Analysis

max time kernel:  151s
max time network: 156s
platform:         windows10-2004_x64
resource:         win10v2004-20240226-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:        13/03/2024, 18:58
Static task: static1

Behavioral task: behavioral1
  Sample:   db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample:   db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe
  Resource: win10v2004-20240226-en

The Analysis block above names win10v2004-20240226-en as the platform, so the signatures, process tree and dropped files on this page come from behavioral2; the behavioral1 (Windows 7) run is not shown here.
General

Target:  db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe
Size:    297KB
MD5:     2d2fd82cf3a3bc026aa320530352b1d1
SHA1:    fc42c5f1f01792885e149de31e7570fa853b671e
SHA256:  db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff
SHA512:  dd57584dd2f42c56c51b495597bd43c2eb904685319960f1ad9cd04bb270edf98844ed1dddc1e45a40037cc7066a7dc175056fa0547fc42ee1be3eb517f8cdde
SSDEEP:  6144:5VfjmNTXEsQ8sX8DohN09wzABEtot5AOxdsJapJ9Q:P7+Be8CN0QIfryJapJ9Q
Malware Config
Signatures
Executes dropped EXE (2 IoCs)

pid   Process
4872  Logo1_.exe
4932  db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description: File opened (read-only)
Process:     Logo1_.exe
ioc:         \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
             (every drive root from E: through Z: except F:, one open per letter)
Drops file in Program Files directory (64 IoCs)

Process: Logo1_.exe for every entry. 61 of the 64 entries are a file named _desktop.ini created or opened for modification in a Program Files subfolder; Windows itself uses desktop.ini (no underscore) for folder customisation, so _desktop.ini here is a marker written by the sample. The remaining three entries are existing executables opened for modification: policytool.exe, keytool.exe and chrome_pwa_launcher.exe.

description                   ioc
File created                  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\_desktop.ini
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini
File opened for modification  C:\Program Files\Windows Security\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini
File created                  C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\css\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini
File created                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\WidevineCdm\_platform_specific\win_x64\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\Data\BrushProfile\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\_desktop.ini
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk-1.8\bin\policytool.exe
File created                  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\_desktop.ini
File opened for modification  C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
File opened for modification  C:\Program Files\Java\jre-1.8\lib\images\cursors\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\_desktop.ini
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
File created                  C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini
File opened for modification  C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\_desktop.ini
File opened for modification  C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini
File opened for modification  C:\Program Files\WindowsPowerShell\Modules\PackageManagement\_desktop.ini
File created                  C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\_desktop.ini
File opened for modification  C:\Program Files\Java\jre-1.8\lib\amd64\_desktop.ini
File opened for modification  C:\Program Files\Windows Defender\uk-UA\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\_desktop.ini
File opened for modification  C:\Program Files\dotnet\host\fxr\8.0.0\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\_desktop.ini
File created                  C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\_desktop.ini
File created                  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
File opened for modification  C:\Program Files\WindowsPowerShell\Configuration\Schema\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\_desktop.ini
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\tr-tr\_desktop.ini
File opened for modification  C:\Program Files (x86)\Common Files\Services\_desktop.ini
Drops file in Windows directory (4 IoCs)

description                   ioc                      Process
File created                  C:\Windows\Logo1_.exe    db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created                  C:\Windows\vDll.dll      Logo1_.exe
File created                  C:\Windows\rundl132.exe  db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe

None of these three files is part of Windows. rundl132.exe differs from the legitimate rundll32.exe by a digit 1 in place of the second l, a look-alike name that survives a casual glance at a process list; the submitted sample drops it and Logo1_.exe, and Logo1_.exe then writes vDll.dll and modifies rundl132.exe.
Runs net.exe
The report lists no IoC rows under this signature; the process tree below shows the trigger: Logo1_.exe launches net.exe with net stop "Kingsoft AntiVirus Service", which in turn runs net1.exe.
Suspicious behavior: EnumeratesProcesses (20 IoCs)

pid   Process     entries
4872  Logo1_.exe  20 (all 20 IoCs are the same process)
Suspicious use of WriteProcessMemory (17 IoCs)

description                       pid   Process                                                                 procid_target  entries
PID 444 wrote to memory of 4364   444   db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe   95             3
PID 444 wrote to memory of 4872   444   db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe   96             3
PID 4872 wrote to memory of 1712  4872  Logo1_.exe                                                              97             3
PID 1712 wrote to memory of 3320  1712  net.exe                                                                 100            3
PID 4364 wrote to memory of 4932  4364  cmd.exe                                                                 101            3
PID 4872 wrote to memory of 3376  4872  Logo1_.exe                                                              56             2

procid_target is the report's own process index, not an OS PID; the target PID is the number in the description. The first five rows are each a parent writing into a child it has just created, which is how process creation appears in this table. The last row is different: 3376 is Explorer.EXE in the process tree, a process that existed before Logo1_.exe started, so this is the one write here into a process the writer did not create.
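The signatures above are behavioural heuristics over file, process and memory events. As an added example, not part of the Triage report or its tooling, the Python below re-implements them over a constructed event list built from the IoC tables: the paths, PIDs and command lines are the report's, while the event schema, the thresholds (5 marker folders, 10 drive roots) and the keyword list used to recognise an anti-virus service name are assumptions. It also adds a look-alike check that catches rundl132.exe standing in for rundll32.exe, and treats the write into Explorer.EXE as its own finding.

```python
import re
from collections import defaultdict

SAMPLE = "db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe"

# Constructed events modelled on the report's signature tables. Paths, PIDs
# and command lines are the report's; the flat dict schema is an assumption
# standing in for a Sysmon/ETW feed. The report lists 64 _desktop.ini writes
# and 21 drive-root opens; five marker files and all 21 letters appear here.
EVENTS = [
    {"type": "file_create", "pid": 444, "image": SAMPLE, "path": r"C:\Windows\Logo1_.exe"},
    {"type": "file_modify", "pid": 4872, "image": "Logo1_.exe", "path": r"C:\Windows\rundl132.exe"},
    {"type": "file_create", "pid": 4872, "image": "Logo1_.exe", "path": r"C:\Windows\vDll.dll"},
    {"type": "file_create", "pid": 444, "image": SAMPLE, "path": r"C:\Windows\rundl132.exe"},
    {"type": "process_create", "pid": 1712, "ppid": 4872, "image": "net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"type": "remote_write", "pid": 4872, "image": "Logo1_.exe",
     "target_pid": 3376, "target_image": "Explorer.EXE"},
]
EVENTS += [{"type": "file_create", "pid": 4872, "image": "Logo1_.exe", "path": p} for p in (
    r"C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini",
    r"C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini",
    r"C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini",
    r"C:\Program Files (x86)\Common Files\Services\_desktop.ini",
    r"C:\Program Files\Windows Security\_desktop.ini",
)]
EVENTS += [{"type": "file_open", "pid": 4872, "image": "Logo1_.exe", "path": "\\??\\" + d + ":"}
           for d in "EGHIJKLMNOPQRSTUVWXYZ"]

WRITES = {"file_create", "file_modify"}
SERVICE_TOOLS = {"net.exe", "net1.exe", "sc.exe"}
AV_WORDS = ("antivirus", "anti-virus", "defender", "security")  # assumed keyword list
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})  # digits commonly swapped for letters
STOP_RE = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"\\\?\?\\[A-Z]:")


def lookalike_of(filename):
    """Return the system binary a filename imitates through digit-for-letter
    substitution (rundl132.exe -> rundll32.exe), or None for anything else."""
    low = filename.lower()
    if low in SYSTEM_BINARIES:
        return None
    normalized = low.translate(HOMOGLYPHS)
    return normalized if normalized in SYSTEM_BINARIES else None


def triage(events, marker_min=5, drive_min=10):
    """Apply the report's behavioural signatures to an event list and return
    one {"rule", "pid", "detail"} finding per hit. Thresholds are assumptions."""
    findings = []
    marker_dirs = defaultdict(set)  # pid -> Program Files folders that received _desktop.ini
    drive_roots = defaultdict(set)  # pid -> drive letters whose root was opened
    for e in events:
        kind, pid, path = e["type"], e["pid"], e.get("path", "")
        folder, _, name = path.rpartition("\\")
        # Executable written directly into C:\Windows (not a subfolder).
        if kind in WRITES and folder.lower() == r"c:\windows" and name.lower().endswith((".exe", ".dll")):
            twin = lookalike_of(name)
            detail = f"{e['image']} wrote {path}" + (f" (lookalike of {twin})" if twin else "")
            findings.append({"rule": "drop_in_windows_root", "pid": pid, "detail": detail})
        # Marker file spread across Program Files folders.
        if kind in WRITES and name.lower() == "_desktop.ini" and folder.lower().startswith("c:\\program files"):
            marker_dirs[pid].add(folder)
        # Root of a drive opened, as in the report's \??\X: entries.
        if kind == "file_open" and DRIVE_ROOT_RE.fullmatch(path):
            drive_roots[pid].add(path[-2])
        # net/sc stopping a service whose name looks like a security product.
        if kind == "process_create" and e["image"].lower() in SERVICE_TOOLS:
            m = STOP_RE.search(e.get("cmdline", ""))
            if m and any(w in m.group(1).lower() for w in AV_WORDS):
                findings.append({"rule": "av_service_stop", "pid": pid, "detail": m.group(1)})
        # Cross-process write into the shell.
        if kind == "remote_write" and e["target_image"].lower() == "explorer.exe":
            findings.append({"rule": "remote_write_into_explorer", "pid": pid,
                             "detail": f"{e['image']} -> {e['target_image']} (pid {e['target_pid']})"})
    for pid, dirs in marker_dirs.items():
        if len(dirs) >= marker_min:
            findings.append({"rule": "mass_marker_file", "pid": pid,
                             "detail": f"_desktop.ini written into {len(dirs)} Program Files folders"})
    for pid, letters in drive_roots.items():
        if len(letters) >= drive_min:
            findings.append({"rule": "drive_enumeration", "pid": pid, "detail": "".join(sorted(letters))})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['rule']:28} pid {f['pid']:<5} {f['detail']}")
```

Run as a script it prints eight findings: four Windows-root drops (two of them tagged as look-alikes of rundll32.exe), the service stop with the service name, the write into Explorer.EXE, the marker-file spread and the 21-letter drive sweep. Against a real feed, lower the marker and drive thresholds only after measuring how often installers and backup agents trip them.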
Processes

Indentation shows parent/child depth; each process lists its image path, PID, command line and the signatures the report attaches to it.

C:\Windows\Explorer.EXE  PID 3376
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe  PID 444
    command line: "C:\Users\Admin\AppData\Local\Temp\db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  PID 4364
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5DEF.bat
      signatures: Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe  PID 4932
        command line: "C:\Users\Admin\AppData\Local\Temp\db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe"
        signatures: Executes dropped EXE

    C:\Windows\Logo1_.exe  PID 4872
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe  PID 1712
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  PID 3320
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 444
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4416 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:8

Reading the tree:
- cmd.exe, net.exe and net1.exe were requested as C:\Windows\system32\... but ran from C:\Windows\SysWOW64, the file-system redirection a 32-bit process receives on x64 Windows. The sample and Logo1_.exe are therefore 32-bit processes, consistent with the arch:x86 resource tag.
- PID 4932 is the sample's own path executed a second time, by the batch file $$a5DEF.bat that cmd.exe runs. The report tags that execution "Executes dropped EXE", i.e. the file at that path was written during the run.
- The sample stops "Kingsoft AntiVirus Service" through net.exe before the rest of its file activity is tagged, the only service it touches in this run.
- The Edge utility process at the bottom carries PID 444, the same number as the sample: PIDs are reused within a run, so match processes on PID plus start time, not PID alone.
- The WriteProcessMemory table above shows Logo1_.exe (4872) writing into PID 3376, Explorer.EXE, the one target here that is not a child it created.
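Two details of the tree above are easy to get wrong when rebuilding it from raw telemetry: PID 444 belongs to the sample and, later, to an Edge utility process, and Logo1_.exe writes into Explorer.EXE (PID 3376), which existed before it. The Python below is an added example, not part of the report; it reconstructs the tree from start and remote-write events keyed by (PID, start sequence) so a reused PID yields two nodes, and flags a binary relaunching itself through an intermediate process as well as writes into processes that predate the writer. Images, PIDs and parent links are the report's; the sequence numbers and the tuple shape are assumptions.

```python
from collections import defaultdict

SAMPLE = "db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe"

# Constructed events reproducing the report's process tree and its
# WriteProcessMemory table. Images, PIDs and parent links are the report's;
# the sequence numbers and the tuple shape are assumptions. PID 444 is
# started twice on purpose: the report shows it on the sample and, later,
# on an Edge utility process.
#   ("start", seq, ppid, pid, image)     ppid None = parent not in the trace
#   ("write", seq, writer_pid, target_pid)
EVENTS = [
    ("start", 1, None, 3376, "Explorer.EXE"),
    ("start", 2, 3376, 444, SAMPLE),
    ("start", 3, 444, 4364, "cmd.exe"),
    ("write", 4, 444, 4364),
    ("start", 5, 444, 4872, "Logo1_.exe"),
    ("write", 6, 444, 4872),
    ("start", 7, 4872, 1712, "net.exe"),
    ("write", 8, 4872, 1712),
    ("start", 9, 1712, 3320, "net1.exe"),
    ("write", 10, 1712, 3320),
    ("start", 11, 4364, 4932, SAMPLE),
    ("write", 12, 4364, 4932),
    ("write", 13, 4872, 3376),
    ("start", 14, None, 444, "msedge.exe"),
]


class Node:
    def __init__(self, pid, seq, image, parent):
        self.pid, self.seq, self.image, self.parent = pid, seq, image, parent
        self.children = []


def build(events):
    """Rebuild the process tree keyed by (pid, start seq), so a reused PID
    becomes a second node instead of merging two processes. Returns (roots, flags)."""
    starts = defaultdict(list)  # pid -> nodes with that pid, in start order
    roots, flags = [], []

    def owner(pid, at_seq):
        # The process that owned `pid` at time `at_seq`: the latest start at or before it.
        cands = [n for n in starts[pid] if n.seq <= at_seq]
        return cands[-1] if cands else None

    for ev in sorted(events, key=lambda e: e[1]):
        if ev[0] == "start":
            _, seq, ppid, pid, image = ev
            parent = owner(ppid, seq) if ppid is not None else None
            node = Node(pid, seq, image, parent)
            starts[pid].append(node)
            (parent.children if parent else roots).append(node)
            if len(starts[pid]) > 1:
                flags.append(f"pid {pid} reused: {starts[pid][-2].image} then {image}")
            # Same image as an ancestor: the binary re-executing itself, here via cmd.exe.
            hops, anc = [], parent
            while anc is not None:
                if anc.image == image:
                    flags.append(f"{image} (pid {pid}) relaunched itself via "
                                 + (" -> ".join(hops) or "direct child"))
                    break
                hops.append(anc.image)
                anc = anc.parent
        else:
            _, seq, writer_pid, target_pid = ev
            w, t = owner(writer_pid, seq), owner(target_pid, seq)
            # Writing into a child you just created is what process launch looks like;
            # writing into a process that predates you is the interesting case.
            if w and t and t.seq < w.seq:
                flags.append(f"{w.image} (pid {w.pid}) wrote into pre-existing {t.image} (pid {t.pid})")
    return roots, flags


def render(roots):
    """Indented text tree, one line per process."""
    lines = []

    def walk(node, depth):
        lines.append("  " * depth + f"{node.image} [pid {node.pid}]")
        for child in node.children:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    roots, flags = build(EVENTS)
    print("\n".join(render(roots)))
    print("\n".join(flags))
```

The rendered tree has the same shape as the report's, with msedge.exe as a second root rather than being folded into the sample's node, and three flags come out: the self-relaunch through cmd.exe, the write into Explorer.EXE, and the PID 444 reuse. Resolving the owner of a PID by "latest start at or before the event" is the standard fallback when a feed lacks exit events; with exit events available, check liveness instead.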
Network
MITRE ATT&CK Enterprise v15
Downloads

Files written during the run. Only one entry carries a path in the report; the others are listed by size and hash alone.

Filesize: 251KB
  MD5:    15de3119354bf2f7ada1ae847042a205
  SHA1:   332314350f2e545988ab7b1c3e8cc68788fdff1b
  SHA256: 86bcacef389ea0f42219d11c4e9494971f2cb8ba7d7f414b70976a905ce13583
  SHA512: ac803936cc1e993bcf5e855a7441fe323bbe543d6092bb4951251afd8ae28932c966dd034cf774f1b66362183b071a7ce42653c8cfac4a8a241bc11a62215ce8

Filesize: 570KB
  MD5:    bee890240c8a47c9a8d17e438b4b62c0
  SHA1:   d44c6e46f65a3c807590aae1706ff5f895de7d9e
  SHA256: 92767fc0daf64b82b6f4cca7cd8f5bb4375446638777c9f3aa7c7511861e68aa
  SHA512: dcd7b0788af61b0a03cdc005df19b510d11d7c1f08ad652fe1c33401e042dc36df623c74cac305b7bd36a4cdd631b15cca00524fcb5ab860ae2a4f0b617b0642

Filesize: 722B
  MD5:    3db26d5f43ac360d78bf9b1de0406f04
  SHA1:   f345d93da954019aaf70bd67cff06ae39d1175ce
  SHA256: 579c181e254b10ddc7f35b8455146dc5a567d26900b58b32d396406b9e45784d
  SHA512: 34c581c0d765bc6df546ce70c514113988df4d22c650e744ee48f9def1913a2b3624dd65a0684bcc738220e8e31ded49b1d3e6f98198d895bb23e00d627239b4

C:\Users\Admin\AppData\Local\Temp\db90ba0c6d918ff7913344d42e1c64faab7d636dc19fe237499b44c2bcd661ff.exe.exe
Filesize: 270KB
  MD5:    394d109e7c282ed7fecfc78ea0da9dcf
  SHA1:   aadf25ede61ba501a380a3959b7eba196a675999
  SHA256: 5c1c9968df0af2cc56a85ac592389f82d053a74e884e2117e019fb72798ca54a
  SHA512: 924e7b2136b89fcf3e991031beef6c4acb79a14f8a36ddc312e3409325aa287e836cc832cd040727281d265bd978e396369cff2bcc2532aff54c4ca7ee62accd

Filesize: 26KB
  MD5:    bd5889d3899d3d107d129b64afca9d88
  SHA1:   77ea9915b9a4b30d24b4a31909a2ff49ac2e242e
  SHA256: b811cc0e46ee95219f6345fb788e7639fcb76d29c855a9886f66cbbcc123c2ee
  SHA512: 31c60690421f54b0ac57067c31003f523f5df12d55e98cc6f5ba7b906120215e4cac7a5d7a6f996a45907289ceca1a6123826ebfaa688e18b753a8364998191e

Filesize: 9B
  MD5:    6304f6cd23949a0e203abd81fc93bcfd
  SHA1:   260299dcdd7b9af6298e036322e7493d3598ab44
  SHA256: 6e249dd60655637cf4a7f940b41cfc3b70dc36b986a37babad9180d29d22adb8
  SHA512: ce9d77f19554bdfdf7bc99adc9a9cdbc79c3d30f901b9f47ffb8e2d737c7a3fceb059de56993f9092c4ba0276b9d6ebc035fd48298dc62e11a9ef05bb9e00ab5