5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7

General

Target

5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe
Size

5.7MB
MD5

34b54e3507775ffc95af009894b5c58e
SHA1

79d8c5272a0b47fc4f822e2ddf0f2ba15263b76c
SHA256

5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7
SHA512

e87d5148c7f0282cdbdbcb83eed303f06f72ed80b66a8ef0425964dbc09fe416772c541a56105c01f540b075642316adb1f69ff0081847339bee61a6ea6956ca
SSDEEP

49152:0Pv94AEsKU8ggw1g+1CART5eBiyKS3EI3wybn20DCYIHvc8ixuZm9+fWsw6dTPBJ:yKUgTH2M2m9UMpu1QfLczqssnKSk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2380 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe

pid process

2772 Logo1_.exe
2420 5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2380 cmd.exe

pid	process
2380	cmd.exe

pid	process
2380	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

Logo1_.exe5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe

description	ioc	process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe
File created	C:\Windows\Logo1_.exe	5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
2772	Logo1_.exe
2772	Logo1_.exe
2772	Logo1_.exe
2772	Logo1_.exe
2772	Logo1_.exe
2772	Logo1_.exe
2772	Logo1_.exe
2772	Logo1_.exe
2772	Logo1_.exe
2772	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exeLogo1_.exenet.exe

description	pid	process	target process
PID 2196 wrote to memory of 2380	2196	5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe	cmd.exe
PID 2196 wrote to memory of 2380	2196	5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe	cmd.exe
PID 2196 wrote to memory of 2380	2196	5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe	cmd.exe
PID 2196 wrote to memory of 2380	2196	5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe	cmd.exe
PID 2196 wrote to memory of 2772	2196	5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe	Logo1_.exe
PID 2196 wrote to memory of 2772	2196	5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe	Logo1_.exe
PID 2196 wrote to memory of 2772	2196	5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe	Logo1_.exe
PID 2196 wrote to memory of 2772	2196	5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe	Logo1_.exe
PID 2772 wrote to memory of 2608	2772	Logo1_.exe	net.exe
PID 2772 wrote to memory of 2608	2772	Logo1_.exe	net.exe
PID 2772 wrote to memory of 2608	2772	Logo1_.exe	net.exe
PID 2772 wrote to memory of 2608	2772	Logo1_.exe	net.exe
PID 2608 wrote to memory of 2552	2608	net.exe	net1.exe
PID 2608 wrote to memory of 2552	2608	net.exe	net1.exe
PID 2608 wrote to memory of 2552	2608	net.exe	net1.exe
PID 2608 wrote to memory of 2552	2608	net.exe	net1.exe
PID 2772 wrote to memory of 1200	2772	Logo1_.exe	Explorer.EXE
PID 2772 wrote to memory of 1200	2772	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe
"C:\Users\Admin\AppData\Local\Temp\5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a34B7.bat
3⤵
- Deletes itself
- Loads dropped DLL
PID:2380

C:\Users\Admin\AppData\Local\Temp\5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe
"C:\Users\Admin\AppData\Local\Temp\5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe"
4⤵
- Executes dropped EXE
PID:2420

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2552

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
254KB

MD5
3e470de1df977de1b6251d61cefd34c2

SHA1
c1919c8d46d9c95aab8c167b9ee4e6ac6c089a50

SHA256
cb52a481b391828464a9080ac8ed4a4daf3418176822165713179c0706a1ca27

SHA512
6e106f63747243353c7adaa2ee142ee9a260db0dc2b85e4e5c789969a777503c4508f7e7568213689d4cab4235aee0d81f54e4191997f04d1aaeb6577bc751ee

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
474KB

MD5
6eabc463f8025a7e6e65f38cba22f126

SHA1
3e430ee5ec01c5509ed750b88d3473e7990dfe95

SHA256
cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7

SHA512
c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a34B7.bat
Filesize
722B

MD5
6f09121fef6c311b9f27070e69d753f2

SHA1
6381a2507b4f0f2ad3a9bdf2a8e5a3cfc498bf6c

SHA256
cd05d051496fa917e5e3b081e41217b0f219b402efb328b6cf01b6c3c321f714

SHA512
9d0e530e557eda3f3ea6f7528743849448de05a426563456babea99bc941735c30634dfb4888093c1045312c64927473eeb1ac2fafdec7ffe67d5b8b9c95e184

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe.exe
Filesize
5.7MB

MD5
ba18e99b3e17adb5b029eaebc457dd89

SHA1
ec0458f3c00d35b323f08d4e1cc2e72899429c38

SHA256
f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628

SHA512
1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

Download Submit
C:\Windows\Logo1_.exe
Filesize
29KB

MD5
1c30b55853002b4599e0e5fa853f1329

SHA1
4e1ba89200dd04c3d7042024850deadc89a24af0

SHA256
ac0b99689ea0e6b3d5d4892871dd80175ac8e020a4d86217f968a23a608b22d6

SHA512
f475cd99a54db95649ee9ee83badf6eafb2b073867d95cf4482c2c63062df3446fb2044b7c42c924bf13eb955132379af0a25f877353e151f9ef84b66b5dc3cd

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini
Filesize
9B

MD5
ef2876ec14bdb3dc085fc3af9311b015

SHA1
68b64b46b1ff0fdc9f009d8fffb8ee87c597fa56

SHA256
ac2a34b4f2d44d19ca4269caf9f4e71cdb0b95ba8eb89ed52c5bc56eeeb1971c

SHA512
c9998caa062ad5b1da853fabb80e88e41d9f96109af89df0309be20469ca8f5be9dd1c08f3c97030e3a487732e82304f60ee2627462e017579da4204bc163c8f

Download Submit
memory/1200-30-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/2196-12-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/2196-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2196-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-517-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-1851-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-3311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

pid	process
2772	Logo1_.exe
2420	5f916339941040cc1da5f69cdeed40526f15d6d10a58cfe8392626fcf35ce1d7.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads