Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/10/2023, 07:47

Static task: static1

Behavioral task: behavioral1
Sample: 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe
Resource: win10v2004-20231020-en
General
Target: 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe
Size: 116KB
MD5: a625bffbcc9f310a3998ca5ade8f14f4
SHA1: a76829a264359eccc14f4d30db97102234be49e8
SHA256: 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d
SHA512: 1585c30d9b5ae16988c6b1c9ca924bf69b86b2b8b73bc6f235fd7c474db30c5f3628197bae95e22154c8ceaa2a615d950eddd0c580732a2dead218c4572811ec
SSDEEP: 3072:BftffjmN3Jo/FQXy+uc//korlDFtNel3kaIFH/B0CyPvO3c0gCajNCg:JVfjmN3Jo/qi+k
Malware Config

Signatures

- Executes dropped EXE (2 IoCs)
  pid  Process
  1196 Logo1_.exe
  2112 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe

- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc    Process
  File opened (read-only)  \??\G: Logo1_.exe
  File opened (read-only)  \??\S: Logo1_.exe
  File opened (read-only)  \??\P: Logo1_.exe
  File opened (read-only)  \??\I: Logo1_.exe
  File opened (read-only)  \??\H: Logo1_.exe
  File opened (read-only)  \??\J: Logo1_.exe
  File opened (read-only)  \??\Z: Logo1_.exe
  File opened (read-only)  \??\Q: Logo1_.exe
  File opened (read-only)  \??\M: Logo1_.exe
  File opened (read-only)  \??\K: Logo1_.exe
  File opened (read-only)  \??\N: Logo1_.exe
  File opened (read-only)  \??\L: Logo1_.exe
  File opened (read-only)  \??\Y: Logo1_.exe
  File opened (read-only)  \??\X: Logo1_.exe
  File opened (read-only)  \??\V: Logo1_.exe
  File opened (read-only)  \??\T: Logo1_.exe
  File opened (read-only)  \??\E: Logo1_.exe
  File opened (read-only)  \??\W: Logo1_.exe
  File opened (read-only)  \??\U: Logo1_.exe
  File opened (read-only)  \??\R: Logo1_.exe
  File opened (read-only)  \??\O: Logo1_.exe

- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\js\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\he-il\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Windows Defender\ja-JP\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\vi-VN\View3d\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Defender\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\en-gb\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-gb\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-sl\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\en-gb\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{58A0B331-3AF0-4193-878F-F049A00D7980}\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe | Logo1_.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\rundl132.exe | 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe
  File created | C:\Windows\Logo1_.exe | 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\vDll.dll | Logo1_.exe

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid  Process
  1196 Logo1_.exe (this same entry is listed 20 times)

- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 4448 wrote to memory of 808 | 4448 | 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe | 85
  PID 4448 wrote to memory of 808 | 4448 | 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe | 85
  PID 4448 wrote to memory of 808 | 4448 | 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe | 85
  PID 4448 wrote to memory of 1196 | 4448 | 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe | 86
  PID 4448 wrote to memory of 1196 | 4448 | 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe | 86
  PID 4448 wrote to memory of 1196 | 4448 | 201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe | 86
  PID 1196 wrote to memory of 4892 | 1196 | Logo1_.exe | 87
  PID 1196 wrote to memory of 4892 | 1196 | Logo1_.exe | 87
  PID 1196 wrote to memory of 4892 | 1196 | Logo1_.exe | 87
  PID 4892 wrote to memory of 1648 | 4892 | net.exe | 90
  PID 4892 wrote to memory of 1648 | 4892 | net.exe | 90
  PID 4892 wrote to memory of 1648 | 4892 | net.exe | 90
  PID 808 wrote to memory of 2112 | 808 | cmd.exe | 92
  PID 808 wrote to memory of 2112 | 808 | cmd.exe | 92
  PID 1196 wrote to memory of 3256 | 1196 | Logo1_.exe | 51
  PID 1196 wrote to memory of 3256 | 1196 | Logo1_.exe | 51
Processes (process tree; the number is the nesting depth)

1. C:\Windows\Explorer.EXE
   C:\Windows\Explorer.EXE
   PID: 3256

   2. C:\Users\Admin\AppData\Local\Temp\201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe
      "C:\Users\Admin\AppData\Local\Temp\201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 4448

      3. C:\Windows\SysWOW64\cmd.exe
         C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA5B6.bat
         - Suspicious use of WriteProcessMemory
         PID: 808

         4. C:\Users\Admin\AppData\Local\Temp\201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe
            "C:\Users\Admin\AppData\Local\Temp\201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe"
            - Executes dropped EXE
            PID: 2112

      3. C:\Windows\Logo1_.exe
         C:\Windows\Logo1_.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         PID: 1196

         4. C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            - Suspicious use of WriteProcessMemory
            PID: 4892

            5. C:\Windows\SysWOW64\net1.exe
               C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
               PID: 1648
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 251KB
  MD5: bd68d43c687d28dd7a767928ee356a04
  SHA1: 683eeecef7f75194de1fc21296a31742351ec07f
  SHA256: f50e651f61f0b43219f84425b96bb29d04067158c9a2090824501c128eb322f5
  SHA512: d5d8bbc180782a5c648a44003622105904ac4d39018083631d3f56eb9b3ccb2990f7b295670e2920d7420d8ca785311b245ae46cc15d93c18f91fd74d028ddd4

- Filesize: 484KB
  MD5: dd7289d41bdd1d4e797fb59ec03c9ced
  SHA1: d42c057bcd13b424abe11adfef721a10d2609288
  SHA256: 29bc1fa38ad291825d1e2d43db6bca71124243251b52df5b31922ff0f377684e
  SHA512: bb2585c9bf1a9e8ab0f393b6e2e24eeea430c4a610ff5912b22b6ac860ba97b05dba5179159343a935bdecccaf1cdc3de03e437f86a0ea988d6e73ce4f832c14

- Filesize: 722B
  MD5: 0bdf235b86dd154c383f64a7e530e872
  SHA1: 4edc6100625e36546df0b7bbe70def610ac99c7d
  SHA256: ba44298319dd653dbfaea75bbe40879a7f1f83eff5b51663b24e635d7bd7a959
  SHA512: ea32c216e6efd13b693ea6e686443ecd7074197f285ddc2774af8995877f3e9dd577bb347e9efca98a44e959c6ea2b4373cca511f42325099f54de9ef65b3396

- C:\Users\Admin\AppData\Local\Temp\201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe
  Filesize: 90KB
  MD5: c8c3b8fb878ce29b75a69219abff4ccf
  SHA1: e2e5d4feb0dff20ad1d83f72062f5816d365bc37
  SHA256: 4656a73e3e8ae7ab4dc9bcdcda922f18787978c758871c9bd51e4340d46e5113
  SHA512: 70c68e1c770cc806b2d2edf5d40cc86dd1781d8a01849cffc08a511133c1efcf892bd8a56dd4a7f8e307c46b038fff3a309ce9c1d78feb6190347ae6d77d6ad1

- C:\Users\Admin\AppData\Local\Temp\201cff169b47cdb925ca24fe47584599281b6ecd0bb65e5960411e93dff7b59d.exe.exe
  Filesize: 90KB
  MD5: c8c3b8fb878ce29b75a69219abff4ccf
  SHA1: e2e5d4feb0dff20ad1d83f72062f5816d365bc37
  SHA256: 4656a73e3e8ae7ab4dc9bcdcda922f18787978c758871c9bd51e4340d46e5113
  SHA512: 70c68e1c770cc806b2d2edf5d40cc86dd1781d8a01849cffc08a511133c1efcf892bd8a56dd4a7f8e307c46b038fff3a309ce9c1d78feb6190347ae6d77d6ad1

- Filesize: 26KB
  MD5: 2001b3d40d05330d0c289354fd39c442
  SHA1: 31c0c109110e336da3bdfee62d6986e50be0affd
  SHA256: ba1346ea33d2c9d045b75592ce50046974aaf474b530fd4c4d16dbf16cbaf815
  SHA512: 92847dfb9be7c658b61063cedaf0f7faa51fc8afe4dae11ab4bdfdeb4ad1f8a976f20901d2d8532a60df5ad528dbd907064889412d14370dd17f5e73289cde69

- Filesize: 26KB
  MD5: 2001b3d40d05330d0c289354fd39c442
  SHA1: 31c0c109110e336da3bdfee62d6986e50be0affd
  SHA256: ba1346ea33d2c9d045b75592ce50046974aaf474b530fd4c4d16dbf16cbaf815
  SHA512: 92847dfb9be7c658b61063cedaf0f7faa51fc8afe4dae11ab4bdfdeb4ad1f8a976f20901d2d8532a60df5ad528dbd907064889412d14370dd17f5e73289cde69

- Filesize: 26KB
  MD5: 2001b3d40d05330d0c289354fd39c442
  SHA1: 31c0c109110e336da3bdfee62d6986e50be0affd
  SHA256: ba1346ea33d2c9d045b75592ce50046974aaf474b530fd4c4d16dbf16cbaf815
  SHA512: 92847dfb9be7c658b61063cedaf0f7faa51fc8afe4dae11ab4bdfdeb4ad1f8a976f20901d2d8532a60df5ad528dbd907064889412d14370dd17f5e73289cde69

- Filesize: 10B
  MD5: e0b221b9338753deceb4d4e7a6bf13e8
  SHA1: 56521251ff5aab737b3617dd82eb07df74ad588f
  SHA256: 3e46e7e2c6c9cf629a9230a5b1c5b196f727959b334cbb517641244ec5c4b065
  SHA512: 391e4ed4ed44dc677fd663677cb7e69e4c23e4a3629940e46cf757d812395a7876a93c3568d12e5dd99e06b7068e22397694cf54723efa3f0f5789b9687b5810