Analysis
Max time kernel: 163s
Max time network: 172s
Platform: windows10-2004_x64
Resource: win10v2004-20230915-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12/10/2023, 17:18
Static task: static1
Behavioral task: behavioral1
  Sample: 182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
  Resource: win10v2004-20230915-en
General
Target: 182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
Size: 50KB
MD5: 04b91c8721fd1d2ae1d20328d0787628
SHA1: a29a19c768ed04890c3394b179b063e0c8193e1e
SHA256: 182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee
SHA512: 7cf1872a0c5b17de367ab37fe4be0523f69492ac7616639d492a0e84fc925a00ed153d5d1f12428cde9d7bc57ad7864a18c42568271a6eb8a545a71487e25bb7
SSDEEP: 768:1Hcp1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLjdzbXjQLiaeB949rwXkAwQ6Ufn:YfgLdQAQfcfymN/ZXkWS9rwXkjUfn
Signatures

Executes dropped EXE (2 IoCs)
pid   Process
4632  Logo1_.exe
5016  182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description                   ioc                      Process
File created                  C:\Windows\rundl132.exe  182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
File created                  C:\Windows\Logo1_.exe    182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created                  C:\Windows\vDll.dll      Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid   Process
4632  Logo1_.exe  (the same entry is listed 20 times)
Suspicious use of WriteProcessMemory (17 IoCs)
description                       pid   Process                                                                 procid_target
PID 2452 wrote to memory of 1348  2452  182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe  84  (listed 3 times)
PID 2452 wrote to memory of 4632  2452  182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe  86  (listed 3 times)
PID 4632 wrote to memory of 2092  4632  Logo1_.exe                                                              87  (listed 3 times)
PID 1348 wrote to memory of 5016  1348  cmd.exe                                                                 89  (listed 3 times)
PID 2092 wrote to memory of 544   2092  net.exe                                                                 90  (listed 3 times)
PID 4632 wrote to memory of 3164  4632  Logo1_.exe                                                              40  (listed 2 times)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3164
   2. C:\Users\Admin\AppData\Local\Temp\182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe"
      Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
      PID: 2452
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a751B.bat
         Signatures: Suspicious use of WriteProcessMemory
         PID: 1348
         4. C:\Users\Admin\AppData\Local\Temp\182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\182f83b9d943d4c7a5a80cc457035405270e23644616baf0def200995446c3ee.exe"
            Signatures: Executes dropped EXE
            PID: 5016
      3. C:\Windows\Logo1_.exe
         Command line: C:\Windows\Logo1_.exe
         Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
         PID: 4632
         4. C:\Windows\SysWOW64\net.exe
            Command line: net stop "Kingsoft AntiVirus Service"
            Signatures: Suspicious use of WriteProcessMemory
            PID: 2092
            5. C:\Windows\SysWOW64\net1.exe
               Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
               PID: 544
Downloads