b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f

General

Target

b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe
Size

88KB
MD5

8acddae791729518d108da97d597f3c6
SHA1

f00ab91bc548cb03d5475c66119b506e0420e422
SHA256

b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f
SHA512

f851620040e254f257178196f68d4dfac5d32f84ab08289639a7c0b5f9109bcc31eac6a87620f41b453dc5768ee4dcffc42f37609354ebb50f21f1d750bc0a14
SSDEEP

1536:pJF3SHuJV9Ntyapmebn4ddJZeY86iLflLJYEIs67rxo:pJFkuJVL8LK4ddJMY86ipmns6S

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2384 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exeb8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe

pid process

1948 Logo1_.exe
2664 b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2384 cmd.exe

pid	process
2384	cmd.exe

pid	process
2384	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

Logo1_.exeb8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe

description	ioc	process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe
File created	C:\Windows\Logo1_.exe	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exeLogo1_.execmd.exenet.exe

description	pid	process	target process
PID 1936 wrote to memory of 2384	1936	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe	cmd.exe
PID 1936 wrote to memory of 2384	1936	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe	cmd.exe
PID 1936 wrote to memory of 2384	1936	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe	cmd.exe
PID 1936 wrote to memory of 2384	1936	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe	cmd.exe
PID 1936 wrote to memory of 1948	1936	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe	Logo1_.exe
PID 1936 wrote to memory of 1948	1936	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe	Logo1_.exe
PID 1936 wrote to memory of 1948	1936	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe	Logo1_.exe
PID 1936 wrote to memory of 1948	1936	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe	Logo1_.exe
PID 1948 wrote to memory of 3028	1948	Logo1_.exe	net.exe
PID 1948 wrote to memory of 3028	1948	Logo1_.exe	net.exe
PID 1948 wrote to memory of 3028	1948	Logo1_.exe	net.exe
PID 1948 wrote to memory of 3028	1948	Logo1_.exe	net.exe
PID 2384 wrote to memory of 2664	2384	cmd.exe	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe
PID 2384 wrote to memory of 2664	2384	cmd.exe	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe
PID 2384 wrote to memory of 2664	2384	cmd.exe	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe
PID 2384 wrote to memory of 2664	2384	cmd.exe	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe
PID 3028 wrote to memory of 2704	3028	net.exe	net1.exe
PID 3028 wrote to memory of 2704	3028	net.exe	net1.exe
PID 3028 wrote to memory of 2704	3028	net.exe	net1.exe
PID 3028 wrote to memory of 2704	3028	net.exe	net1.exe
PID 1948 wrote to memory of 1312	1948	Logo1_.exe	Explorer.EXE
PID 1948 wrote to memory of 1312	1948	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe
"C:\Users\Admin\AppData\Local\Temp\b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCAE.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe
"C:\Users\Admin\AppData\Local\Temp\b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe"
4⤵
- Executes dropped EXE
PID:2664

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
3e470de1df977de1b6251d61cefd34c2

SHA1
c1919c8d46d9c95aab8c167b9ee4e6ac6c089a50

SHA256
cb52a481b391828464a9080ac8ed4a4daf3418176822165713179c0706a1ca27

SHA512
6e106f63747243353c7adaa2ee142ee9a260db0dc2b85e4e5c789969a777503c4508f7e7568213689d4cab4235aee0d81f54e4191997f04d1aaeb6577bc751ee

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCAE.bat

Filesize
721B

MD5
0ca4b1ad74f04c59d31c77cf804f97af

SHA1
596c8433ee6dbd7bd88c7bafb61aa0ad9647554d

SHA256
587964f183d942a425081c5748e8b7f0a64eb62f14e4e754a7a657f1e0e8e2c6

SHA512
c9e7537503f63be98acaa6f6a9c9b394e0232d117852708cf5c724de4497a9785dd45bf76d4b6b67250e6cc54245ba017f8a2a2ca13a65a59f01e66ecd58d72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe.exe

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
1c30b55853002b4599e0e5fa853f1329

SHA1
4e1ba89200dd04c3d7042024850deadc89a24af0

SHA256
ac0b99689ea0e6b3d5d4892871dd80175ac8e020a4d86217f968a23a608b22d6

SHA512
f475cd99a54db95649ee9ee83badf6eafb2b073867d95cf4482c2c63062df3446fb2044b7c42c924bf13eb955132379af0a25f877353e151f9ef84b66b5dc3cd

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

Filesize
9B

MD5
ef2876ec14bdb3dc085fc3af9311b015

SHA1
68b64b46b1ff0fdc9f009d8fffb8ee87c597fa56

SHA256
ac2a34b4f2d44d19ca4269caf9f4e71cdb0b95ba8eb89ed52c5bc56eeeb1971c

SHA512
c9998caa062ad5b1da853fabb80e88e41d9f96109af89df0309be20469ca8f5be9dd1c08f3c97030e3a487732e82304f60ee2627462e017579da4204bc163c8f

Download Submit
memory/1312-29-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/1936-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1936-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-631-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-1849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-2315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-3309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

pid	process
1948	Logo1_.exe
2664	b8c8006525175900e9910e1a04d32e0b4be02ad96c0fba1d4e932abadec8d42f.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads