28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4

General

Target

28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe
Size

68KB
MD5

42a24f7feaf22c32e57f003db916439e
SHA1

240c0f263a1c175abacd7d3d2e0824286b9906d7
SHA256

28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4
SHA512

5cc5099a1f9448af3a2d759a1d1e0305955fa488116f420aed650555da6f7bc69d6610be0fc1bf3d33557aadd4099dd9944e6b96310a554e7665d327429f6475
SSDEEP

1536:vF3SHmLKarIpYeEToa9D4ZQKbgZi1dst7x9PxQ:vFkF3pdlZQKbgZi1St7xQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2832 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe

pid process

1200 Logo1_.exe
2596 28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2832 cmd.exe

pid	process
2832	cmd.exe

pid	process
2832	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5CF72A45-AD68-472B-BBFF-38A947BD74EE}\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe
File created	C:\Windows\Logo1_.exe	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Logo1_.exe

pid	process
1200	Logo1_.exe
1200	Logo1_.exe
1200	Logo1_.exe
1200	Logo1_.exe
1200	Logo1_.exe
1200	Logo1_.exe
1200	Logo1_.exe
1200	Logo1_.exe
1200	Logo1_.exe
1200	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exeLogo1_.exenet.execmd.exe

description	pid	process	target process
PID 2780 wrote to memory of 2832	2780	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe	cmd.exe
PID 2780 wrote to memory of 2832	2780	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe	cmd.exe
PID 2780 wrote to memory of 2832	2780	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe	cmd.exe
PID 2780 wrote to memory of 2832	2780	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe	cmd.exe
PID 2780 wrote to memory of 1200	2780	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe	Logo1_.exe
PID 2780 wrote to memory of 1200	2780	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe	Logo1_.exe
PID 2780 wrote to memory of 1200	2780	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe	Logo1_.exe
PID 2780 wrote to memory of 1200	2780	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe	Logo1_.exe
PID 1200 wrote to memory of 2584	1200	Logo1_.exe	net.exe
PID 1200 wrote to memory of 2584	1200	Logo1_.exe	net.exe
PID 1200 wrote to memory of 2584	1200	Logo1_.exe	net.exe
PID 1200 wrote to memory of 2584	1200	Logo1_.exe	net.exe
PID 2584 wrote to memory of 2592	2584	net.exe	net1.exe
PID 2584 wrote to memory of 2592	2584	net.exe	net1.exe
PID 2584 wrote to memory of 2592	2584	net.exe	net1.exe
PID 2584 wrote to memory of 2592	2584	net.exe	net1.exe
PID 2832 wrote to memory of 2596	2832	cmd.exe	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe
PID 2832 wrote to memory of 2596	2832	cmd.exe	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe
PID 2832 wrote to memory of 2596	2832	cmd.exe	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe
PID 2832 wrote to memory of 2596	2832	cmd.exe	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe
PID 1200 wrote to memory of 1180	1200	Logo1_.exe	Explorer.EXE
PID 1200 wrote to memory of 1180	1200	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe
"C:\Users\Admin\AppData\Local\Temp\28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a312E.bat
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe
"C:\Users\Admin\AppData\Local\Temp\28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe"
4⤵
- Executes dropped EXE
PID:2596

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
252KB

MD5
0b2679dc1eb882abf56d11ca591aeb76

SHA1
7a5c7ff9a42f9c84873d269d1e776a89045a1f45

SHA256
3d1b129d45f7fe6c861e380906a0c97576a804240426a0d2408f131cbaedc354

SHA512
8661ecb16631ac033db4d7ee8aa291647ca3311888988693633acd1a69fd9d6eb890c94c97656602c47964219a082f875bce41710fe036cf546c29ae49e2e114

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
472KB

MD5
88eb1bca8c399bc3f46e99cdde2f047e

SHA1
55fafbceb011e1af2edced978686a90971bd95f2

SHA256
42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428

SHA512
149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a312E.bat

Filesize
722B

MD5
d06b2b96aa2e9efbd63b8b8d2fa8dbeb

SHA1
4ae923572f5b52cdbe3c88d96ea142bda845318f

SHA256
426357cb1177c9a940ebf0b6b6623e601570bf8b29302043a4a9af8843a5ddb5

SHA512
09b3286ae6a281606c0747a24fb8fc0f58c974b2f61185f57cefac7716180a9fc65c9edf310d917a34711a084b6c32bcf70ea19df339a6d173ad28f0a84bcd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe.exe

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
C:\Windows\Logo1_.exe

Filesize
27KB

MD5
d0d42004d5e14fecf764dc99963c82fa

SHA1
2b05a3b17e23a16df2a838d31d8c4113993dd833

SHA256
fe58d080c6a43f69deaec1b3fa9ffa2963dd9a3384b6f3aa9895c4dd2c485a8f

SHA512
72f9b71e46512dfcec9bd294930cc9a01acdb8c5b33a3c9a48c9475889f300e35d13191e5868c9798fd335af5a32793f19180b9d015ec18d2b112d0ac1749bee

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

Filesize
9B

MD5
3b22ce0fee2d1aaf2c66dcd142740e29

SHA1
94d542b4bb9854a9419753c38e6ffe747653d91c

SHA256
8284772f28954a109c16f1583e6e34e29f06673b34e04f268bda961b57ba9f79

SHA512
efd4900a49624170e51ea401f0845634f49484a49335845258dc3d41a12e2022bf413a6751fcbcfd1ec68cde506f3363beae57f20e8eaca8b214d28baa138c5b

Download Submit
memory/1180-29-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1200-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-38-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-459-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-1849-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-1955-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-3309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

pid	process
1200	Logo1_.exe
2596	28494180e200ce01f8cf7281d2c945e68d0765c5e7823e5918a4ef5bf29708b4.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads