688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a

General

Target

688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe
Size

711KB
MD5

b7136b0a4fd467638a8ac1c1b232b0e1
SHA1

05d726269f87b5fbc098930de52cc26b794d502e
SHA256

688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a
SHA512

b7cae8b6d24b4524f50b2c3e9e537117d753420ea7335b447332b5dd7e1596e192cbe074959d8fc8c4809a99c6c88949184abf5e852bfa6c9002a893367d83d6
SSDEEP

12288:8pKfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:8pGLOS2opPIXV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2560 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

Logo1_.exe688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exeExplorer.EXE

pid process

2692 Logo1_.exe
2520 688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe
1200 Explorer.EXE
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2560 cmd.exe
2560 cmd.exe

pid	process
2560	cmd.exe

pid	process
2560	cmd.exe
2560	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

Logo1_.exe688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe

description	ioc	process
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe
File created	C:\Windows\Logo1_.exe	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
2692	Logo1_.exe
2692	Logo1_.exe
2692	Logo1_.exe
2692	Logo1_.exe
2692	Logo1_.exe
2692	Logo1_.exe
2692	Logo1_.exe
2692	Logo1_.exe
2692	Logo1_.exe
2692	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exeLogo1_.exenet.execmd.exe

description	pid	process	target process
PID 3048 wrote to memory of 2560	3048	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe	cmd.exe
PID 3048 wrote to memory of 2560	3048	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe	cmd.exe
PID 3048 wrote to memory of 2560	3048	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe	cmd.exe
PID 3048 wrote to memory of 2560	3048	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe	cmd.exe
PID 3048 wrote to memory of 2692	3048	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe	Logo1_.exe
PID 3048 wrote to memory of 2692	3048	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe	Logo1_.exe
PID 3048 wrote to memory of 2692	3048	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe	Logo1_.exe
PID 3048 wrote to memory of 2692	3048	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe	Logo1_.exe
PID 2692 wrote to memory of 2852	2692	Logo1_.exe	net.exe
PID 2692 wrote to memory of 2852	2692	Logo1_.exe	net.exe
PID 2692 wrote to memory of 2852	2692	Logo1_.exe	net.exe
PID 2692 wrote to memory of 2852	2692	Logo1_.exe	net.exe
PID 2852 wrote to memory of 2720	2852	net.exe	net1.exe
PID 2852 wrote to memory of 2720	2852	net.exe	net1.exe
PID 2852 wrote to memory of 2720	2852	net.exe	net1.exe
PID 2852 wrote to memory of 2720	2852	net.exe	net1.exe
PID 2560 wrote to memory of 2520	2560	cmd.exe	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe
PID 2560 wrote to memory of 2520	2560	cmd.exe	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe
PID 2560 wrote to memory of 2520	2560	cmd.exe	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe
PID 2560 wrote to memory of 2520	2560	cmd.exe	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe
PID 2692 wrote to memory of 1200	2692	Logo1_.exe	Explorer.EXE
PID 2692 wrote to memory of 1200	2692	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1200

C:\Users\Admin\AppData\Local\Temp\688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe
"C:\Users\Admin\AppData\Local\Temp\688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7F0F.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Local\Temp\688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe
"C:\Users\Admin\AppData\Local\Temp\688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe"
4⤵
- Executes dropped EXE
PID:2520

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2720

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
252KB

MD5
0b2679dc1eb882abf56d11ca591aeb76

SHA1
7a5c7ff9a42f9c84873d269d1e776a89045a1f45

SHA256
3d1b129d45f7fe6c861e380906a0c97576a804240426a0d2408f131cbaedc354

SHA512
8661ecb16631ac033db4d7ee8aa291647ca3311888988693633acd1a69fd9d6eb890c94c97656602c47964219a082f875bce41710fe036cf546c29ae49e2e114

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7F0F.bat
Filesize
722B

MD5
a44d4e47b0b9882be6694eb648582a12

SHA1
d0d2d356abe580ee5230a61cdbb8c094a6836925

SHA256
5de27cc81b47c7d52484a5e1c0777e8b5065ad26316eb776c1bd58855627839e

SHA512
9487d0f0124f2b6c27f5b08de4aeff3ec49d39929d0ffcce55fed1a61b0c5da79c3ded581ec4dd82d0ac59bf44db9ae53177c2f434e4c2dbfa621119d9c042f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe.exe
Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
C:\Windows\Logo1_.exe
Filesize
27KB

MD5
d0d42004d5e14fecf764dc99963c82fa

SHA1
2b05a3b17e23a16df2a838d31d8c4113993dd833

SHA256
fe58d080c6a43f69deaec1b3fa9ffa2963dd9a3384b6f3aa9895c4dd2c485a8f

SHA512
72f9b71e46512dfcec9bd294930cc9a01acdb8c5b33a3c9a48c9475889f300e35d13191e5868c9798fd335af5a32793f19180b9d015ec18d2b112d0ac1749bee

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
Filesize
9B

MD5
3b22ce0fee2d1aaf2c66dcd142740e29

SHA1
94d542b4bb9854a9419753c38e6ffe747653d91c

SHA256
8284772f28954a109c16f1583e6e34e29f06673b34e04f268bda961b57ba9f79

SHA512
efd4900a49624170e51ea401f0845634f49484a49335845258dc3d41a12e2022bf413a6751fcbcfd1ec68cde506f3363beae57f20e8eaca8b214d28baa138c5b

Download Submit
memory/1200-31-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2692-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-1851-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-3311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

pid	process
2692	Logo1_.exe
2520	688687fa3a90436342e29494c85c5025adbfce0c9761611ec6c7c21fc0c1594a.exe
1200	Explorer.EXE

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads