Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 27/03/2024, 04:01
Static task: static1
Behavioral task: behavioral1
- Sample: e0b7ab3127f73fc44af1af4362511e71.exe
- Resource: win7-20240319-en
Behavioral task: behavioral2
- Sample: e0b7ab3127f73fc44af1af4362511e71.exe
- Resource: win10v2004-20240226-en
General
- Target: e0b7ab3127f73fc44af1af4362511e71.exe
- Size: 166KB
- MD5: e0b7ab3127f73fc44af1af4362511e71
- SHA1: ce8ecbb24762f4c03b79a8020ccce06dc25414e4
- SHA256: 47e3e5fbba12babd157f4fb1a8388088384f070847f5e86836898f52c8fc2afc
- SHA512: 4b74979c59a50935f036e1852b7f6fe48e8159d0a45db202f5a356ca306c3ddebfd02de868583602667aecefd0042f3621dd38d332f5dcf0281d9ea852dc99bc
- SSDEEP: 3072:ILe+aX3zvUzAMe5CZbJ/uKtGvF13q/POIekjNbf6JclSN2uAhRG9C+:3+aX3L2ARGFPR+kxmiWAI
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid Process: 3028 cmd.exe
- Executes dropped EXE (2 IoCs)
  pid Process: 2560 Logo1_.exe; 2592 e0b7ab3127f73fc44af1af4362511e71.exe
- Loads dropped DLL (2 IoCs)
  pid Process: 3028 cmd.exe; 3028 cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description / ioc / Process:
  File opened (read-only) \??\T: Logo1_.exe
  File opened (read-only) \??\Q: Logo1_.exe
  File opened (read-only) \??\O: Logo1_.exe
  File opened (read-only) \??\L: Logo1_.exe
  File opened (read-only) \??\X: Logo1_.exe
  File opened (read-only) \??\W: Logo1_.exe
  File opened (read-only) \??\V: Logo1_.exe
  File opened (read-only) \??\H: Logo1_.exe
  File opened (read-only) \??\E: Logo1_.exe
  File opened (read-only) \??\Y: Logo1_.exe
  File opened (read-only) \??\S: Logo1_.exe
  File opened (read-only) \??\N: Logo1_.exe
  File opened (read-only) \??\K: Logo1_.exe
  File opened (read-only) \??\G: Logo1_.exe
  File opened (read-only) \??\Z: Logo1_.exe
  File opened (read-only) \??\R: Logo1_.exe
  File opened (read-only) \??\P: Logo1_.exe
  File opened (read-only) \??\I: Logo1_.exe
  File opened (read-only) \??\U: Logo1_.exe
  File opened (read-only) \??\M: Logo1_.exe
  File opened (read-only) \??\J: Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
  description / ioc / Process:
  File created C:\Program Files\Internet Explorer\es-ES\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini Logo1_.exe
  File created C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Windows Media Player\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini Logo1_.exe
  File created C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini Logo1_.exe
  File created C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE Logo1_.exe
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini Logo1_.exe
  File created C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini Logo1_.exe
  File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini Logo1_.exe
  File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini Logo1_.exe
  File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Windows Media Player\wmpshare.exe Logo1_.exe
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Windows Media Player\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe Logo1_.exe
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe Logo1_.exe
  File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini Logo1_.exe
  File created C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini Logo1_.exe
  File created C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Java\jre7\bin\java.exe Logo1_.exe
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe Logo1_.exe
  File opened for modification C:\Program Files\Reference Assemblies\_desktop.ini Logo1_.exe
  File created C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini Logo1_.exe
  File created C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini Logo1_.exe
  File created C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Microsoft Office\MEDIA\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini Logo1_.exe
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini Logo1_.exe
  File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini Logo1_.exe
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini Logo1_.exe
- Drops file in Windows directory (4 IoCs)
  description / ioc / Process:
