Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/03/2024, 16:13
Static task: static1
Behavioral task: behavioral1
  Sample: 31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe
  Resource: win10v2004-20240226-en
General
Target: 31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe
Size: 381KB
MD5: c4c8cb796091adbbae269b05094e7332
SHA1: 7cbbc98f889ade6945bc46fcf904999e66c8f308
SHA256: 31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc
SHA512: 1ffcaa3cef4bde4734dc1ff454bbba78e07989e07f9a699dffc694f89d819632c736fd082212cf855813e0b0342e524494e581076fcbcd4b1182140c696605c7
SSDEEP: 6144:MVfjmN+6x0Joevr9BIfamYnwA92lGh5qyM4mF5sAOj/dxCzHa3NrJQe:O7++A02evr/IfamWkCM4OSdxma3Nrj
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID 1480: Logo1_.exe
  PID 4224: 31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\K:, \??\Y:, \??\X:, \??\V:, \??\U:, \??\S:, \??\Q:, \??\O:, \??\G:, \??\W:, \??\T:, \??\R:, \??\P:, \??\L:, \??\I:, \??\H:, \??\E:, \??\Z:, \??\N:, \??\M:, \??\J:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  File created C:\Windows\rundl132.exe by 31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe
  File created C:\Windows\Logo1_.exe by 31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe
  File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  File created C:\Windows\vDll.dll by Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID 1480: Logo1_.exe (20 identical entries)
Suspicious use of WriteProcessMemory (16 IoCs)
  PID 960 (31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe) wrote to memory of PID 1772, procid_target 90 (3 entries)
  PID 960 (31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe) wrote to memory of PID 1480, procid_target 91 (3 entries)
  PID 1480 (Logo1_.exe) wrote to memory of PID 4892, procid_target 92 (3 entries)
  PID 4892 (net.exe) wrote to memory of PID 2236, procid_target 95 (3 entries)
  PID 1772 (cmd.exe) wrote to memory of PID 4224, procid_target 96 (2 entries)
  PID 1480 (Logo1_.exe) wrote to memory of PID 3344, procid_target 56 (2 entries)
Processes
C:\Windows\Explorer.EXE (depth 1, PID 3344)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe (depth 2, PID 960)
    command line: "C:\Users\Admin\AppData\Local\Temp\31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1772)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3614.bat
      signatures: Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe (depth 4, PID 4224)
        command line: "C:\Users\Admin\AppData\Local\Temp\31d3d7d119de686232e9d19128b2ff3d67e2259b131c11525b22787b197db9dc.exe"
        signatures: Executes dropped EXE
    C:\Windows\Logo1_.exe (depth 3, PID 1480)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (depth 4, PID 4892)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (depth 5, PID 2236)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads