Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13/03/2024, 23:10
Static task
static1
Behavioral task
behavioral1
Sample
c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe
Resource
win10v2004-20240226-en
General
-
Target
c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe
-
Size
182KB
-
MD5
6bc1a74ad2949cd87554036930689aca
-
SHA1
da2878bb7b13df1abc4564598a868a347b8b6fa6
-
SHA256
c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8
-
SHA512
e734b3ec73c7b3c5a1ab26f4a988f68c2147c95220d5a0c7efbd2884062d0cb8e808953daa7e461decbf12e0949094465a98f97951666bf19ae36ac18fd9ab70
-
SSDEEP
3072:xftffepVPhsJCQIZHJTpprL8FZjuAZcU6xeZ/swaOL+2aDOI+MzGVNgZb+9EeMK:5VfgPK4QIZHJTAuAZVmeZ/6OLX+vXZC3
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2732 Logo1_.exe 1248 c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Fonts\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\sq-AL\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Content\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\el-GR\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe File created C:\Windows\Logo1_.exe c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe 2732 Logo1_.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4768 wrote to memory of 1928 4768 c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe 87 PID 4768 wrote to memory of 1928 4768 c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe 87 PID 4768 wrote to memory of 1928 4768 c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe 87 PID 4768 wrote to memory of 2732 4768 c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe 88 PID 4768 wrote to memory of 2732 4768 c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe 88 PID 4768 wrote to memory of 2732 4768 c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe 88 PID 2732 wrote to memory of 4960 2732 Logo1_.exe 90 PID 2732 wrote to memory of 4960 2732 Logo1_.exe 90 PID 2732 wrote to memory of 4960 2732 Logo1_.exe 90 PID 4960 wrote to memory of 832 4960 net.exe 92 PID 4960 wrote to memory of 832 4960 net.exe 92 PID 4960 wrote to memory of 832 4960 net.exe 92 PID 1928 wrote to memory of 1248 1928 cmd.exe 93 PID 1928 wrote to memory of 1248 1928 cmd.exe 93 PID 2732 wrote to memory of 3448 2732 Logo1_.exe 56 PID 2732 wrote to memory of 3448 2732 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe"C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D55.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe"C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe"4⤵
- Executes dropped EXE
PID:1248
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:832
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD5770e80db366145f997b81f8040496869
SHA14d924c50b0c714b97047df34a0bd4adaf2de6a83
SHA256dccf1246394aab3657a9ebd19ebd4150b9420f438bd50e40aafbc8ac8d51ebdb
SHA512754b5ee9fdcc4614ad626ece4d684fdc2f4b20d5c20042dba268f4c7b1c913b2b707ac1903bfb85a79598975e4b6ab4eb508660a242cb9feb2196d6368a6ff8d
-
Filesize
570KB
MD51e01d1160ba6e43d35de151fd823151e
SHA1aa378c2982b0fa49a83d04e0f7bebfe1113fd4bc
SHA256a93e95c61e248218eb6cd565a920c93f42d33366e1615da351c5e4309ee9fa76
SHA512faf4fa464b333397505d0221fd5c31b4d9559f0880256f67dd52470d9add4c56386494fa0f233faace154ea022cd9f78e5a25f5335e2f62170e18edc9a09dbe7
-
Filesize
481KB
MD5d9a20f38778ddec5c48e2acde4956248
SHA1fe41d404f38c2d570cd55158524d450f5ed50da3
SHA256f39c91803fd8d891849aa7b16cd6f82fa4a3b0eaf12d6699127206f48dbf9c63
SHA512c879087690924c702a818643329c7c8c2fae5fae3d9a2c6b1c5eb608f3c899ba4bd4708cde9565e957b669c09fa8ab11ad289128bc5871dd85fe4fa90c31e4b4
-
Filesize
722B
MD5fb4cb8d3947ba767e704bba1b7a7c8e7
SHA1296c36e8ecd5d845fb92c097f1f12b1b41ea758d
SHA256538431d2b8cc1bb685520a292e42bda1d87a434c6e591a053842a5c6d5fff9b6
SHA51238dfbc6bf3dbcbfa0522c2f8861baf39d6f6d34720f8f13b087555c3faecfaf6e1a138cfcf82e6418495d4e34705f3c1fe68a65f3b80ad9569105659b7919737
-
C:\Users\Admin\AppData\Local\Temp\c35935bc666ebfdec5c306508928c29fcc984165166e348a0c6f8db4edb329e8.exe.exe
Filesize156KB
MD539e25fdcbc0fe52d96da002d453561fd
SHA145ff4ac06ed22d72700b17463c798b7a7133d048
SHA256e77946b429093c874157b1dbc11cc69a137747ef1eab9bd3c2fb3d8e991934c3
SHA51248add6448f3da3336fbf0efeee7b199f6d9508da31911df82f22ef0f6b8408e3100d4c21390cb420e45ee7eb037231e6e5a2c84b8a4022239053521c92bf0d30
-
Filesize
26KB
MD58758044db9fce67ea2ad542f86e69e57
SHA160cc4d25ea4e17f676e8ac8be10b9dfe2f7ed67d
SHA2560c91b552dc6db19b6711e32cb8c9c604b60dc9d674be06cccb6adf08b4dbd82d
SHA512411737be53feaef0829190b6610c729b925949bcc0b4a65063ab393acb1a92c577093e6377a373704ce54d27a593f2faddc23c80c660638f7c304a93f1972c93
-
Filesize
9B
MD56304f6cd23949a0e203abd81fc93bcfd
SHA1260299dcdd7b9af6298e036322e7493d3598ab44
SHA2566e249dd60655637cf4a7f940b41cfc3b70dc36b986a37babad9180d29d22adb8
SHA512ce9d77f19554bdfdf7bc99adc9a9cdbc79c3d30f901b9f47ffb8e2d737c7a3fceb059de56993f9092c4ba0276b9d6ebc035fd48298dc62e11a9ef05bb9e00ab5