Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2024, 19:40
Static task: static1
Behavioral task: behavioral1
  Sample: 15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe
  Resource: win10v2004-20231222-en
General
Target: 15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe
Size: 530KB
MD5: 17b18fad091a105b7adc27ad2545bbdc
SHA1: 13f8144b240ca6df7847b86d610b07bc811bb40b
SHA256: 15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364
SHA512: 42881a8068d3d74acbd29ac36fe33ad2179ce1cd1ddc7fe76154e06d5b39c86dbbbb8f27ae0659220555a559aa8d2e367a60b01744b0d3e25e0b0a1bec69f74d
SSDEEP: 12288:w7+oqb61gjjtmevCClxPZyH2WaGWcZywmITc5kOCexlBGu8dKOU5:w75q+1KhmOgH26WcZywmITc5kOCexlBD
Malware Config
Signatures
Executes dropped EXE - 2 IoCs
pid 4776  Logo1_.exe
pid 2420  15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe
Enumerates connected drives - 3 TTPs, 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by Logo1_.exe: \??\W:, \??\Q:, \??\M:, \??\N:, \??\L:, \??\I:, \??\E:, \??\Y:, \??\U:, \??\T:, \??\R:, \??\O:, \??\K:, \??\G:, \??\P:, \??\J:, \??\H:, \??\Z:, \??\X:, \??\V:, \??\S:
Drops file in Program Files directory - 64 IoCs
Drops file in Windows directory - 4 IoCs
File created C:\Windows\vDll.dll by Logo1_.exe
File created C:\Windows\rundl132.exe by 15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe
File created C:\Windows\Logo1_.exe by 15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe
File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses - 20 IoCs
pid 4776  Logo1_.exe (20 identical entries)
Suspicious use of WriteProcessMemory - 16 IoCs
PID 4092 (15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe) wrote to memory of 2112, target procid 25 (3 entries)
PID 4092 (15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe) wrote to memory of 4776, target procid 24 (3 entries)
PID 4776 (Logo1_.exe) wrote to memory of 3792, target procid 16 (3 entries)
PID 3792 (net.exe) wrote to memory of 4556, target procid 18 (3 entries)
PID 2112 (cmd.exe) wrote to memory of 2420, target procid 22 (2 entries)
PID 4776 (Logo1_.exe) wrote to memory of 3404, target procid 53 (2 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe"
   PID: 4092
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 4776
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5350.bat
      PID: 2112
      - Suspicious use of WriteProcessMemory
1. C:\Windows\SysWOW64\net.exe
   Command line: net stop "Kingsoft AntiVirus Service"
   PID: 3792
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      PID: 4556
1. C:\Users\Admin\AppData\Local\Temp\15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15cec831b12a0713a14a38c3d8a1a067adb86e538fb599296a09c8dc5bc8b364.exe"
   PID: 2420
   - Executes dropped EXE
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3404
Network
MITRE ATT&CK Enterprise v15
Downloads