-0x0000000002CEB000-0x0000000002D52000-memory.dmp

Filesize
412KB

Download
memory/2496-20-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2496-19-0x000007FEF57CE000-0x000007FEF57CF000-memory.dmp

Filesize
4KB

Download
memory/2496-98-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

Filesize
9.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads