49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe
Size

1016KB
MD5

03117ed13fdc04f55c4635cb6abcfcbd
SHA1

a5a95d3a71e7f26f232a2f4fa8f45519a4103f5d
SHA256

49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8
SHA512

85114e9b4b6452b22e3ef5da5ddecae435460ccfab2974899affee9a84aa0510a20afbaea3c0ed47168e06a6a2a9b82f848e57a8057382b088f12b3c2fcacc11
SSDEEP

12288:sRrXcB62E+/E1EbtSf7lJgrOaDnRg0R/NNq+AW+cVQuzHjDjYL1Io:csjc1EWgl1Nw+AWpV/jjK1r

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2532	Logo1_.exe
2772	49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe

Loads dropped DLL 2 IoCs

pid	Process
2924	cmd.exe
2924	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Portable Devices\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe
File created	C:\Windows\Logo1_.exe	49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2532	Logo1_.exe
2532	Logo1_.exe
2532	Logo1_.exe
2532	Logo1_.exe
2532	Logo1_.exe
2532	Logo1_.exe
2532	Logo1_.exe
2532	Logo1_.exe
2532	Logo1_.exe
2532	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2924	3064	49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe	28
PID 3064 wrote to memory of 2924	3064	49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe	28
PID 3064 wrote to memory of 2924	3064	49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe	28
PID 3064 wrote to memory of 2924	3064	49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe	28
PID 3064 wrote to memory of 2532	3064	49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe	29
PID 3064 wrote to memory of 2532	3064	49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe	29
PID 3064 wrote to memory of 2532	3064	49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe	29
PID 3064 wrote to memory of 2532	3064	49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe	29
PID 2532 wrote to memory of 2580	2532	Logo1_.exe	31
PID 2532 wrote to memory of 2580	2532	Logo1_.exe	31
PID 2532 wrote to memory of 2580	2532	Logo1_.exe	31
PID 2532 wrote to memory of 2580	2532	Logo1_.exe	31
PID 2924 wrote to memory of 2772	2924	cmd.exe	33
PID 2924 wrote to memory of 2772	2924	cmd.exe	33
PID 2924 wrote to memory of 2772	2924	cmd.exe	33
PID 2924 wrote to memory of 2772	2924	cmd.exe	33
PID 2580 wrote to memory of 2452	2580	net.exe	34
PID 2580 wrote to memory of 2452	2580	net.exe	34
PID 2580 wrote to memory of 2452	2580	net.exe	34
PID 2580 wrote to memory of 2452	2580	net.exe	34
PID 2532 wrote to memory of 1064	2532	Logo1_.exe	18
PID 2532 wrote to memory of 1064	2532	Logo1_.exe	18

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1064
- C:\Users\Admin\AppData\Local\Temp\49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe
  "C:\Users\Admin\AppData\Local\Temp\49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a898.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe
      "C:\Users\Admin\AppData\Local\Temp\49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe"
      4⤵
      Executes dropped EXE
      PID:2772
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
c9d03bbcd10b0e801fc367b5a0efcfc9

SHA1
d2f24b48444d8020ae89823e1ea6d6596c8cecc6

SHA256
638eb33caa438a65283e3ce3be65625b06622bbcc82a2462192a2ab34099e8ce

SHA512
78105bfb8afd7c92e2b58bf87a1850a458f5de40bf2e2995e261c632c7c918158647c68bb69454095b8e3e0661561337d537e2e1f7fdbc0aee9e1055a3c2548c

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
6ca6d9b69c2d9a62bf240384eda33b7d

SHA1
5e35d35505a4e1db59f56b23e050aa311bd8f6cb

SHA256
cf2a3ebe3ccdf9bb78d18eb86989ff49666d01961c24c8114172a83a758550c6

SHA512
26b6671ede6a2e3f20f9b8b16bec0db866484f637b3984d49fc8002da1061b04619edeb5c0ef96da9ff0cfc3f6c24e2becdf0f5d81eb96f551d287c973a4ff6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a898.bat

Filesize
721B

MD5
616b602cc65f2f6ad17ac5a61e4fab99

SHA1
353cdfd4d3aece1b47dbd98b5314efa94020f445

SHA256
6fafa07e17d7fbab8fdef2ed8b3671914b52b97b3f7970e61256329e624abbeb

SHA512
883ed4d64f97a42c75e7d5d1d9f55ac2501a3babdf3263dd8b0a9a201fa511438f7c14c3fe0232fb8ca48acd33c9321cc863e3b60bdc29c963fbc1d8722d3c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\49baa78921418d08ca49fd808b9ab9916fd90f353e9c709df17ca36ddeecf6c8.exe.exe

Filesize
987KB

MD5
3d194286d43f9589f5caa7ada1408e89

SHA1
17587fc5df6c6926a37753a584adb26e6a47760e

SHA256
15a188e3b2ddac28860f4dc8132db282e883ab6880b09f3ad1f150ba5c61b9c3

SHA512
a99c98f8cb386708f76e82348e83bb2be23f38236d597642eb6753030585c96736575a15a4104d39a4ccc3c56e2d888c7b0b2276b47a505f0ec04f8c05b68597

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
13cb5c936526fdd9214907187330462e

SHA1
2d888b3ab837034f725be36681d9e96d8c698353

SHA256
37b8a2d02981de0ebd1837dd624f96d12eb8dbf14fe6648e6322da5463203c47

SHA512
a09ad1a94183b04ed91a7a363031ffc34963d33b09357bf068c142ef561e20fef74fe9e04f34caa129d853c9a49c280b2bd457bcdf374fa748eaddf6fcbf7cea

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

Filesize
8B

MD5
5979a5ab5d6ce7068aff133101a79c52

SHA1
8ec7729d3782fc978cc50f9b3217fc8309ae7733

SHA256
6b009cde89047fc55503dc0b3649d341e98320a0438d044bc8fb068d0c919ef1

SHA512
213c10a6b5b394b2736619ed0418ba715e643dfa08b5827757dd64b1718ddec6a44822ff4b192bd594997cc13bc2027d03c029537ed2f12591b370ec1f242f2d

Download Submit
memory/1064-36-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/2532-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-3318-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-1858-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-726-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-2390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-53-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2532-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-34-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2772-32-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2924-29-0x00000000022A0000-0x0000000002374000-memory.dmp

Filesize
848KB

Download
memory/2924-30-0x00000000022A0000-0x0000000002374000-memory.dmp

Filesize
848KB

Download
memory/3064-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-17-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download