48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe
Size

56KB
MD5

fce33554a33007d6cd0bc092b47311ae
SHA1

bb56d59439dede8b06c3f3a27ec5095ddfc9ed30
SHA256

48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18
SHA512

7bf3cddfd7a2ea3747750c0dfe76a068842dbcc4c84546410fbe9e1552a966b46702858e35b941cdb71c57197772f09cb21348833f8796dc6c1ca8590e28b0aa
SSDEEP

1536:MfgLdQAQfcfymNG+KxLztUjVqhhO/Pjghgykga7Cw:MftffjmNoxvtzE3GkRl

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2156	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	Logo1_.exe
2484	48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	cmd.exe
2156	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000015cb1-25.dat	upx
behavioral1/memory/2484-29-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe
File created	C:\Windows\Logo1_.exe	48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe
2524	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2156	1640	48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe	28
PID 1640 wrote to memory of 2156	1640	48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe	28
PID 1640 wrote to memory of 2156	1640	48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe	28
PID 1640 wrote to memory of 2156	1640	48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe	28
PID 1640 wrote to memory of 2524	1640	48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe	29
PID 1640 wrote to memory of 2524	1640	48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe	29
PID 1640 wrote to memory of 2524	1640	48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe	29
PID 1640 wrote to memory of 2524	1640	48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe	29
PID 2524 wrote to memory of 2500	2524	Logo1_.exe	30
PID 2524 wrote to memory of 2500	2524	Logo1_.exe	30
PID 2524 wrote to memory of 2500	2524	Logo1_.exe	30
PID 2524 wrote to memory of 2500	2524	Logo1_.exe	30
PID 2500 wrote to memory of 2668	2500	net.exe	33
PID 2500 wrote to memory of 2668	2500	net.exe	33
PID 2500 wrote to memory of 2668	2500	net.exe	33
PID 2500 wrote to memory of 2668	2500	net.exe	33
PID 2156 wrote to memory of 2484	2156	cmd.exe	34
PID 2156 wrote to memory of 2484	2156	cmd.exe	34
PID 2156 wrote to memory of 2484	2156	cmd.exe	34
PID 2156 wrote to memory of 2484	2156	cmd.exe	34
PID 2524 wrote to memory of 1136	2524	Logo1_.exe	20
PID 2524 wrote to memory of 1136	2524	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe
  "C:\Users\Admin\AppData\Local\Temp\48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a197A.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe
      "C:\Users\Admin\AppData\Local\Temp\48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe"
      4⤵
      Executes dropped EXE
      PID:2484
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
d76cd4328b50ee926de42875a5081d61

SHA1
e79b5af0d1e24523fd733a916c797f3a3476dded

SHA256
7830f9e9463895e93633a3b551d795efb3bb6b148478942c60665e9851a3640d

SHA512
4c150a1b562fd2dc4daa2f0fc8644737bae68f1e69a66bb596d96ee1beaefcaca31ae6a4889a93497f9f08df31d1f8669d4a2fa0b6d81f6e27e5b4621d407d4e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
c6c8fde27f649c91ddaab8cb9ca344a6

SHA1
5e4865aec432a18107182f47edda176e8c566152

SHA256
32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

SHA512
a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a197A.bat

Filesize
722B

MD5
d5ee3c25e1e3c66fddea51ebeaf53f1f

SHA1
714236c15198933799e659cf9e0eb762c51998fa

SHA256
f2bf08aa4dcc9c5944c4f11b3779dd3fd5d0100d75bf6468b650de14fe2348c7

SHA512
e4738de5fb8c6eabafe1376b1fc380a35ae5186d47030c8ab5fe29113d7fce3f8d736dcc067ae9ef5eb542913dff3af8a28a2b91829ab92249c84500743badfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\48b50a8aaecf6ebd45fc45a07fe29f50e4428e639466f03b1b9f5d6e96061b18.exe.exe

Filesize
30KB

MD5
eb501cc7e76645141c537c48c109972b

SHA1
048bd852253133ea17b42c377e6a84ab695b9e41

SHA256
86cc414f88487b0e6af195ab6d23b89e68b87b06abd1c470652ff2f04f9093a2

SHA512
f9028e7137edb2e044596c0bf63072fb0188664d8b5e7f0a809de4a4ef72dc3554639e9a37647608dd8804ef792aede3dcc3b8fe60030594ef22666dad929e27

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
7da2d119f523dd69d8292dc88897a25d

SHA1
e132d9ab79c037320e748f1a3f77e96f250f6da3

SHA256
7d6868a7851699b6ebd4ae19a2863608bbe1444515258470fad991c6e3578ac5

SHA512
f27a14908b4a332feb6d40f480d38dbd28f4c6226f99e203f88c353408bc5bbb21e59bd8e149ee11a6949a2c4b2c1d22535ecf5f5f2f2fa71fb8a8c1a13cd5d2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
9B

MD5
b2c5a70d0c0f7486eb7bcd691664669b

SHA1
0be0eb4afb44c300b16181ffb981db5d2e6563e8

SHA256
3369ac2d9926df9466c914d7bafae58764696319b1584f9f83202267db0f8799

SHA512
5d9ec62e9872989b928f4372fe35a4fec4ab6ae308a2d0191b487cfa1bdca276bb5ac54c7d3ba59d081128dcfb40252e40089e03ca4600ee428714a322628d14

Download Submit
memory/1136-32-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/1640-16-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1640-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-30-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/2484-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2524-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-983-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-1852-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-2555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-3312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download