fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4

General

Target

fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe
Size

1.9MB
MD5

04ed2212190b24935c27a3c52d45edd8
SHA1

e31a05d9ed92a131952b3c676ce1410eb7f6bc04
SHA256

fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4
SHA512

c638c66ce8b0dfca28bacf2a6fd0b063e8c53b558d21fa030dc8148e2c016a25c3c78c3d0f36f431db92bdec54a474a23fe6c409125a33cab70403fc37198b0a
SSDEEP

49152:7IwpL7jys6Tqrj7jeRB13xYr+rtd4eBXGeBXJRf1tr:njP6TlP1hU+L4eceVf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2092 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exefae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe

pid process

3032 Logo1_.exe
2876 fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2092 cmd.exe

pid	process
2092	cmd.exe

pid	process
2092	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EFAFADA-208B-4BC3-8A2E-F71970AC49AC}\chrome_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

Logo1_.exefae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe

description	ioc	process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe
File created	C:\Windows\Logo1_.exe	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
3032	Logo1_.exe
3032	Logo1_.exe
3032	Logo1_.exe
3032	Logo1_.exe
3032	Logo1_.exe
3032	Logo1_.exe
3032	Logo1_.exe
3032	Logo1_.exe
3032	Logo1_.exe
3032	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exeLogo1_.execmd.exenet.exe

description	pid	process	target process
PID 840 wrote to memory of 2092	840	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe	cmd.exe
PID 840 wrote to memory of 2092	840	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe	cmd.exe
PID 840 wrote to memory of 2092	840	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe	cmd.exe
PID 840 wrote to memory of 2092	840	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe	cmd.exe
PID 840 wrote to memory of 3032	840	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe	Logo1_.exe
PID 840 wrote to memory of 3032	840	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe	Logo1_.exe
PID 840 wrote to memory of 3032	840	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe	Logo1_.exe
PID 840 wrote to memory of 3032	840	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe	Logo1_.exe
PID 3032 wrote to memory of 2644	3032	Logo1_.exe	net.exe
PID 3032 wrote to memory of 2644	3032	Logo1_.exe	net.exe
PID 3032 wrote to memory of 2644	3032	Logo1_.exe	net.exe
PID 3032 wrote to memory of 2644	3032	Logo1_.exe	net.exe
PID 2092 wrote to memory of 2876	2092	cmd.exe	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe
PID 2092 wrote to memory of 2876	2092	cmd.exe	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe
PID 2092 wrote to memory of 2876	2092	cmd.exe	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe
PID 2092 wrote to memory of 2876	2092	cmd.exe	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe
PID 2644 wrote to memory of 2744	2644	net.exe	net1.exe
PID 2644 wrote to memory of 2744	2644	net.exe	net1.exe
PID 2644 wrote to memory of 2744	2644	net.exe	net1.exe
PID 2644 wrote to memory of 2744	2644	net.exe	net1.exe
PID 3032 wrote to memory of 1188	3032	Logo1_.exe	Explorer.EXE
PID 3032 wrote to memory of 1188	3032	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe
"C:\Users\Admin\AppData\Local\Temp\fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1140.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe
"C:\Users\Admin\AppData\Local\Temp\fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe"
4⤵
- Executes dropped EXE
PID:2876

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2744

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
252KB

MD5
94ac2f80cd8fb8abe2464c1389ea891f

SHA1
466155c8170f0678d9d73d791c3bfd03aeb3c89e

SHA256
61e394877ee6e90ce0ecec1411633922005f59d9ad202eb5c83830f9bc6c8153

SHA512
79229d7be2201b20e68aecd2ee1623c51fcec7ed7c111565d8b204c577e872c926db9a1b31c8e758de8f7ffe61222d990a83e143d0a72fee8265e573ab1c75a1

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1140.bat
Filesize
722B

MD5
c1ec55da3eb128ca5f5a1f341edb76b5

SHA1
33837e4506f714c6e30a8339fca943cde9c052e5

SHA256
475b825a2c9c15e8eca464bd226bd7f4d7b7984d9112cdc0ae9d2106a9812a77

SHA512
53fbf679caa7545f9acd7db4fc0a20030fa57ae994322e0517e53f963e194f4e041eab042958ea85722ee8841fd27ec6bef3fd1f8b7096bcc214acff023f535f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe.exe
Filesize
1.9MB

MD5
290ba3738d9bd6a6dd8f1e4d0d08916a

SHA1
529f79aafd8b3a97c3ad131280ce3f799013c209

SHA256
cd6e0ba7daacdbfe73cc1690c8e91f6019f1a87a4fba45b1cef17d49ac369a6e

SHA512
5cfe9083c15d0ff5c4c67a8d0d45aedf46552b1321b18b56f701ea51b506739ceabe312f42d951c19208e62818917109cfa0f03b1ba19a5baa7856edd766dd1b

Download Submit
C:\Windows\Logo1_.exe
Filesize
27KB

MD5
03b44db159a155adf9d6d4ce059bcc94

SHA1
a6e4a3d607d0a9e86ac3ee757c6edb0513bb8d72

SHA256
281f5e68ebf4c747601c9b252a1af6bf7452bde36311b00ab1db51efc12e48c3

SHA512
59a8b6ffdf00e7f9b08bced1f8ac0f98c6685f3bed54a8f2857830d9f0457fa28ecd429f1c0b70228223a71dc1ee0a8dacfff1819b1e52bc10f644cb43d1e89a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini
Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/840-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1188-31-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2876-28-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2876-29-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3032-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-93-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-99-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-1876-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-1926-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-3336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3032-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

pid	process
3032	Logo1_.exe
2876	fae0f669faa4d3c2188444825a2992ad3304c90955a8073c7920028a122e25c4.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads