50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 15:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe
Size

522KB
MD5

e17b6b6f7937580c8dc8d090142ef388
SHA1

73af51ecb513bf54607fac2f52c00977e8644744
SHA256

50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97
SHA512

a7a28596f253662dc52ac95ec961c05dee398832896707d5d177093bd61cb38d432aa2c005221c0edde4074d3b57160f82a206b6d1544c4c67374a1b4fc51120
SSDEEP

12288:GIpa5aalihAQVTZmMFvH/K1J7iaVe9891odTJv0Oi/IqpDLQ9D7310iPfhj6B/7Y:GIzxmJaTJM/Ikc10iHhj6BdAGbk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2924	Logo1_.exe
2512	50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe

Loads dropped DLL 1 IoCs

pid	Process
2932	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	Logo1_.exe
File created	C:\Program Files\Windows Journal\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe
File created	C:\Windows\Logo1_.exe	50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe
2924	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2932	2268	50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe	28
PID 2268 wrote to memory of 2932	2268	50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe	28
PID 2268 wrote to memory of 2932	2268	50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe	28
PID 2268 wrote to memory of 2932	2268	50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe	28
PID 2268 wrote to memory of 2924	2268	50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe	30
PID 2268 wrote to memory of 2924	2268	50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe	30
PID 2268 wrote to memory of 2924	2268	50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe	30
PID 2268 wrote to memory of 2924	2268	50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe	30
PID 2924 wrote to memory of 2664	2924	Logo1_.exe	31
PID 2924 wrote to memory of 2664	2924	Logo1_.exe	31
PID 2924 wrote to memory of 2664	2924	Logo1_.exe	31
PID 2924 wrote to memory of 2664	2924	Logo1_.exe	31
PID 2932 wrote to memory of 2512	2932	cmd.exe	34
PID 2932 wrote to memory of 2512	2932	cmd.exe	34
PID 2932 wrote to memory of 2512	2932	cmd.exe	34
PID 2932 wrote to memory of 2512	2932	cmd.exe	34
PID 2664 wrote to memory of 2552	2664	net.exe	33
PID 2664 wrote to memory of 2552	2664	net.exe	33
PID 2664 wrote to memory of 2552	2664	net.exe	33
PID 2664 wrote to memory of 2552	2664	net.exe	33
PID 2924 wrote to memory of 1200	2924	Logo1_.exe	21
PID 2924 wrote to memory of 1200	2924	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe
  "C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8B8D.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe
      "C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe"
      4⤵
      Executes dropped EXE
      PID:2512
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
0ade624ff15070cf156e6ed6f017c8c8

SHA1
34bc8312a862e5712d2882174857cd7bf6cdaa27

SHA256
4a24bde816eee011a6ac9f397a89300b161eb1bce1905fb14128731d096ee8e0

SHA512
13c6afbc73b1f436bca8e15bf8c77fc26ef2df79b01f8c6937b6da7639d368f34064057a88d3261866eb06a7514412322fd093620c5931641ca3376cf0e9e02e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
b8bebb43c19eb2fd80dd7e89c855b564

SHA1
8cfe1e082e035c32f8875995b007b5ab56b2ee0e

SHA256
6f4198f11d1902681e0af068a18a2d13fcf8211c35cd91c082777e912865e15b

SHA512
7995e79ecf24f803a407f2121c90b16e7d9ab94daa451a0e571cc8d7258287c21bd12ef65faa6b407a0583e04b08d2f2956c0dbf6000941ee44b655b4c147fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8B8D.bat

Filesize
722B

MD5
71fca96b912d942d5d45a52f79daf0c3

SHA1
959ee27345577d1a955307fa12db5debac71f88d

SHA256
4f11b1f6cb39d55a88d1cbecf6c0062d7a9074ca2bc6a9d501c7600e7001923c

SHA512
21200ab78d59d9d74c013341093f322be7ba38165399a535bec91841c5f6b8b5c5026ebfda051f020dd9b1923483a56b481db55231de3bc4077043fcdabd831c

Download Submit
C:\Users\Admin\AppData\Local\Temp\50a9ef582dd6fea0c43b743f6f2544d96b2fbcccb5e575ccca0deff79a7bbf97.exe.exe

Filesize
492KB

MD5
d7d385f74966bfd5ee2214243aaa5b93

SHA1
67ff52e9e7b4e5c63c724a8a44c147fe27142a8e

SHA256
90a891221dfc24ca4531976b0454889d11f37480c52f279df3c9b58494eb7f3d

SHA512
6a29f29c28ff63f947a8ed30b2faa89cdb61662feac0138a411b2ad9184efef6091570146f0773ff23df671001d72665379871de1d102392537225b1800ce792

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
473711bbfb07bfa8d48f90ce5cd98722

SHA1
078cf218ab0c51df8df4bd794960076984f99a55

SHA256
b84f8bd547c5b90053c1f19ab8e22891910c386a8289b558e1a60690c3a09aa9

SHA512
d84f7bc7f264baa68751752f2f10ea3f15d9118e81b5035a346b23419e46287641f9bd026087181235be03314850d85aeb04a6106df8e02ddf2ada36644b5935

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

Filesize
9B

MD5
b2c5a70d0c0f7486eb7bcd691664669b

SHA1
0be0eb4afb44c300b16181ffb981db5d2e6563e8

SHA256
3369ac2d9926df9466c914d7bafae58764696319b1584f9f83202267db0f8799

SHA512
5d9ec62e9872989b928f4372fe35a4fec4ab6ae308a2d0191b487cfa1bdca276bb5ac54c7d3ba59d081128dcfb40252e40089e03ca4600ee428714a322628d14

Download Submit
memory/1200-29-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/2268-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2268-16-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2268-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-1849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-3309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download