e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c

General

Target

e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
Size

4.1MB
MD5

19e39e02d05aaf110ea196df080d0013
SHA1

01e1c9f44b55182b066c009197131cb379c03300
SHA256

e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c
SHA512

eaa966b4108f06014deca5f7e67ddc233fa0a900b229992ebdc359f1c6dbf38a84ba146b62a530068ae27b1a885149a4b21eeaf95ce0cb7d7b8361fe9efc9128
SSDEEP

49152:Z7uTEk9yZGTrRJlfOI3vO1hVWV8O2f5wK4mjPuXVQb9ZQjFur5+YJsFQqSqACStU:0lONWWO2f9uiJ3/aHC31

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3040 cmd.exe

pid	process
3040	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

Logo1_.exee0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exee0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe

pid	process
2000	Logo1_.exe
1964	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
2532	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\Logo1_.exe	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
2000	Logo1_.exe
2000	Logo1_.exe
2000	Logo1_.exe
2000	Logo1_.exe
2000	Logo1_.exe
2000	Logo1_.exe
2000	Logo1_.exe
2000	Logo1_.exe
2000	Logo1_.exe
2000	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exeLogo1_.exenet.exe

description	pid	process	target process
PID 2192 wrote to memory of 3040	2192	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	cmd.exe
PID 2192 wrote to memory of 3040	2192	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	cmd.exe
PID 2192 wrote to memory of 3040	2192	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	cmd.exe
PID 2192 wrote to memory of 3040	2192	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	cmd.exe
PID 2192 wrote to memory of 2000	2192	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	Logo1_.exe
PID 2192 wrote to memory of 2000	2192	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	Logo1_.exe
PID 2192 wrote to memory of 2000	2192	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	Logo1_.exe
PID 2192 wrote to memory of 2000	2192	e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe	Logo1_.exe
PID 2000 wrote to memory of 2836	2000	Logo1_.exe	net.exe
PID 2000 wrote to memory of 2836	2000	Logo1_.exe	net.exe
PID 2000 wrote to memory of 2836	2000	Logo1_.exe	net.exe
PID 2000 wrote to memory of 2836	2000	Logo1_.exe	net.exe
PID 2836 wrote to memory of 2572	2836	net.exe	net1.exe
PID 2836 wrote to memory of 2572	2836	net.exe	net1.exe
PID 2836 wrote to memory of 2572	2836	net.exe	net1.exe
PID 2836 wrote to memory of 2572	2836	net.exe	net1.exe
PID 2000 wrote to memory of 1088	2000	Logo1_.exe	Explorer.EXE
PID 2000 wrote to memory of 1088	2000	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
"C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1738.bat
3⤵
- Deletes itself
PID:3040

C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
"C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe"
4⤵
- Executes dropped EXE
PID:1964

C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe
"C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe"
4⤵
- Executes dropped EXE
PID:2532

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2572

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
a4be970114fde7b4347a171ef559737b

SHA1
9ff5a5c55eca69d00aa5cf88a86831f2954ee214

SHA256
54f93dd3fd4b973502236e7372591290aef4913ed31ab38fa17c4b0e52b86e21

SHA512
e4fb957ac171ac1bbca431fbfbb8c9142b5493e3b875db7f61182c91adce87d29b410c766d5043b8bee276f9024b7b14ee636106a037db8f35d545b20ec635ce

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
471KB

MD5
99ea9b604a7a734d3087fa6159684c42

SHA1
709fa1068ad4d560fe03e05b68056f1b0bedbfc8

SHA256
3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c

SHA512
7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1738.bat
Filesize
722B

MD5
0ea9e4455bef7f4b4f2b31220cdd49ea

SHA1
65e049d05f5d15a6c6e45cb5ee4db428ffef5778

SHA256
93a44ef38d138a034e6b8adbb275816ece5ec5800b153ff97f770918ed8cbd52

SHA512
a3882ce8243b8de891b6d399d73ecf2c4234767e40fa4457c1bf230fd135e59c005be8902498c03768c0de8b391aae0fb77ce1f2db2a02f36c326de44a084227

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0af0090225dfacaae6d0dc0f8e589066ee6d9cf460feb236d061b808d58376c.exe.exe
Filesize
4.0MB

MD5
781a600a895e771ada56cf0afefd9050

SHA1
6bd0605333fe5cbb59441ef2d3f8bbebf453eba4

SHA256
627ceedadc031997a5a04d7186782415bb5e5c0c44c9ffb64e65bade7c008fd1

SHA512
15978229235d920fe511bfe859609b1ec6dcd38199dfba33393d00be7274f822a3002fb6ef53c5df5be0d9ec869e2b359ac3b829a1ba61a7bc1b358b5a65770d

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
86f9430d4925c4f45151eea124081d83

SHA1
52df34b47184ed2700bbd92b68874c73592b6d1d

SHA256
41b9e2bf3ce43d681d6dde91ffff8a23adcc4da2076516de2bf2631708b74350

SHA512
910bce524874bbe43de4e9309b1e7aa6a547a6592e3cdcff1f992c156142dc4bf493d23218f635bb6f6366bc1616d96d6ca885d651c0b4be87ab845901f4e3e8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini
Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/1088-65-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/2000-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-1889-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-3349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-59-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads