Analysis
max time kernel: 153s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2023, 15:52
Static task: static1
Behavioral task: behavioral1
  Sample: 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe
  Resource: win10v2004-20231023-en
General
Target: 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe
Size: 203KB
MD5: bd301c11fa85dca192e868fcc640351b
SHA1: 29bbb52634027378cc92382508c7bcb07f17fb03
SHA256: 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888
SHA512: f691ee9a80495cb1739a77b0b47d8d6a63068b15d7e93a8c073076f62056f1f2ecc451c849e1b10708f7d39fcf9ea765c0e6f7ea5ed4af53bc9839ff265c3362
SSDEEP: 3072:wsftffjmNrZgxhlhGeJJrJsQ+qHcNL6LyZI6nQpL4jRXFiOkg3kLcm5LUlJ9t:3VfjmNefnCM9yZVnQpLuNEbLc0UL9t
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
3096 | Logo1_.exe
2296 | 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | Logo1_.exe
File created | C:\Program Files\7-Zip\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | Logo1_.exe
File opened for modification | C:\Program Files\_desktop.ini | Logo1_.exe
File created | C:\Program Files\7-Zip\Lang\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\include\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\include\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\bin\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | Logo1_.exe
File created | C:\Program Files\Google\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\vDll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe
File created | C:\Windows\Logo1_.exe | 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
3096 | Logo1_.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 3404 wrote to memory of 3264 | 3404 | 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe | 93
PID 3404 wrote to memory of 3264 | 3404 | 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe | 93
PID 3404 wrote to memory of 3264 | 3404 | 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe | 93
PID 3404 wrote to memory of 3096 | 3404 | 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe | 94
PID 3404 wrote to memory of 3096 | 3404 | 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe | 94
PID 3404 wrote to memory of 3096 | 3404 | 3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe | 94
PID 3096 wrote to memory of 4780 | 3096 | Logo1_.exe | 97
PID 3096 wrote to memory of 4780 | 3096 | Logo1_.exe | 97
PID 3096 wrote to memory of 4780 | 3096 | Logo1_.exe | 97
PID 3264 wrote to memory of 2296 | 3264 | cmd.exe | 99
PID 3264 wrote to memory of 2296 | 3264 | cmd.exe | 99
PID 3264 wrote to memory of 2296 | 3264 | cmd.exe | 99
PID 4780 wrote to memory of 1648 | 4780 | net.exe | 98
PID 4780 wrote to memory of 1648 | 4780 | net.exe | 98
PID 4780 wrote to memory of 1648 | 4780 | net.exe | 98
PID 3096 wrote to memory of 3380 | 3096 | Logo1_.exe | 51
PID 3096 wrote to memory of 3380 | 3096 | Logo1_.exe | 51
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3380
   2. C:\Users\Admin\AppData\Local\Temp\3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 3404
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a945B.bat
         - Suspicious use of WriteProcessMemory
         PID: 3264
         4. C:\Users\Admin\AppData\Local\Temp\3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe"
            - Executes dropped EXE
            PID: 2296
      3. C:\Windows\Logo1_.exe
         Command line: C:\Windows\Logo1_.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         PID: 3096
         4. C:\Windows\SysWOW64\net.exe
            Command line: net stop "Kingsoft AntiVirus Service"
            - Suspicious use of WriteProcessMemory
            PID: 4780
            5. C:\Windows\SysWOW64\net1.exe
               Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
               PID: 1648
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 484KB
MD5: 26ad1955e49c77461922b8167b40178b
SHA1: edad5fd8dc1b6d7c5075e293764fea4297a2e3e6
SHA256: 8e2ecb63e3e5c25092fa0bd05abae885774fdbb58b5ec0b9ace93fd11b81f79d
SHA512: 48dd7a625fa33b8da6f41980c0d09395a4e4d3a89e64b9c3657ce46abb1417344d5132ac4963ed1cb0ddc31483d283e00f021029a4d4400287ce3f25e1656c5e

Filesize: 722B
MD5: 134b14ce9f927dfdbd8a445126473556
SHA1: f2026a401081d62d20a268cdeab5dfce51f546b3
SHA256: df4fe5f00b233244a61849eb9710a61a7ba79600776535ab0e8d9c8eaa5d7de1
SHA512: b2b10094200145826138246378ab2f16b9805b1538679c12dcbd6f62824e66d2900d510f47120397de2c3495d3e9db75cedd808d8b41ff214d053c7fe91a53e1

C:\Users\Admin\AppData\Local\Temp\3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe
Filesize: 177KB
MD5: 38ced7c7dca88182d3d8e02aaa889338
SHA1: c702b28c7b267d6034cd06ebfc2e7b10b6700aa9
SHA256: 8b8bfe9d542b109edd6418d5679187abc1074e0c0f090c7ada0c608ce868d353
SHA512: 473ccf1f9b3265c192384140a48bef06a65105ab1f7d63a274a0e06487aea477206514bce1258a3bd0b74329dd2b678c71028d6eee166a1a497dd42deaabf70d

C:\Users\Admin\AppData\Local\Temp\3a9e8369a177a1ed90e1f50bea862286666d00a5b2fe2f01f4c0b53c66d9a888.exe.exe
Filesize: 177KB
MD5: 38ced7c7dca88182d3d8e02aaa889338
SHA1: c702b28c7b267d6034cd06ebfc2e7b10b6700aa9
SHA256: 8b8bfe9d542b109edd6418d5679187abc1074e0c0f090c7ada0c608ce868d353
SHA512: 473ccf1f9b3265c192384140a48bef06a65105ab1f7d63a274a0e06487aea477206514bce1258a3bd0b74329dd2b678c71028d6eee166a1a497dd42deaabf70d

Filesize: 26KB
MD5: 4f6b7b7dd1e90f9968e5197d34085d7c
SHA1: e49e73e61aede77f897b3be38716b22a9ed86e37
SHA256: c203da2bf8f27304bf94615ee5c238a6fefed6c557aaf65869306f68955756bf
SHA512: 4225a9c7c3cd1092ca2215fd915a1bd7cd5cc3f4bc8ffb83909f2a9a0b70b2b08281ae2b9f7302cbc5e4282d0ecf94654e4ce8538218b504fee05ff7b4834da2

Filesize: 26KB
MD5: 4f6b7b7dd1e90f9968e5197d34085d7c
SHA1: e49e73e61aede77f897b3be38716b22a9ed86e37
SHA256: c203da2bf8f27304bf94615ee5c238a6fefed6c557aaf65869306f68955756bf
SHA512: 4225a9c7c3cd1092ca2215fd915a1bd7cd5cc3f4bc8ffb83909f2a9a0b70b2b08281ae2b9f7302cbc5e4282d0ecf94654e4ce8538218b504fee05ff7b4834da2

Filesize: 26KB
MD5: 4f6b7b7dd1e90f9968e5197d34085d7c
SHA1: e49e73e61aede77f897b3be38716b22a9ed86e37
SHA256: c203da2bf8f27304bf94615ee5c238a6fefed6c557aaf65869306f68955756bf
SHA512: 4225a9c7c3cd1092ca2215fd915a1bd7cd5cc3f4bc8ffb83909f2a9a0b70b2b08281ae2b9f7302cbc5e4282d0ecf94654e4ce8538218b504fee05ff7b4834da2

Filesize: 9B
MD5: a496dc6e67a7c97fe6b5f93f052c5de1
SHA1: 91d1cbd786e4ca543f5d364b42273efd1be384c5
SHA256: f656a696c47b2c37afecab6674210ad082849577f4763b778f81ca947bef3e63
SHA512: 850c4fe29e0fa3388cb06d91a85330c1ac5eed337d23d2b6ee3d74142941dba27a49485ecf4a8cc73800c8c22d207b6586447ee3b20443f9a0e355614a6a1cb2