Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 01:24
Static task: static1
Behavioral task: behavioral1
Sample: e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
Resource: win7-20240508-en
General
Target: e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
Size: 4.6MB
MD5: 9af5d90da7497bd4b24dce6e9d8c1d0f
SHA1: 90e2af60443ca536a1bd8e71d2abde5be8ed3fb4
SHA256: e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72
SHA512: a59daa791d610a8650045227262c51ec24300d2dba9a75f4fc47c318a18b220e862c1defb502ae457f6c191b68b51572b4069e867f8c0f8d3622240e4bda7c34
SSDEEP: 98304:byENIIut+hl5pU9HLOaFAIH3TcLWGO7d09GZkrCRfR:mEN2tm5pOuU3TcLWGO7djZkrC5R
Malware Config
Signatures
Deletes itself (1 IoC)
Processes:
  PID 2928  cmd.exe

Executes dropped EXE (3 IoCs)
Processes:
  PID 3064  Logo1_.exe
  PID 2680  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
  PID 2500  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
  File opened (read-only), one entry per drive letter (listed sorted; every letter from E: to Z:):
  \??\E:  \??\G:  \??\H:  \??\I:  \??\J:  \??\K:  \??\L:  \??\M:  \??\N:  \??\O:  \??\P:
  \??\Q:  \??\R:  \??\S:  \??\T:  \??\U:  \??\V:  \??\W:  \??\X:  \??\Y:  \??\Z:

Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
Note: 61 of the 64 entries are _desktop.ini files created or modified across both Program Files trees; the remaining three are existing executables opened for modification (Mahjong.exe, SETLANG.EXE, keytool.exe), which is the entry type worth checking first when triaging an infected host.
  File opened for modification C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini
  File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini
  File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_desktop.ini
  File created C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini
  File created C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini
  File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini
  File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini
  File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini
  File created C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini
  File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini
  File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\_desktop.ini
  File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini
  File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini
  File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini
  File opened for modification C:\Program Files\Java\jre7\lib\ext\_desktop.ini
  File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_desktop.ini
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini
  File created C:\Program Files (x86)\Windows Sidebar\de-DE\_desktop.ini
  File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini
  File opened for modification C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini
  File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini
  File opened for modification C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini
  File created C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini
  File created C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini
  File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini
  File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\_desktop.ini
  File created C:\Program Files\Java\jre7\lib\images\_desktop.ini
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini
  File opened for modification C:\Program Files (x86)\Windows Sidebar\de-DE\_desktop.ini
  File created C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini
  File created C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\_desktop.ini
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini
  File created C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini
  File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini
  File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini
  File opened for modification C:\Program Files\Microsoft Games\Chess\ja-JP\_desktop.ini
  File opened for modification C:\Program Files\Microsoft Games\Hearts\ja-JP\_desktop.ini
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini
  File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini
  File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini
  File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini
  File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini

Drops file in Windows directory (4 IoCs)
Processes: e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe, Logo1_.exe
  File created C:\Windows\rundl132.exe  (by e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe)
  File created C:\Windows\Logo1_.exe  (by e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe)
  File opened for modification C:\Windows\rundl132.exe  (by Logo1_.exe)
  File created C:\Windows\vDll.dll  (by Logo1_.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe
(No further detail recorded by this signature; see the net stop command line in the process tree.)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  PID 3064  Logo1_.exe  (all 10 IoCs are from this one process)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe, Logo1_.exe, net.exe
  Writer PID  Writer image                                                              Target PID  Target image  Count
  2920        e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe     2928        cmd.exe       4
  2920        e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe     3064        Logo1_.exe    4
  3064        Logo1_.exe                                                                2732        net.exe       4
  2732        net.exe                                                                   2240        net1.exe      4
  3064        Logo1_.exe                                                                1204        Explorer.EXE  2
The first four rows are a parent writing into a child it has just created; the last row is Logo1_.exe writing into Explorer.EXE, a process it did not spawn.
Processes
Indentation shows the parent/child relationship (the original numbers the tree depth 1 to 5).

C:\Windows\Explorer.EXE  (PID 1204)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  (PID 2920)
    command line: "C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2928)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2EBE.bat
      - Deletes itself

      C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  (PID 2680)
        command line: "C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe"
        - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  (PID 2500)
        command line: "C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe"
        - Executes dropped EXE

    C:\Windows\Logo1_.exe  (PID 3064)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe  (PID 2732)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2240)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
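The signature tables and the process tree above are what a responder would pull indicators from, but the page presents them as run-together lines. The following script is an added example, not part of the report or the sandbox's own tooling: it parses a constructed excerpt of the report's "File <action> <path> <process>" lines, rebuilds the process tree from the PIDs and command lines shown in the tree, and flags the behaviours that matter for a hunt: files planted in C:\Windows, existing executables under Program Files opened for modification, the \??\X: drive sweep, the _desktop.ini markers, the self-delete batch file, the net stop of the antivirus service, and a WriteProcessMemory target that is not the writer's own child (here Logo1_.exe writing into Explorer.EXE). The line format, the excerpt, the process table and the heuristic thresholds are assumptions made for the example; every path, PID and command line in them is copied from the report.

```python
"""Triage of the sandbox report above: parse the flattened IoC lines into
records, rebuild the process tree, and flag what a hunter would act on.

Added example, not part of the report or the sandbox's own tooling. The
excerpt and the process table below are constructed inline (values copied
from the report) so the script runs offline.
"""
import re
from collections import defaultdict

SAMPLE = "e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe"

# Constructed excerpt of the signature tables, one entry per line (the page
# runs them together); assumed format: "File <action> <path> <process>".
FILE_IOCS = r"""
File created C:\Windows\rundl132.exe e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
File created C:\Windows\Logo1_.exe e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
File opened for modification C:\Windows\rundl132.exe Logo1_.exe
File created C:\Windows\vDll.dll Logo1_.exe
File created C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini Logo1_.exe
File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE Logo1_.exe
File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe Logo1_.exe
File opened (read-only) \??\E: Logo1_.exe
File opened (read-only) \??\Y: Logo1_.exe
"""

# (pid, parent pid, image, command line), transcribed from the process tree.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PROCESSES = [
    (1204, None, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (2920, 1204, SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    (2928, 2920, "cmd.exe", f"cmd /c {TEMP}\\$$a2EBE.bat"),
    (2680, 2928, SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    (2500, 2928, SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    (3064, 2920, "Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    (2732, 3064, "net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    (2240, 2732, "net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]
# (writer pid, target pid) pairs from the WriteProcessMemory signature.
WRITES = [(2920, 2928), (2920, 3064), (3064, 2732), (2732, 2240), (3064, 1204)]

FILE_RE = re.compile(
    r"^File (created|opened for modification|opened \(read-only\)) (.+) (\S+)$")


def parse_file_iocs(text):
    """Turn 'File <action> <path> <process>' lines into dicts. The process is
    the last whitespace-free token, so paths may contain spaces."""
    out = []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line)
        if m:
            action, path, proc = m.groups()
            out.append({"action": action, "path": path, "process": proc})
    return out


def triage_files(records):
    """Group file IoCs by why they matter to a responder."""
    f = defaultdict(set)
    for r in records:
        p = r["path"].lower()
        if r["action"] == "opened (read-only)" and re.fullmatch(r"\\\?\?\\[a-z]:", p):
            f["drive_sweep"].add(r["path"])            # \??\X: root opens
        elif p.startswith("c:\\windows\\"):
            f["system_dir_drop"].add(r["path"])        # payloads planted in C:\Windows
        elif (p.startswith("c:\\program files") and p.endswith(".exe")
              and r["action"] == "opened for modification"):
            f["existing_exe_modified"].add(r["path"])  # legitimate binaries rewritten
        elif p.endswith("\\_desktop.ini"):
            f["desktop_ini_planted"].add(r["path"])    # marker left in visited dirs
    return f


def triage_processes(processes, writes):
    """Flag the self-delete batch, service stops, and memory writes into a
    process the writer did not spawn (injection rather than child setup)."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in processes}
    kids = defaultdict(set)
    for pid, ppid, _, _ in processes:
        kids[ppid].add(pid)
    f = defaultdict(list)
    for pid, ppid, image, cmd in processes:
        low = cmd.lower()
        # Heuristic (assumption): cmd /c <Temp>\*.bat spawned by a dropper.
        if image.lower() == "cmd.exe" and "/c" in low and low.endswith(".bat") and "\\temp\\" in low:
            f["self_delete_batch"].append((by_pid[ppid][1], cmd))
        m = re.search(r'\bnet1?\b\s+stop\s+"([^"]+)"', cmd, re.IGNORECASE)
        if m:
            f["service_stop"].append((image, m.group(1)))
    for writer, target in writes:
        if target not in kids[writer]:
            f["cross_process_write"].append((by_pid[writer][1], by_pid[target][1]))
    return dict(f)


if __name__ == "__main__":
    files = triage_files(parse_file_iocs(FILE_IOCS))
    procs = triage_processes(PROCESSES, WRITES)
    for key, val in list(files.items()) + list(procs.items()):
        print(f"{key}: {sorted(val)}")
```

Run as-is it prints one line per finding category. The cross-process check relies on the sandbox recording parent PIDs; on a host, the same logic maps onto Sysmon event 10 (ProcessAccess) joined against event 1 (ProcessCreate) parent/child pairs. The three executables under Program Files that were opened for modification are the first thing to hash-compare against known-good copies, since a dropper that rewrites existing binaries survives deletion of its own files.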
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 471KB
MD5: 99ea9b604a7a734d3087fa6159684c42
SHA1: 709fa1068ad4d560fe03e05b68056f1b0bedbfc8
SHA256: 3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c
SHA512: 7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

Filesize: 722B
MD5: 2a6e1f81bc03abca777d0bd6abd2cf14
SHA1: 2752f209c0950e8ed9e04868431b216f93ee4e88
SHA256: efbfbd9ca41c503dc1ff01736cdba0470f3aa2e298aa10b57c259996d4026aa6
SHA512: 07a3b11cd7922245aec0a2551ec144934049e874fd6f68fdbd325ea0166f76371df82860c7e1946025a87f0d02ed646431267c6a906161e004cc29c8051aaa3e

C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe.exe
Filesize: 4.6MB
MD5: 95222faeeab2cebe9502f2e123d5dd2a
SHA1: dac0e46c7b0bc998bee826538a3128fbe396e638
SHA256: b8af4588875e697e49db4e1ff5833ef8f89ffde327ab9dc9fad101551d6aec28
SHA512: aaec6212bb69d7dbf4b7d09dfa6ccfca803835c19a5974f534f7db2d6235e741bb404969b2695ff9487ee2c7ac2ab1f740a436332b740b45fbaf579c6e13bf4f
(Same size as the submitted sample but different hashes, so this is not a byte-identical copy of the original.)

Filesize: 26KB
MD5: 64a926d15aa028690bc14ef51132d6d6
SHA1: 66638b0a02ecc310024bd3b3ccec85efbf467a10
SHA256: 52a165a2cef64c6d5b99666985d18d0caf21dff39a40871ce30bd1a377b050b0
SHA512: 1afecb82683ee0a55b445d7fcea8ebc13d1dbb3d6ae826e3ae1b2b7137f1f28f022c08b6ea64ff9648c5bda8b81fe57f4168aee0098aef1bc1f38d1a12ab7c86

Filesize: 9B
MD5: 31874817e0fb055be8d2c971c0e3bbde
SHA1: ee8a35d6a86cb6d13f354d67d912e194bb09c74b
SHA256: 94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544
SHA512: 55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944