  File created C:\Windows\rundl132.exe e0b7ab3127f73fc44af1af4362511e71.exe
  File created C:\Windows\Logo1_.exe e0b7ab3127f73fc44af1af4362511e71.exe
  File opened for modification C:\Windows\rundl132.exe Logo1_.exe
  File created C:\Windows\Dll.dll Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
  pid Process: 2972 e0b7ab3127f73fc44af1af4362511e71.exe (13 entries); 2560 Logo1_.exe (30 entries)
- Suspicious use of WriteProcessMemory (38 IoCs)
  description / pid / Process / procid_target:
  PID 2972 wrote to memory of 1368 (2972 e0b7ab3127f73fc44af1af4362511e71.exe, target 28) x4
  PID 1368 wrote to memory of 1700 (1368 net.exe, target 30) x4
  PID 2972 wrote to memory of 3028 (2972 e0b7ab3127f73fc44af1af4362511e71.exe, target 31) x4
  PID 2972 wrote to memory of 2560 (2972 e0b7ab3127f73fc44af1af4362511e71.exe, target 33) x4
  PID 2560 wrote to memory of 2640 (2560 Logo1_.exe, target 34) x4
  PID 2640 wrote to memory of 2420 (2640 net.exe, target 36) x4
  PID 3028 wrote to memory of 2592 (3028 cmd.exe, target 37) x4
  PID 2560 wrote to memory of 2720 (2560 Logo1_.exe, target 38) x4
  PID 2720 wrote to memory of 2824 (2720 net.exe, target 40) x4
  PID 2560 wrote to memory of 1232 (2560 Logo1_.exe, target 21) x2
Processes
- C:\Windows\Explorer.EXE (PID 1232)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\e0b7ab3127f73fc44af1af4362511e71.exe (PID 2972)
    command line: "C:\Users\Admin\AppData\Local\Temp\e0b7ab3127f73fc44af1af4362511e71.exe"
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1368)
      command line: net stop "Kingsoft AntiVirus Service"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 1700)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 3028)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3949.bat
      signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e0b7ab3127f73fc44af1af4362511e71.exe (PID 2592)
        command line: "C:\Users\Admin\AppData\Local\Temp\e0b7ab3127f73fc44af1af4362511e71.exe"
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 2560)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2640)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2420)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 2720)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2824)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 258KB
  MD5: 36ce325665e80730a87fe419e620ec5a
  SHA1: c16e07644e07cb2ec85c197f2b25fbf85885b719
  SHA256: 7b8bf83836c593486dc9d1feb32ccebae4282b1f0caaffa89956d48473978c42
  SHA512: d8bfe548e7f96a8caf19cdb4bd4d10b46c0dc83e35d5a0cd2244c223d47dcb9d2b9fe7929fc73e2a45f2e4f0aa5b73721548d9d6c726ecc6cc3034a7f7807cdd
- Filesize: 478KB
  MD5: 13689a976739ee578cca7c130b7fef1a
  SHA1: fc996cec103246b14384ca0d44f6dda9263e8287
  SHA256: b834be980b6259818c6bab3ea0c7dce63605f3ffdc3609c7d8969f08e149a22a
  SHA512: ea0bdbc66ab6b830721433d7f85db4ae4e8c05afa3b72e13553f331b669b1ffe3917fad2426b6f5b21b674a7e1d88474633143c82825a6ea57b7e16778c8654f
- Filesize: 530B
  MD5: 08bf07c37e8313273fec2d06166b6f2d
  SHA1: a8aad71d62224d6a7a7fd38c55927530d9017bac
  SHA256: b43fba4c0b9dbd53f2814a692fcdbd60280ab5a1e3b92d1efdb898884ac5e110
  SHA512: 4ec94b3a99eb7a7fcd8ec956d854df925cdc17cf4e42797afc1f0ef88dd18a6ec67bc6513f61c23165e85ea6ec42c998275b2735851c16d4e96f77604bb0be51
- Filesize: 133KB
  MD5: 199f5eceb89ea8d47752c7d93282aaca
  SHA1: 89bc3c28445228994d2fe2927ed7a58e90d88f6a
  SHA256: 857fdaa2bd8d84efe9ebeda9b8577c30da8cff4e2f7db80b06a07c89c22e6da7
  SHA512: ae21d78626787f6c07e20473b157548e705d39c05e2167647506c81ca3857c1fda53e959956dec30d61eade5a26b09cad03b2ffa3615ce982fe1412c1d416949
- Filesize: 33KB
  MD5: 882fb7fca0106ebde62148a324a99e18
  SHA1: 22c2ed58751ee35ca2b96342c5c42894501e3ec5
  SHA256: d36e1c820e2e2390f17125140b2d19e092b2a75ba12d7816ec4acec15c3a2dcf
  SHA512: e92448eb03243d31f04daff133b1db922bfe1ee9a1721bb5afd8c67a426617865e51daa7378ae883598084bf286472cce5288e9ed3210169a01497c1c0064c27
- Filesize: 9B
  MD5: f290d5b34b77b963189d043630703b29
  SHA1: f3dbfaa00f863d39575c7adf50bddbf02900d6b3
  SHA256: 4c76a275d94e486451f7797077242c8636df44e88643a2208b0a876c4ad5433b
  SHA512: b4ffa173d60592b9219d188bd7eb4d96e0543e4c5350b903d96e0afea437f71753a520ac4397df2a39df8b84a9230f51c959995f8e436bcac4ff3567e9b35ef9