Analysis
  max time kernel: 217s
  max time network: 232s
  platform: windows10-2004_x64
  resource: win10v2004-20230915-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/10/2023, 17:46
Static task
  static1
Behavioral task
  behavioral1
    Sample: 038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe
    Resource: win7-20230831-en
Behavioral task
  behavioral2
    Sample: 038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe
    Resource: win10v2004-20230915-en
General
  Target: 038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe
  Size: 239KB
  MD5: 31bddc60c9daeebd1efd4170d02a02a8
  SHA1: c68ffa75a7700406caa50131e785f622d354403c
  SHA256: 038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045
  SHA512: fd40f3c18dc0a6493dae65c34626e4516d1fc012fd89840ffef7732ca590ce7c762233d59a128ebaaa00fb1490165b04a82429ec988f0ecd958d9691b32fe09f
  SSDEEP: 3072:+bftffjmNbqcVz5fzsTl4dsOc6v2vTzwU+Pho86meq+FaSoB2+vSHrX:aVfjmNecT93PiY+Fa7BdvGX
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  4796  Logo1_.exe
  4584  038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Process: Logo1_.exe
  Action: File opened (read-only) on the root of each of the following drive letters:
    \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops file in Program Files directory (64 IoCs)
  Process for every entry: Logo1_.exe

  File created (15):
    C:\Program Files\_desktop.ini
    C:\Program Files\7-Zip\Lang\_desktop.ini
    C:\Program Files\Google\_desktop.ini
    C:\Program Files\Google\Chrome\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\db\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\db\bin\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\db\lib\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\jre\_desktop.ini
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\include\_desktop.ini
    C:\Program Files\Java\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\_desktop.ini

  File opened for modification (49):
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe
    C:\Program Files\7-Zip\7zFM.exe
    C:\Program Files\Google\Chrome\Application\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\_desktop.ini
    C:\Program Files\Google\Chrome\_desktop.ini
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe
    C:\Program Files\7-Zip\7z.exe
    C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\bin\java.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe
    C:\Program Files\Java\jdk1.8.0_66\db\lib\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe
    C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\_desktop.ini
    C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

  Note: every executable in the list is opened for modification, not merely read, and a _desktop.ini is written into each directory Logo1_.exe visits. Treat every listed .exe (7-Zip, Chrome, the JDK tools) as possibly altered and compare its hash with a known-good copy before trusting it; the _desktop.ini files mark which directories were processed.
Drops file in Windows directory (4 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\Logo1_.exe    038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created                  C:\Windows\vDll.dll      Logo1_.exe
  File created                  C:\Windows\rundl132.exe  038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe

  Note: "rundl132.exe" (digit one, not a lowercase L) imitates the name of the legitimate rundll32.exe, and all three files sit directly in C:\Windows rather than in System32. These three paths are the host artifacts to sweep for.
Runs net.exe
  Observed command (see Processes): net stop "Kingsoft AntiVirus Service", issued by Logo1_.exe.
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   Process
  4796  Logo1_.exe  (all 20 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
  writer PID  writer Process                                                          target PID  target Process   entries  procid_target
  1808        038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe  1708        cmd.exe          3        86
  1808        038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe  4796        Logo1_.exe       3        87
  4796        Logo1_.exe                                                              1156        net.exe          3        88
  1156        net.exe                                                                 2220        net1.exe         3        90
  1708        cmd.exe                                                                 4584        038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe  3        92
  4796        Logo1_.exe                                                              3172        Explorer.EXE     2        43

  Target process names are taken from the Processes section. Every row except the last coincides with a parent writing into a child it has just started, which matches the tree below; the last row, Logo1_.exe (4796) writing into Explorer.EXE (3172), is a write into an already-running, unrelated process (the desktop shell) and is the entry to investigate first.
Processes
  C:\Windows\Explorer.EXE (PID 3172)
    command line: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe (PID 1808)
      command line: "C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 1708)
        command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aED39.bat
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe (PID 4584)
          command line: "C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe"
          - Executes dropped EXE
      C:\Windows\Logo1_.exe (PID 4796)
        command line: C:\Windows\Logo1_.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe (PID 1156)
          command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\net1.exe (PID 2220)
            command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

  Notes on the tree:
  - Explorer.EXE (3172) is the desktop shell; it heads the tree and is the process Logo1_.exe later writes into (see WriteProcessMemory above).
  - The submitted sample (1808) drops C:\Windows\Logo1_.exe and C:\Windows\rundl132.exe, then launches Logo1_.exe and, through cmd.exe, a batch file from Temp.
  - The copy re-launched as PID 4584 sits at the same path as the submitted file but is listed under Downloads with a different size and hash (213KB, SHA256 4653df...) from the submitted sample (239KB, SHA256 038b...): the file at that path was a different binary by the time cmd.exe re-ran it. The 4584 instance shows none of the signatures that 1808 and 4796 trigger.
  - The "net stop" targets a named antivirus service; on a host without that product the command fails harmlessly, so absence of an error is not evidence the service existed.
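Added example, not part of the Triage report: a small Python detector that rebuilds a process tree from process-creation records and flags the three behaviours the tree above shows (net.exe/net1.exe/sc.exe stopping a service whose name marks it as security software, a binary in the C:\Windows root started by a process running from a user-writable directory, and cmd.exe /c running a batch file from Temp). The event records are constructed by hand from the Processes section; the pid/ppid/image/cmdline field names and the SECURITY_WORDS and USER_WRITABLE lists are assumptions to be adapted to real telemetry (Sysmon event 1, EDR process events), not a Triage schema.

```python
"""Rebuild a process tree from creation events and flag the chain seen in
this report.  Added example; event records below are constructed by hand
from the report's Processes section, not real telemetry."""
import ntpath
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe")

# Constructed from the report's process tree (pid, ppid, image, cmdline are assumed field names).
EVENTS = [
    {"pid": 3172, "ppid": 0,    "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1808, "ppid": 3172, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1708, "ppid": 1808, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aED39.bat"},
    {"pid": 4584, "ppid": 1708, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4796, "ppid": 1808, "image": r"C:\Windows\Logo1_.exe", "cmdline": r"C:\Windows\Logo1_.exe"},
    {"pid": 1156, "ppid": 4796, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 2220, "ppid": 1156, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
]

NET_TOOLS = {"net.exe", "net1.exe", "sc.exe"}
# Assumed vocabulary for "this service is security software"; extend per environment.
SECURITY_WORDS = ("antivirus", "anti-virus", "defender", "endpoint", "security")
STOP_RE = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
WINDOWS_ROOT = r"c:\windows"
# Assumed set of user-writable path fragments (lower-case, backslash-separated).
USER_WRITABLE = ("\\appdata\\local\\temp", "\\users\\public", "\\programdata")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    chain: str  # root -> flagged process, by image basename


def _base(path):
    return ntpath.basename(path)


def _dir(path):
    return ntpath.dirname(path).lower()


def chain_for(events, pid):
    """Follow ppid links back to the root; returns basenames root-first."""
    by_pid = {e["pid"]: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        names.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(names))


def stops_security_service(ev):
    """net/net1/sc stopping a service whose name contains a security keyword."""
    if _base(ev["image"]).lower() not in NET_TOOLS:
        return False
    m = STOP_RE.search(ev["cmdline"])
    return bool(m) and any(w in m.group(1).lower() for w in SECURITY_WORDS)


def windows_root_from_user_path(ev, parent):
    """Binary directly in C:\\Windows whose parent runs from a user-writable dir (heuristic)."""
    if _dir(ev["image"]) != WINDOWS_ROOT or parent is None:
        return False
    return any(marker in _dir(parent["image"]) for marker in USER_WRITABLE)


def cmd_runs_temp_batch(ev):
    """cmd.exe /c <something>\\Temp\\<name>.bat"""
    return (_base(ev["image"]).lower() == "cmd.exe"
            and re.search(r"/c\s+\S*\\temp\\[^\s]+\.bat\b", ev["cmdline"], re.IGNORECASE) is not None)


def analyze(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        chain = " -> ".join(chain_for(events, ev["pid"]))
        if stops_security_service(ev):
            findings.append(Finding("stops security service", ev["pid"], chain))
        if windows_root_from_user_path(ev, parent):
            findings.append(Finding("Windows-root binary launched from user-writable path", ev["pid"], chain))
        if cmd_runs_temp_batch(ev):
            findings.append(Finding("cmd.exe runs batch file from Temp", ev["pid"], chain))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.chain}")
```

Run against the constructed events it reports four findings: PIDs 1156 and 2220 for the service stop, 4796 for the Windows-root launch, 1708 for the batch file, each with its full ancestry so an analyst sees the dropped Logo1_.exe between the sample and net.exe. Explorer.EXE, also in the Windows root, is not flagged because it has no parent in the record set.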
Network
MITRE ATT&CK Enterprise v15
Downloads
  (no path recorded)
    Filesize: 484KB
    MD5: 94b66f3e099a5bb2a3297cc3f19b690c
    SHA1: 0ed7175bdae8352a8eb620992ecb941bbae1cad5
    SHA256: d50279ea1ed42b86655de9303d76abebddf8cbe07844939fe42323ab1bf8b1e0
    SHA512: 29e32824099d66b94a449e1fb9168802c9dac0d08d6648fa0272a89331adcd7946cd843d25b88eca056577cd7fc22fa35e823e4c9008894a2c82607df56bb2b7

  (no path recorded)
    Filesize: 722B
    MD5: a984c5470afc6dcf08f11b3f01aa7e95
    SHA1: c82c1203aa5350ff2a0cccb63162d524fedeb0f0
    SHA256: 277694517ee6b344d674b14ca4c2dd0b7718b85962bc2f2124c6f89f8962f933
    SHA512: 13e16e04ef835e1656ac2627fa1aa9aa49b87891684429b2383fa2e1f992d5e9416e713e07b2e3fffc757329a040143f0864e9a4e5e4c96889d465d31cdbcb85

  C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe
    Filesize: 213KB
    MD5: 20d89d1781cde87db3a8b59da816efcc
    SHA1: 4f6670c4dcd8d978b21d1db91e081e609f5abcd0
    SHA256: 4653df6eb852f717ac03d5ecdfdd5e1e2c1ac70b012049f1188e0e7d5b5f8983
    SHA512: 7b03a2e2c5f94a3e6164e160e3346cf0e8247471c48858dad9747dc17c8bccd20caaf2ea9f15d7e6be3e633a01536caefdeff6b384c4448c861f1e5a5ff6cf0e

  C:\Users\Admin\AppData\Local\Temp\038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045.exe.exe
    Filesize: 213KB
    MD5: 20d89d1781cde87db3a8b59da816efcc
    SHA1: 4f6670c4dcd8d978b21d1db91e081e609f5abcd0
    SHA256: 4653df6eb852f717ac03d5ecdfdd5e1e2c1ac70b012049f1188e0e7d5b5f8983
    SHA512: 7b03a2e2c5f94a3e6164e160e3346cf0e8247471c48858dad9747dc17c8bccd20caaf2ea9f15d7e6be3e633a01536caefdeff6b384c4448c861f1e5a5ff6cf0e

  (no path recorded; listed three times with identical hashes)
    Filesize: 26KB
    MD5: f7b0ab0aff6aad4bf0ccf0f3b127a9fd
    SHA1: 4a66a7d02be22cd152d1b1815e7c9a7bca03c909
    SHA256: 55b1084df5b436dbe01998c2eccceb74f9ef6dad3cbcade949e47d4b340a0365
    SHA512: 214b61c2e57148d152c7be4dc462d0ba617192b3dc6999b8edc0105ab897d286688f8b4ff1d4e0637a40f25f31d75bf83a75d12a392b6ef68d37d3cc8d0f0a92

  (no path recorded)
    Filesize: 10B
    MD5: dbf19ca54500e964528b156763234c1d
    SHA1: 05376f86423aec8badf0adbc47887234ac83ef5a
    SHA256: bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae
    SHA512: fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

  Note: the two Temp entries share one hash and differ from the submitted sample (SHA256 038b..., 239KB); see the Processes section. The entries without a path are dropped files whose location the export did not keep, so match them by hash.
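Added example, not code from the Triage report: a host sweep in Python that walks a directory tree and reports three kinds of artifact this report records, namely files whose SHA256 matches one of the hashes listed above, files named like the three drops under C:\Windows (Logo1_.exe, rundl132.exe, vDll.dll), and _desktop.ini markers together with the executables sitting next to them (the directories Logo1_.exe processed). The hash table is copied from the report; the sample directory layout built by build_sample_tree is constructed for the demonstration and contains placeholder bytes, not the malware. On a real host, run sweep() over C:\ (or a mounted image) instead of the temporary tree.

```python
"""Sweep a directory tree for the artifacts recorded in this report.
Added example; the hash table is copied from the report, the demo tree is
constructed (placeholder bytes, not the real files)."""
import hashlib
import os
import tempfile

# SHA256 values from the report (submitted sample + Downloads section).
REPORT_SHA256 = {
    "038b96de10f5663905674f2c6f7b1166abe1eeebefcf19e7b11bb1f0d9e55045": "submitted sample (239KB)",
    "d50279ea1ed42b86655de9303d76abebddf8cbe07844939fe42323ab1bf8b1e0": "dropped file (484KB)",
    "277694517ee6b344d674b14ca4c2dd0b7718b85962bc2f2124c6f89f8962f933": "dropped file (722B)",
    "4653df6eb852f717ac03d5ecdfdd5e1e2c1ac70b012049f1188e0e7d5b5f8983": "re-launched copy in Temp (213KB)",
    "55b1084df5b436dbe01998c2eccceb74f9ef6dad3cbcade949e47d4b340a0365": "dropped file (26KB)",
    "bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae": "dropped file (10B)",
}
# File names the report shows being created or modified under C:\Windows (compared case-insensitively).
WINDOWS_DROPS = {"logo1_.exe", "rundl132.exe", "vdll.dll"}
MARKER = "_desktop.ini"


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_hashes=None, windows_drops=WINDOWS_DROPS):
    """Return findings as (kind, path, detail) tuples; kind is one of
    'marker', 'dropped-name', 'hash', 'unreadable'."""
    known = REPORT_SHA256 if known_hashes is None else known_hashes
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        marker = next((n for n in files if n.lower() == MARKER), None)
        if marker is not None:
            exes = sorted(n for n in files if n.lower().endswith(".exe"))
            findings.append(("marker", os.path.join(dirpath, marker),
                             f"{len(exes)} executable(s) in same directory: {', '.join(exes) or '-'}"))
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in windows_drops:
                findings.append(("dropped-name", path, "matches a file the sample wrote under C:\\Windows"))
            try:
                digest = sha256_of(path)
            except OSError as exc:        # locked or permission-denied files are reported, not skipped silently
                findings.append(("unreadable", path, str(exc)))
                continue
            if digest in known:
                findings.append(("hash", path, known[digest]))
    return findings


def build_sample_tree(root):
    """Constructed layout mimicking the report's artifacts (placeholder bytes only)."""
    sub = os.path.join(root, "Program Files", "7-Zip")
    os.makedirs(sub)
    with open(os.path.join(sub, "_desktop.ini"), "wb") as f:
        f.write(b"[.ShellClassInfo]\r\n")
    with open(os.path.join(sub, "7z.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)       # not a real PE
    win = os.path.join(root, "Windows")
    os.makedirs(win)
    with open(os.path.join(win, "Logo1_.exe"), "wb") as f:
        f.write(b"MZ")
    with open(os.path.join(root, "note.txt"), "wb") as f:
        f.write(b"hello")


def demo():
    """Build the constructed tree in a temp dir, sweep it, return the findings."""
    known = dict(REPORT_SHA256)
    # note.txt stands in for a file whose hash is already known to the sweep
    known[hashlib.sha256(b"hello").hexdigest()] = "constructed test file"
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sweep(root, known_hashes=known)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:13} {path}  {detail}")
```

The name match on the Windows drops is deliberately independent of the hash match: the report shows rundl132.exe being rewritten by Logo1_.exe after creation, so its content on an infected host need not equal any hash listed here, while a name hit in C:\Windows is itself worth a look.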