476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6

General

Target

476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe
Size

2.8MB
MD5

3f95e52a64529deda7dd9db53680946e
SHA1

b7f3d45ecd6d5a45b1962a558324e0348fb616f9
SHA256

476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6
SHA512

559306de2ab1c0c2a7479a3a98258618b24747abe612d492207f299351dd765fe15614a825b5cd1107efe04399bab6d05e1c9e250d27d799b6a3a6c9c489a7a4
SSDEEP

49152:a6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:fd1XdhBiiMa7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1720 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe

pid process

1704 Logo1_.exe
3032 476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1720 cmd.exe

pid	process
1720	cmd.exe

pid	process
1720	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Uninstall Information\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe
File created	C:\Windows\Logo1_.exe	476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe
1704	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exeLogo1_.exenet.exe

description	pid	process	target process
PID 2176 wrote to memory of 1720	2176	476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe	cmd.exe
PID 2176 wrote to memory of 1720	2176	476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe	cmd.exe
PID 2176 wrote to memory of 1720	2176	476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe	cmd.exe
PID 2176 wrote to memory of 1720	2176	476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe	cmd.exe
PID 2176 wrote to memory of 1704	2176	476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe	Logo1_.exe
PID 2176 wrote to memory of 1704	2176	476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe	Logo1_.exe
PID 2176 wrote to memory of 1704	2176	476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe	Logo1_.exe
PID 2176 wrote to memory of 1704	2176	476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe	Logo1_.exe
PID 1704 wrote to memory of 2724	1704	Logo1_.exe	net.exe
PID 1704 wrote to memory of 2724	1704	Logo1_.exe	net.exe
PID 1704 wrote to memory of 2724	1704	Logo1_.exe	net.exe
PID 1704 wrote to memory of 2724	1704	Logo1_.exe	net.exe
PID 2724 wrote to memory of 2604	2724	net.exe	net1.exe
PID 2724 wrote to memory of 2604	2724	net.exe	net1.exe
PID 2724 wrote to memory of 2604	2724	net.exe	net1.exe
PID 2724 wrote to memory of 2604	2724	net.exe	net1.exe
PID 1704 wrote to memory of 1208	1704	Logo1_.exe	Explorer.EXE
PID 1704 wrote to memory of 1208	1704	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe
"C:\Users\Admin\AppData\Local\Temp\476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3218.bat
3⤵
- Deletes itself
- Loads dropped DLL
PID:1720

C:\Users\Admin\AppData\Local\Temp\476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe
"C:\Users\Admin\AppData\Local\Temp\476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe"
4⤵
- Executes dropped EXE
PID:3032

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2604

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
254KB

MD5
1e542136e714c36e03b9ee319763e747

SHA1
ef02fc4e91a35f21f3b19bb1b090d92c0d45b2f6

SHA256
2301aaa1b03b49344420829bad5b50bbcc4af516f7870af2682084f999fa02df

SHA512
1aa5d58d6e35efb23db89dcd652f7bdb00905dfa0a0abf2f69b4add0f46e8fd3fb5862835407491b694c2daf00790ff6e827dde329e6ea3a4735ac24656f859d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
474KB

MD5
e7c28befda578f10224ec9df5d31588b

SHA1
e8095eb56893224f81f048d084565d8e04c8b23d

SHA256
6ed819f9fd4e1314bbb6d5f147bf383821f54a3cd3a47cd40feac73a2cd09574

SHA512
3e26170aa5fb4459b870777d0911b36b1522392edfeb52d60c7e4b171794aa69780bb590d2c1d36cff8f582fb021190b304d26b5f99dbfea515e23220172b37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3218.bat
Filesize
722B

MD5
c101eea976f03f776f15c962895f5136

SHA1
5add77b643182f7b6bdf5ba0e433a6adf329f315

SHA256
067002c18719618f2a599b2cd6edfe9fa085ed82ab3af7fb67d43895878f8992

SHA512
d295700f8ecadcd326eafa119bccf19dac18e7645d826fad06aa064a715bb70c807a6f1926e6a5b2dfb5fddb5c4d000a6b1b68f8ff6dc10bb0d1489d828f549f

Download Submit
C:\Users\Admin\AppData\Local\Temp\476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe.exe
Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Windows\Logo1_.exe
Filesize
29KB

MD5
09c85faf916941f1a031ec476b32a345

SHA1
1c04dd321b46446792d0a734526d229bb54690b7

SHA256
6c78b33d77408c2d9aea93cba7d2275c140e25a38c7f942f75ae6a7b820769b8

SHA512
ff30b7377d0720c9ec9b08f29560285b3549efd526410ec1658e86cbefa03cddf8c678c3647c8852bcaa0bb382360c4e6ba153706d04861ff7cc790c1275a9a1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3691908287-3775019229-3534252667-1000\_desktop.ini
Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/1208-29-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/1704-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-1874-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-3334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

pid	process
1704	Logo1_.exe
3032	476efbd451220a931d6164e34a64cca3f46733fd166a0812e78b57cb792d15c6.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads