Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28/03/2024, 19:05
Static task: static1
Behavioral task: behavioral1
Sample: e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
Resource: win7-20240221-en
General
- Target: e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
- Size: 62KB
- MD5: b448a4ed020d6d8280086c0a7c1c9431
- SHA1: 954dc1dab428145a82e4c85e1b94fa1adddf58b6
- SHA256: e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee
- SHA512: 46b0af3e5f1102d62cde17bc6ea893a704e6abea3ef8cd354d2feb7e28fe401515ac73f00fb0f311b1fc23fef2f87a7cbc57aa5d4e932720a8ea5c84554173b4
- SSDEEP: 1536:4uue+Zk77RNtMy/tgTM/OqxPAq9khDRGadegghOgmgk:4Ze+aX3tM6gT9oL9k9dehhOgo
Malware Config
Signatures

- Deletes itself (1 IoC)
  pid 2880  cmd.exe

- Executes dropped EXE (2 IoCs)
  pid 2020  Logo1_.exe
  pid 2632  e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe

- Loads dropped DLL (1 IoC)
  pid 2880  cmd.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description  ioc  Process
  File opened (read-only)  \??\T:  Logo1_.exe
  File opened (read-only)  \??\P:  Logo1_.exe
  File opened (read-only)  \??\M:  Logo1_.exe
  File opened (read-only)  \??\K:  Logo1_.exe
  File opened (read-only)  \??\S:  Logo1_.exe
  File opened (read-only)  \??\R:  Logo1_.exe
  File opened (read-only)  \??\Q:  Logo1_.exe
  File opened (read-only)  \??\L:  Logo1_.exe
  File opened (read-only)  \??\E:  Logo1_.exe
  File opened (read-only)  \??\X:  Logo1_.exe
  File opened (read-only)  \??\W:  Logo1_.exe
  File opened (read-only)  \??\J:  Logo1_.exe
  File opened (read-only)  \??\I:  Logo1_.exe
  File opened (read-only)  \??\H:  Logo1_.exe
  File opened (read-only)  \??\G:  Logo1_.exe
  File opened (read-only)  \??\Z:  Logo1_.exe
  File opened (read-only)  \??\Y:  Logo1_.exe
  File opened (read-only)  \??\V:  Logo1_.exe
  File opened (read-only)  \??\U:  Logo1_.exe
  File opened (read-only)  \??\O:  Logo1_.exe
  File opened (read-only)  \??\N:  Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
  description  ioc  Process
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Sidebar\en-US\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Media Player\wmplayer.exe  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini  Logo1_.exe
  File created  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Windows Journal\en-US\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini  Logo1_.exe
  File created  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe  Logo1_.exe
  File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Program Files\MSBuild\Microsoft\_desktop.ini  Logo1_.exe
- Drops file in Windows directory (4 IoCs)
  description  ioc  Process
  File created  C:\Windows\rundl132.exe  e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
  File created  C:\Windows\Logo1_.exe  e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created  C:\Windows\Dll.dll  Logo1_.exe

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (43 IoCs)
  pid 2940  e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe  (13 occurrences)
  pid 2020  Logo1_.exe  (30 occurrences)

- Suspicious use of WriteProcessMemory (38 IoCs)
  description  pid  Process  procid_target
  PID 2940 wrote to memory of 2352  2940  e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe  28  (4 occurrences)
  PID 2352 wrote to memory of 3064  2352  net.exe  30  (4 occurrences)
  PID 2940 wrote to memory of 2880  2940  e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe  31  (4 occurrences)
  PID 2940 wrote to memory of 2020  2940  e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe  33  (4 occurrences)
  PID 2020 wrote to memory of 2584  2020  Logo1_.exe  34  (4 occurrences)
  PID 2584 wrote to memory of 2736  2584  net.exe  36  (4 occurrences)
  PID 2880 wrote to memory of 2632  2880  cmd.exe  37  (4 occurrences)
  PID 2020 wrote to memory of 2600  2020  Logo1_.exe  38  (4 occurrences)
  PID 2600 wrote to memory of 2828  2600  net.exe  40  (4 occurrences)
  PID 2020 wrote to memory of 1204  2020  Logo1_.exe  21  (2 occurrences)
Processes

- C:\Windows\Explorer.EXE  (PID 1204)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe  (PID 2940)
    command line: "C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe"
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe  (PID 2352)
      command line: net stop "Kingsoft AntiVirus Service"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe  (PID 3064)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe  (PID 2880)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a10B3.bat
      signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe  (PID 2632)
        command line: "C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe"
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe  (PID 2020)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe  (PID 2584)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe  (PID 2736)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe  (PID 2600)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe  (PID 2828)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 477KB
  MD5: 49d515b044bbad65c9307b89dd66e79a
  SHA1: d0edd7c63488d72b6ba185eee80e63df89df6966
  SHA256: c696990b3d0f156f8e572201d9ac44dd5a79c95235c9b84c2a8ffcd098789ebe
  SHA512: aedd7b238961a154477d8704082691ab64a75f4c3bbb584ce55b62845b46b94dd2e39a1eb8939398f662db6cc504da9af788c054a4d054e683d02fcbad0d5d84

- Filesize: 722B
  MD5: 0e43c1a131bcb8bbf77cf9c6f2a84d66
  SHA1: 76599178d81a22ad6bb38014d3cc8b1531393974
  SHA256: 7dff88aa35d24134c375d3e2fa011912809ade0112e870bd064702d1b8ad74bb
  SHA512: 688e29c57feb2c855042b84318a11800ead2a03a14120827950478ffe2648a77a4b40f03c355b94d3c4ede24ad38b4b7c02805023bd55cd9b6805f266c43268b

- C:\Users\Admin\AppData\Local\Temp\e1710acee077fd85633d88c9f14110bb6f39b6f4fa19a1237fbb570237aa65ee.exe.exe
  Filesize: 29KB
  MD5: 0cac659cc68e68ed44223ddb7343275a
  SHA1: cb75dd7034e31eb575668f7c69b7d990653c0248
  SHA256: 7c32fe8ec1851e273763a2742a67a1f9c09a3725c9eaec76e22fcfc92dda7c88
  SHA512: 1c0c3b170bed3a3cbd7821dfa008e776df675f620afe85905f84f7d86b68b487206af0c6acf8207ae346b8ae7deb71a756128cb5c199bf648952d2c582aa9023

- Filesize: 33KB
  MD5: 1eb46052207e9bdf5c8cc6aa7dcccf89
  SHA1: 37ed03cd7c2ccade09093134c6a2b6099d450227
  SHA256: db79ee7697ddc2795271dd97e4910c9343f58758e913ba19df70e7a481555cda
  SHA512: f4b0fdfebbbc9fa25563f2da3d6171cde29306ff5ac5ac024c05da231b3150c11dd52021162ba8f13926f6defa611968628bd776b9f4f8660c995915b43c9eca

- Filesize: 9B
  MD5: a7058e06d084fd947f7dddc2897ebb22
  SHA1: 400bcc9cc3cbab99b910b4696cc0163ba8713226
  SHA256: da0976fbb0588170763cb9b0d9b3ce23b0ff3e7cc146ecf1840a40e7655f1287
  SHA512: 4921df984df8d792e9cde40d30fd19e315b2af1b034966c6fc397ef92e3cb25cfa258400758277e9ec01b5609f3041ba42c8e5911b79eff5a08843a91ad9c9c9