Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 01:24
Static task: static1
Behavioral task: behavioral1
Sample: ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe
Resource: win7-20240221-en
General
Target: ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe
Size: 4.1MB
MD5: ca6c0855389589407774a221a7670b7c
SHA1: 8d95ba40905e2d919984d31c8743eacb6059a9a6
SHA256: ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d
SHA512: 5b14fa3202f6b0984a74caaaad9dbd93dcbbca63b2a6944acaf9252bd8cf3bcd6ff23343d64533b56465cbe01befc59b2c52b2c814468cb53bdf95c21260d424
SSDEEP: 49152:+7uTEk9yZGTrRJlfOI3vO1hVWV8O2f5wK4mjPuXVQb9ZQjFur5+YJsFQqSqACStU:nlONWWO2f9uiJ3/aHC31
Signatures
Deletes itself (1 IoCs)
Processes (pid, process):
  2940 cmd.exe
Executes dropped EXE (3 IoCs)
Processes (pid, process):
  2808 Logo1_.exe
  2576 ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe
  2448 ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
  File opened (read-only) by Logo1_.exe: \??\Y:, \??\P:, \??\O:, \??\J:, \??\S:, \??\R:, \??\L:, \??\H:, \??\N:, \??\M:, \??\I:, \??\G:, \??\Z:, \??\W:, \??\T:, \??\Q:, \??\E:, \??\X:, \??\V:, \??\U:, \??\K:
Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
Drops file in Windows directory (4 IoCs)
Processes: ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe, Logo1_.exe
  File created C:\Windows\rundl132.exe by ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe
  File created C:\Windows\Logo1_.exe by ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe
  File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  File created C:\Windows\vDll.dll by Logo1_.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid, process):
  2808 Logo1_.exe (10 occurrences)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes (pid, process, target process):
  2868 ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe wrote to memory of 2940 cmd.exe (4 occurrences)
  2868 ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe wrote to memory of 2808 Logo1_.exe (4 occurrences)
  2808 Logo1_.exe wrote to memory of 2652 net.exe (4 occurrences)
  2652 net.exe wrote to memory of 2820 net1.exe (4 occurrences)
  2808 Logo1_.exe wrote to memory of 1204 Explorer.EXE (2 occurrences)
Processes
C:\Windows\Explorer.EXE (PID 1204)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe (PID 2868)
    command line: "C:\Users\Admin\AppData\Local\Temp\ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2940)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1813.bat
      - Deletes itself
      C:\Users\Admin\AppData\Local\Temp\ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe (PID 2576)
        command line: "C:\Users\Admin\AppData\Local\Temp\ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe"
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe (PID 2448)
        command line: "C:\Users\Admin\AppData\Local\Temp\ce6730e9d98fcc133bc96a9c4306c4e8e96648e9c27251a79ecbacc7bfdd865d.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 2808)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 2652)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2820)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Downloads