477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae

General

Target

477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe
Size

3.0MB
MD5

349b58ac22ceee7a2d9f5becb6b68ae1
SHA1

c4e2f6de987d2dad58305490b758ed8b71820f74
SHA256

477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae
SHA512

a9e3f169477cac925731509f99b9dd18a117a149fabb62c1458c9104edaf5fe39631da2a8ae2ab513d47f1d515c574324a24e14dcd3fe812437b4564209ddcd4
SSDEEP

98304:/A8h1iV9lP9Wp24uD3+s7/ilFH47zSHOrv:/A80P9o24SDWB47zS+v

Score

9^/10

cryptone packer

Malware Config

Signatures

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe.exe	cryptone

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2744 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe

pid process

2900 Logo1_.exe
2680 477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2744 cmd.exe

pid	process
2744	cmd.exe

pid	process
2744	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

Logo1_.exe477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe

description	ioc	process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe
File created	C:\Windows\Logo1_.exe	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
2900	Logo1_.exe
2900	Logo1_.exe
2900	Logo1_.exe
2900	Logo1_.exe
2900	Logo1_.exe
2900	Logo1_.exe
2900	Logo1_.exe
2900	Logo1_.exe
2900	Logo1_.exe
2900	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exeLogo1_.exenet.execmd.exe

description	pid	process	target process
PID 1448 wrote to memory of 2744	1448	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe	cmd.exe
PID 1448 wrote to memory of 2744	1448	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe	cmd.exe
PID 1448 wrote to memory of 2744	1448	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe	cmd.exe
PID 1448 wrote to memory of 2744	1448	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe	cmd.exe
PID 1448 wrote to memory of 2900	1448	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe	Logo1_.exe
PID 1448 wrote to memory of 2900	1448	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe	Logo1_.exe
PID 1448 wrote to memory of 2900	1448	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe	Logo1_.exe
PID 1448 wrote to memory of 2900	1448	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe	Logo1_.exe
PID 2900 wrote to memory of 2636	2900	Logo1_.exe	net.exe
PID 2900 wrote to memory of 2636	2900	Logo1_.exe	net.exe
PID 2900 wrote to memory of 2636	2900	Logo1_.exe	net.exe
PID 2900 wrote to memory of 2636	2900	Logo1_.exe	net.exe
PID 2636 wrote to memory of 2760	2636	net.exe	net1.exe
PID 2636 wrote to memory of 2760	2636	net.exe	net1.exe
PID 2636 wrote to memory of 2760	2636	net.exe	net1.exe
PID 2636 wrote to memory of 2760	2636	net.exe	net1.exe
PID 2744 wrote to memory of 2680	2744	cmd.exe	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe
PID 2744 wrote to memory of 2680	2744	cmd.exe	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe
PID 2744 wrote to memory of 2680	2744	cmd.exe	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe
PID 2744 wrote to memory of 2680	2744	cmd.exe	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe
PID 2900 wrote to memory of 1412	2900	Logo1_.exe	Explorer.EXE
PID 2900 wrote to memory of 1412	2900	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe
"C:\Users\Admin\AppData\Local\Temp\477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a901F.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe
"C:\Users\Admin\AppData\Local\Temp\477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe"
4⤵
- Executes dropped EXE
PID:2680

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2760

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
7ea02a735848047e1d8e7c00d94ca1bd

SHA1
332cf8da17363271e68cfaaa33e17263e4b8e9eb

SHA256
e87a2ce1a7afaf0f95488a500a386182b5fdc7dd4cfb6c73b887f4efa88a006a

SHA512
617a3682a93046f5dc34ac146e7fff1fa8b0deeecd773e5557a14485c24095d501f5e8477ce686ff8b195bb2a798608428c78faf7f46fea38428ca76b8f95d86

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
471KB

MD5
f9fc019eacb573ec828d2d9ff6a48318

SHA1
b91958dc8d178b6eeb35e829bab84d0fb12c2280

SHA256
bf9ba3df2bad76d15f4efe42c0c59f37b9454907958892df8ab996552658934e

SHA512
998ba7bc7cdd5df3e1acfda6f4f92ec9d27732e1e182177dff310f3c918f3be99626a3526bebdff5bb7eb980640434baf56e0f08bfd125168c0a9e37e7239305

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a901F.bat
Filesize
722B

MD5
337720b12346d8a5fa84a5ce68ec5c1e

SHA1
83a594aa89da003ddc79409eb677ca2ffd49b87b

SHA256
d3001dd855dc4dff134fafcadbbd8239b08aaafb64f3d4e1cd8c8fed4429f7d0

SHA512
9fc441a812ae29fed43bc5d3cb459e3d71ceea301909b33e371678f6d77c2f6937aacc22c810ef34df42c69e5a9b3774164d7a2f89a9b2fbe7eb833dd49367bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe.exe
Filesize
3.0MB

MD5
a94ed6699d08a59484fd2d4884cf4400

SHA1
135a80e681ec8b9e0e5d1a41c2617a8c46ea780e

SHA256
2122b63576219671aae4e32c706ad997a4d5220b5cfd94f1f134fe3c53b66b14

SHA512
879729c1aa1c6a8a1195afa7df2d212a731fa4f7991149ac6eb2f0786f4f727fe93aa74998b49491536fd8af5a6a98ab77adadf2d2b7cd02569a3c2fb877a62d

Download Submit
C:\Windows\rundl132.exe
Filesize
26KB

MD5
773d4ec846cc53c96e2ff8dd102079e4

SHA1
b654768c79314a1a7bcddd3e744703cab0beaf97

SHA256
683baf581a18f3dcd8322de60398c793150eb75d0480964ccd3a8b7b915522db

SHA512
c3989fefed8a01d718acccfaf1775d1351bdb2a1a8a714cb8ca81044b723a0bb33a185819aa76fc06720b7c6ffe70af0a80b4e4d0b81634a86dffc8ec15559e3

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
Filesize
9B

MD5
4b2b75605a65a6762ec4715de0a70902

SHA1
3b85993ef06d2d814abc405188fdd19a1bffea0c

SHA256
77072cc5a7b394508cf5d819ff8cf4385a9b3cb15d8715a59845ccfa235ea34e

SHA512
888361e75afd4308bdad817af543704a42ffdf2d798acef619459e9978ac68f1cf4d468c6e0b146ab738b0109fdf331c4380471aa83f637b0f6ab06164840c65

Download Submit
memory/1412-29-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1448-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

pid	process
2900	Logo1_.exe
2680	477484286161223da65e75036d86bb3712c0e322258f174e2f74cc2cdccd4dae.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads