Analysis
max time kernel: 138s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/10/2023, 13:57
Static task: static1
Behavioral task behavioral1
Sample: cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe
Resource: win7-20230831-en
Behavioral task behavioral2 (this report; platform and resource above match it)
Sample: cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe
Resource: win10v2004-20230915-en
General
Target: cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe
Size: 310KB
MD5: 2489375ecfdf8a8812f3a48a93bf62ae
SHA1: f70daba692854f24e6a6a7bfd6b6cd710ef62fcd
SHA256: cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232
SHA512: 4a85b35485d032c02d071714aa37c03192616b54e4f0ccc6a78e2938f585cda810baa8f65cbd216c2f5cff37921c72af2a910e1447df950c6b29a2b1d4fbf7fd
SSDEEP: 6144:kVfjmNyEq64tWRYCjhOhn7n4T5Bblt5RSZhlMIoEPsK:m7+yQhC7i5BtR0oEPsK
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid 4940 Logo1_.exe
pid 2548 cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 21 IoCs are "File opened (read-only)" by Logo1_.exe, in this order:
\??\Z:, \??\V:, \??\Q:, \??\P:, \??\M:, \??\J:, \??\E:, \??\S:, \??\O:, \??\L:, \??\I:, \??\Y:, \??\X:, \??\K:, \??\G:, \??\W:, \??\U:, \??\T:, \??\R:, \??\N:, \??\H:
Drops file in Program Files directory 64 IoCs
Process for every entry: Logo1_.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\_desktop.ini
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\_desktop.ini
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\_desktop.ini
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
File opened for modification C:\Program Files\WindowsPowerShell\Modules\_desktop.ini
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe
File created C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\_desktop.ini
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\_desktop.ini
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini
File created C:\Program Files\Google\Chrome\Application\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\_desktop.ini
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini
File opened for modification C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en\_desktop.ini
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\_desktop.ini
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\_desktop.ini
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini
File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\_desktop.ini
File created C:\Program Files\WindowsPowerShell\Modules\_desktop.ini
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\_desktop.ini
File created C:\Program Files\Java\jre1.8.0_66\lib\cmm\_desktop.ini
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\_desktop.ini
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\_desktop.ini
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini
Drops file in Windows directory 4 IoCs
File created C:\Windows\rundl132.exe by cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe
File created C:\Windows\Logo1_.exe by cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe
File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
File created C:\Windows\vDll.dll by Logo1_.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid 4940 Logo1_.exe (all 20 IoCs)
Suspicious use of SetWindowsHookEx 2 IoCs
pid 2548 cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe (both IoCs)
Suspicious use of WriteProcessMemory 17 IoCs
Columns: writer PID -> target PID, writer process, procid_target, number of identical rows
PID 2848 wrote to memory of 4764, cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe, procid_target 84, 3 rows
PID 2848 wrote to memory of 4940, cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe, procid_target 85, 3 rows
PID 4940 wrote to memory of 1224, Logo1_.exe, procid_target 86, 3 rows
PID 1224 wrote to memory of 4452, net.exe, procid_target 88, 3 rows
PID 4764 wrote to memory of 2548, cmd.exe, procid_target 90, 3 rows
PID 4940 wrote to memory of 768, Logo1_.exe, procid_target 30, 2 rows
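The signature matches above are Triage's own. As an added example that is not part of this report, the Python below re-derives the same behavioural verdicts as plain rules over a hand-constructed event list. The paths, PIDs and command lines are copied from the IoC tables on this page; the event tuple layout, the rule names and the thresholds are this example's assumptions and not Triage's export format.

```python
import re
from collections import defaultdict

# Constructed sample events: (pid, image, action, detail). Values come from the
# report's IoC tables; the tuple layout is this example's own convention.
SAMPLE = "cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe"
EVENTS = [
    (2848, SAMPLE, "file_create", r"C:\Windows\rundl132.exe"),
    (2848, SAMPLE, "file_create", r"C:\Windows\Logo1_.exe"),
    (4940, "Logo1_.exe", "file_create", r"C:\Windows\vDll.dll"),
    (4940, "Logo1_.exe", "file_modify", r"C:\Windows\rundl132.exe"),
    (4940, "Logo1_.exe", "file_modify", r"C:\Program Files\Mozilla Firefox\crashreporter.exe"),
    (4940, "Logo1_.exe", "file_modify", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe"),
    (4940, "Logo1_.exe", "file_create", r"C:\Program Files\Google\Chrome\Application\_desktop.ini"),
    (4940, "Logo1_.exe", "file_create", r"C:\Program Files\WindowsPowerShell\Modules\_desktop.ini"),
    (4940, "Logo1_.exe", "file_create", r"C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini"),
    (4940, "Logo1_.exe", "file_create", r"C:\Program Files\Java\jre1.8.0_66\lib\cmm\_desktop.ini"),
    (4940, "Logo1_.exe", "file_create", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\_desktop.ini"),
    (4940, "Logo1_.exe", "file_open_ro", r"\??\Z:"),
    (4940, "Logo1_.exe", "file_open_ro", r"\??\V:"),
    (4940, "Logo1_.exe", "file_open_ro", r"\??\E:"),
    (4940, "Logo1_.exe", "file_open_ro", r"\??\H:"),
    (4764, "cmd.exe", "process_create", r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD38C.bat"),
    (1224, "net.exe", "process_create", 'net stop "Kingsoft AntiVirus Service"'),
    (4452, "net1.exe", "process_create", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

# An executable or DLL written directly into C:\Windows (not a subdirectory).
WINDOWS_ROOT_BINARY = re.compile(r"^C:\\Windows\\[^\\]+\.(exe|dll)$", re.I)
PROGRAM_FILES = re.compile(r"^C:\\Program Files( \(x86\))?\\", re.I)
# Native drive-root opens look like \??\Z: in the report.
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")
# net / net1 stopping anything that looks like a security product.
AV_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+.*(anti[ -]?virus|defender|security)", re.I)
# cmd.exe /c running a batch file out of the user's Temp directory.
TEMP_BAT = re.compile(r"cmd(?:\.exe)?\s+/c\s+.*\\Temp\\\S+\.bat", re.I)


def evaluate(events, ini_threshold=5, drive_threshold=3):
    """Return {pid: sorted rule names} for every pid that tripped a rule."""
    hits = defaultdict(set)
    ini_writes = defaultdict(int)   # pid -> _desktop.ini files created under Program Files
    drives = defaultdict(set)       # pid -> non-C drive letters opened
    for pid, _image, action, detail in events:
        low = detail.lower()
        if action in ("file_create", "file_modify") and WINDOWS_ROOT_BINARY.match(detail):
            hits[pid].add("writes_exe_or_dll_in_windows_root")
        if action == "file_create" and PROGRAM_FILES.match(detail) and low.endswith(r"\_desktop.ini"):
            ini_writes[pid] += 1
        if action == "file_modify" and PROGRAM_FILES.match(detail) and low.endswith(".exe"):
            hits[pid].add("modifies_exe_in_program_files")
        if action == "file_open_ro":
            m = DRIVE_ROOT.match(detail)
            if m and m.group(1).upper() != "C":
                drives[pid].add(m.group(1).upper())
        if action == "process_create":
            if AV_STOP.search(detail):
                hits[pid].add("stops_av_service")
            if TEMP_BAT.search(detail):
                hits[pid].add("cmd_runs_temp_bat")
    for pid, n in ini_writes.items():
        if n >= ini_threshold:
            hits[pid].add("desktop_ini_spray_in_program_files")
    for pid, letters in drives.items():
        if len(letters) >= drive_threshold:
            hits[pid].add("enumerates_non_c_drives")
    return {pid: sorted(rules) for pid, rules in hits.items()}


def most_suspicious(events):
    """The pid with the largest number of distinct rule hits."""
    hits = evaluate(events)
    return max(hits, key=lambda pid: (len(hits[pid]), -pid))


if __name__ == "__main__":
    for pid, rules in sorted(evaluate(EVENTS).items()):
        print(pid, ", ".join(rules))
    print("most suspicious pid:", most_suspicious(EVENTS))
```

The thresholds are deliberately low so the constructed subset trips them; on real telemetry the `_desktop.ini` and drive-letter counters need tuning against normal installer and backup activity, while the `net stop` and Windows-root binary rules are specific enough to alert on directly.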
Processes
(indentation shows the parent/child relationship; depth 1 is the root)

C:\Windows\Explorer.EXE (PID 768)
  Command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe (PID 2848)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4764)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD38C.bat
      Signatures: Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe (PID 2548)
        Command line: "C:\Users\Admin\AppData\Local\Temp\cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    C:\Windows\Logo1_.exe (PID 4940)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 1224)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 4452)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
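Reading the WriteProcessMemory rows against this tree separates two very different things that share one signature name: a parent writing into a child it has just spawned (the rows for cmd.exe, net.exe, net1.exe and the two sample copies, three rows each) and Logo1_.exe (4940) writing into Explorer.EXE (768), which is its grandparent, not its child. Only the second is a cross-process injection candidate. As an added example that is not part of this report, the Python below performs that split over a process table and a write list constructed from the page; the "child / ancestor / unrelated" labels and the record layout are this example's assumptions.

```python
from collections import Counter

# Process tree reconstructed from the report's Processes section: pid -> (image, parent pid).
SAMPLE = "cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe"
PROCESSES = {
    768: ("Explorer.EXE", None),
    2848: (SAMPLE, 768),
    4764: ("cmd.exe", 2848),
    2548: (SAMPLE, 4764),
    4940: ("Logo1_.exe", 2848),
    1224: ("net.exe", 4940),
    4452: ("net1.exe", 1224),
}

# One (writer, target) pair per "wrote to memory of" row in the report,
# including the repeated rows, so the collapse step below is exercised.
WRITES = (
    [(2848, 4764)] * 3 + [(2848, 4940)] * 3 + [(4940, 1224)] * 3
    + [(1224, 4452)] * 3 + [(4764, 2548)] * 3 + [(4940, 768)] * 2
)


def ancestors(processes, pid):
    """Yield parent, grandparent, ... of pid up to the root."""
    parent = processes[pid][1]
    while parent is not None:
        yield parent
        parent = processes[parent][1]


def relationship(processes, writer, target):
    """How the target of a memory write relates to the writer in the tree."""
    if processes[target][1] == writer:
        return "child"
    if target in ancestors(processes, writer):
        return "ancestor"
    return "unrelated"


def classify_writes(processes, writes):
    """Collapse repeated rows, then split writes into the expected case (a parent
    writing into a child it created, which is what process start-up looks like in
    API-hook logs) and injection candidates (writes into any other process)."""
    expected, candidates = [], []
    for (writer, target), rows in sorted(Counter(writes).items()):
        rel = relationship(processes, writer, target)
        record = {
            "writer": f"{processes[writer][0]} ({writer})",
            "target": f"{processes[target][0]} ({target})",
            "rows": rows,
            "relationship": rel,
        }
        (expected if rel == "child" else candidates).append(record)
    return expected, candidates


if __name__ == "__main__":
    expected, candidates = classify_writes(PROCESSES, WRITES)
    print(f"{len(expected)} parent-to-child write groups (expected)")
    for rec in candidates:
        print("injection candidate:", rec)
```

On a live host the same split can be applied to Sysmon Event ID 8 (CreateRemoteThread) or 10 (ProcessAccess) data, with the process tree built from Event ID 1; the point is that the relationship between writer and target, not the API name, is what makes the row interesting.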
Network
MITRE ATT&CK Enterprise v15
Downloads

(no path recorded)
Filesize: 484KB
MD5: 6d0d6bbb57eb0f29aacb6ae570e7b28f
SHA1: 532b00bd05d4e74f91db12543d6e88c5e694d82a
SHA256: 2347022384d8581c875b5d41f8e96e2a16ca6e9a73bbb6f770924722d949c416
SHA512: 8814fb1397cd4e647f553152fe2d8297bbcd9708a45aa2f1d35049855fe89dfec2c9683695fe02605db6b20e9caa5e2aebcfa4499a2a96cc9b6f6b845fb2ee25

(no path recorded)
Filesize: 722B
MD5: ff38013164a8312d89f4f77192094c46
SHA1: b0a9f2f5323055962a1e44a150219a8f5baa4ed9
SHA256: 6d7a473abdd4012a1aab46cc4df0ac19e2982716a14ade68c2f31d39593bf45d
SHA512: a6c5b7fe65ada43c78ea06d3a929afa8e890dcf40f2c415bf78cc98c0df171654cb0007cf331fc234caad6f15a004b2f2639224b5741fb7f5323a7dc5a39849f

C:\Users\Admin\AppData\Local\Temp\cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe
Filesize: 284KB
MD5: db474d3a9ba1c0d73820bdd68b4ffcc0
SHA1: 231ebf1696f15152b94030e62c0d3d3a3cbc884f
SHA256: e1f802890faf1ea6b8136ab1536bfd94d0ee221370e9213df85140b58a8be165
SHA512: 847ad4103e50d41fbe13e82eafc0b6a904bde05cf770c80f4356c2f0d418c6f1a5fc195a03649b551f030cf7c5177d5db192debc2545abed1c432f1e56c0765d

C:\Users\Admin\AppData\Local\Temp\cf63e09f3f0b9d566d26ab408d868ee8721b8062e99e832542be4dc7f2a72232.exe.exe
Filesize: 284KB
MD5: db474d3a9ba1c0d73820bdd68b4ffcc0
SHA1: 231ebf1696f15152b94030e62c0d3d3a3cbc884f
SHA256: e1f802890faf1ea6b8136ab1536bfd94d0ee221370e9213df85140b58a8be165
SHA512: 847ad4103e50d41fbe13e82eafc0b6a904bde05cf770c80f4356c2f0d418c6f1a5fc195a03649b551f030cf7c5177d5db192debc2545abed1c432f1e56c0765d

(no path recorded; the same 26KB file is listed three times in the report)
Filesize: 26KB
MD5: fdc7e51ff8752125309e31c936ec4915
SHA1: 27b2025690e916335f77af39a93a43427e440882
SHA256: c30125ebe9c5a24363ddc0a430f52a78f6e3e171ec2d041d977f08b5077a429c
SHA512: 43eeef47306514417d5e84b79095a61970e1dcd09551df624d38dacbd1fbc3c1abba7639a577ec671d41b30576b3f3690f81e427e4e8201e30e1e2af611cd13a

(no path recorded)
Filesize: 10B
MD5: 3fa5f43b227b96d6334e4649982d21b7
SHA1: aaca225fe44f532099d2d7d7b00d80ebc3dd003b
SHA256: d8fdb800da5ad9cc8b64df32df8c6006127fb46c590ee39f84bfd8b4f8912358
SHA512: 2bf18238a4b94cb61fdd22c61007bc5cbb7fc712b69685cc03efc548622dc365f07159a6599192b1aed0c2ffa9911fbeb321323f7bf24c8706d52adff07e432e