ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250

General

Target

ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe
Size

72KB
MD5

181b05f797bf19da72559765f89ccc8b
SHA1

c05566d5a52e59501b666889460087547840c126
SHA256

ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250
SHA512

5186db618444967af521b777f0f515cd7148c9bc2cf244e0f70e543bf2b782071e91563f4087aee2fb0561f4c8f599a8f354d6a4c004fec87260294db723ee22
SSDEEP

1536:lhhufgLdQAQfcfymN92nOF6u/i8i+KicZRYeghh:cftffjmN92OFp68iIyR

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3000 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exeec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe

pid process

2424 Logo1_.exe
2216 ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

3000 cmd.exe
3000 cmd.exe

pid	process
3000	cmd.exe

pid	process
3000	cmd.exe
3000	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe.exe	upx
behavioral1/memory/2216-31-0x0000000000400000-0x000000000050F000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpenc.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe
File created	C:\Windows\Logo1_.exe	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
2424	Logo1_.exe
2424	Logo1_.exe
2424	Logo1_.exe
2424	Logo1_.exe
2424	Logo1_.exe
2424	Logo1_.exe
2424	Logo1_.exe
2424	Logo1_.exe
2424	Logo1_.exe
2424	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exeLogo1_.execmd.exenet.exe

description	pid	process	target process
PID 1008 wrote to memory of 3000	1008	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe	cmd.exe
PID 1008 wrote to memory of 3000	1008	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe	cmd.exe
PID 1008 wrote to memory of 3000	1008	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe	cmd.exe
PID 1008 wrote to memory of 3000	1008	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe	cmd.exe
PID 1008 wrote to memory of 2424	1008	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe	Logo1_.exe
PID 1008 wrote to memory of 2424	1008	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe	Logo1_.exe
PID 1008 wrote to memory of 2424	1008	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe	Logo1_.exe
PID 1008 wrote to memory of 2424	1008	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe	Logo1_.exe
PID 2424 wrote to memory of 2744	2424	Logo1_.exe	net.exe
PID 2424 wrote to memory of 2744	2424	Logo1_.exe	net.exe
PID 2424 wrote to memory of 2744	2424	Logo1_.exe	net.exe
PID 2424 wrote to memory of 2744	2424	Logo1_.exe	net.exe
PID 3000 wrote to memory of 2216	3000	cmd.exe	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe
PID 3000 wrote to memory of 2216	3000	cmd.exe	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe
PID 3000 wrote to memory of 2216	3000	cmd.exe	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe
PID 3000 wrote to memory of 2216	3000	cmd.exe	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe
PID 2744 wrote to memory of 2892	2744	net.exe	net1.exe
PID 2744 wrote to memory of 2892	2744	net.exe	net1.exe
PID 2744 wrote to memory of 2892	2744	net.exe	net1.exe
PID 2744 wrote to memory of 2892	2744	net.exe	net1.exe
PID 2424 wrote to memory of 1116	2424	Logo1_.exe	Explorer.EXE
PID 2424 wrote to memory of 1116	2424	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe
"C:\Users\Admin\AppData\Local\Temp\ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5CB.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe
"C:\Users\Admin\AppData\Local\Temp\ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe"
4⤵
- Executes dropped EXE
PID:2216

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2892

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
3e7e33f90519246ba56d5539af241f1d

SHA1
b670438955c17f3c05d321138bd051031dc96c69

SHA256
b5f8587bd50d73e4c0d2a626aeee40166cf953f0ef6b7936bcd2566daa4c03d7

SHA512
3f11e97f71a8a57abae3f2a74a5c62820995d29538c9202701540c889ede1573d59f43d30a3040afebeb8a4be7aec721b57a7e3259f52e82e6d74ad2dfa0be13

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a5CB.bat
Filesize
721B

MD5
875ce4a9267906899e428d6a6395221f

SHA1
eccab27b1a27a2a3f8f9a0912dc52bc72ccd3777

SHA256
fcb2650cfa9a0785ddff5f9e4fbf2af7c2a9396326f79ec9ef8a88073353f7b7

SHA512
07bd610061b4d9fc8fb65f2566805470278d7588cee57a703f5f068560ff2f1ca9012c9a12973cdb331347699c0fdbba335d54d703c3b554ca5f2c95b66fe54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe.exe
Filesize
46KB

MD5
07adddef653a702b9a11edbcee07e82b

SHA1
97729f6df1cd96b61e3e2bc1a841adf1720e2ec5

SHA256
69214c946aa2db33ae97ebe3ca23808853a5110a716ea58510787229599960ee

SHA512
98fbad7178470651ebab97c0c5ed78f7dde9e8f2d7e9060538a4f0e60d53471def7433d38e02cf3afe1c2b6be3c1a503950d4c2cfe1ee9c00465255332ef519d

Download Submit
C:\Windows\rundl132.exe
Filesize
26KB

MD5
d4e8715b88849f5a8e1dc07f031120a2

SHA1
c77ee0410fd1d584547b3d308229149451da50aa

SHA256
f1a37f5d13a0db4ff22a45fee6a87a66ab4d70f31336bcf047f7129e89578d8a

SHA512
a7d6a9dc3b2050a0a4f59f2cac5f0c3cd2097827257bc76101b8d4153158104cc2a686e882e73f679800941ca71a2a1a989c9aec7052e0f0af4b2f71263edd73

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini
Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/1008-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-33-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/2216-31-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2424-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-643-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-1877-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-1937-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-3337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-30-0x0000000000420000-0x000000000052F000-memory.dmp

Filesize
1.1MB

Download

pid	process
2424	Logo1_.exe
2216	ec9b5ecb4c0e1fa99e688c9351eb53b68d26a6aa83713ebcfd81440225450250.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads