Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
09/04/2024, 13:08
Static task
static1
Behavioral task
behavioral1
Sample
4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
Resource
win7-20240221-en
General
-
Target
4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
-
Size
717KB
-
MD5
947fb0a70bedead559e53be801302d4b
-
SHA1
f3768e716d67384870ed06c1cca9911166f2f2d6
-
SHA256
4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e
-
SHA512
7da4830f680a307ec75785c6f6cf82b09f5cdca52e631dc86252db2bd0c8668880bb628d4b2434ef13944af90f46e34ab94853b9d6db856b33763a3fca6b1832
-
SSDEEP
12288:A+agfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:ABMLOS2opPIXV
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid  Process
2552  cmd.exe
-
Executes dropped EXE 3 IoCs
pid  Process
2620  Logo1_.exe
2508  4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
1176  Explorer.EXE
-
Loads dropped DLL 3 IoCs
pid  Process
2552  cmd.exe
2552  cmd.exe
1176  Explorer.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Media Player\fr-FR\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe Logo1_.exe File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe Logo1_.exe File created C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini Logo1_.exe File created C:\Program Files\Windows 
Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini Logo1_.exe File created C:\Program Files\DVD Maker\Shared\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{0CE5CC7E-EAA3-4562-A781-DCB0067BB36A}\chrome_installer.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Games\Purble Place\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Journal\es-ES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini Logo1_.exe File created C:\Program 
Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe Logo1_.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe Logo1_.exe File opened for modification C:\Program Files\Java\jre7\lib\applet\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini Logo1_.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows 
Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Media Player\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description  ioc  Process
File created  C:\Windows\Logo1_.exe  4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created  C:\Windows\Dll.dll  Logo1_.exe
File created  C:\Windows\rundl132.exe  4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
pid Process 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe 2620 Logo1_.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2012 wrote to memory of 2100 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 28 PID 2012 wrote to memory of 2100 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 28 PID 2012 wrote to memory of 2100 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 28 PID 2012 wrote to memory of 2100 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 28 PID 2100 wrote to memory of 2836 2100 net.exe 30 PID 2100 wrote to memory of 2836 2100 net.exe 30 PID 2100 wrote to memory of 2836 2100 net.exe 30 PID 2100 wrote to memory of 2836 2100 net.exe 30 PID 2012 wrote to memory of 2552 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 31 PID 2012 wrote to memory of 2552 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 31 PID 2012 wrote to memory of 2552 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 31 PID 2012 wrote to memory of 2552 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 31 PID 2012 wrote to memory of 2620 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 33 PID 2012 wrote to memory of 2620 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 33 PID 2012 wrote to memory of 2620 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 33 PID 2012 wrote to memory of 2620 2012 4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe 33 PID 2620 wrote to memory of 2556 2620 Logo1_.exe 34 PID 2620 wrote to memory of 2556 2620 Logo1_.exe 34 PID 2620 wrote to memory of 2556 2620 Logo1_.exe 34 PID 2620 wrote to memory of 2556 2620 Logo1_.exe 34 PID 2556 wrote to memory of 2724 2556 net.exe 36 PID 2556 wrote to memory of 2724 2556 net.exe 36 PID 2556 wrote to memory of 2724 2556 net.exe 36 PID 2556 wrote to memory of 2724 2556 net.exe 36 PID 2552 wrote to memory of 2508 2552 
cmd.exe 37 PID 2552 wrote to memory of 2508 2552 cmd.exe 37 PID 2552 wrote to memory of 2508 2552 cmd.exe 37 PID 2552 wrote to memory of 2508 2552 cmd.exe 37 PID 2620 wrote to memory of 2676 2620 Logo1_.exe 38 PID 2620 wrote to memory of 2676 2620 Logo1_.exe 38 PID 2620 wrote to memory of 2676 2620 Logo1_.exe 38 PID 2620 wrote to memory of 2676 2620 Logo1_.exe 38 PID 2676 wrote to memory of 2416 2676 net.exe 40 PID 2676 wrote to memory of 2416 2676 net.exe 40 PID 2676 wrote to memory of 2416 2676 net.exe 40 PID 2676 wrote to memory of 2416 2676 net.exe 40 PID 2620 wrote to memory of 1176 2620 Logo1_.exe 21 PID 2620 wrote to memory of 1176 2620 Logo1_.exe 21
Processes
-
C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE  (level 1)
- Executes dropped EXE
- Loads dropped DLL
PID:1176 -
C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe"  (level 2)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\net.exe  cmdline: net stop "Kingsoft AntiVirus Service"  (level 3)
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"  (level 4)
PID:2836
-
-
-
C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a117E.bat  (level 3)
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe"  (level 4)
- Executes dropped EXE
PID:2508
-
-
-
C:\Windows\Logo1_.exe  cmdline: C:\Windows\Logo1_.exe  (level 3)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\net.exe  cmdline: net stop "Kingsoft AntiVirus Service"  (level 4)
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"  (level 5)
PID:2724
-
-
-
C:\Windows\SysWOW64\net.exe  cmdline: net stop "Kingsoft AntiVirus Service"  (level 4)
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\net1.exe  cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"  (level 5)
PID:2416
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
258KB
MD5 ec71a61715110767626fe1094063291b
SHA1 1fd433c484e987ad74fb6dd5026e94eba029f62f
SHA256 e737572195b0c4d8df6f1211e324b97191d66ba2b409cfaa2dd07fd5b96a87f4
SHA512 61df3880ff6b71b5b2c522678a1ee69011a9387158e3956f6dd8db8e2c76113772fcf2b9979e27ee84d659925d3d44382d9d5da171dcdfb8a3b21c8034297d6f
-
Filesize
478KB
MD5 f5cd7b35ea5f0009cdb5355dbc356066
SHA1 c06af0b31cdebdc4e31d57f448acb174e5be44b7
SHA256 472ce6c84e17f672782a003fa17f8d412c85a25675f83d16b1a1fb7bfc085f6d
SHA512 89573e495959ad60f4a4079248f3cfb6991b8c700223538a269d7553baaacd6de837f26cfe1a4f6a6c0940b8d758406ae2d9e85f2e5738371c9025ea699a7d28
-
Filesize
722B
MD5 bb434c45f3153c83565715d52abeea35
SHA1 c3561cd7c9652813a44b6df266ebca6ad813bdbd
SHA256 950ef3e8fd03dc29051d61960b3a08822c2641a75f461e73ae088dac3e21c992
SHA512 c91eb8efa6c1a684383e015813f07032da3d742832ffbf7046ddc2de6828fc57dd72cc3d2ed4264edd3b5f6db09e3d1660ed6d10b6227f27362bd501b171a021
-
C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe.exe
Filesize
684KB
MD5 50f289df0c19484e970849aac4e6f977
SHA1 3dc77c8830836ab844975eb002149b66da2e10be
SHA256 b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305
SHA512 877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38
-
Filesize
33KB
MD5 c4ec2631f0913b349423b6d2bd687a6b
SHA1 9b9ae1664a063db7e1bd53073f6f1c3a62fa0e55
SHA256 cdaed7acb956972ce40a95412620150fcf1428c34a8ddbd0e9f0742df0d885bb
SHA512 a8ba683aa3c9d607d7ef9c3ec28a924b23be85a90e5334eb2a9f6edb8117442a818608c44f010b2bdaec052319fcc6436b5628408f4ebb82d207196df1729e86
-
Filesize
8B
MD5 eb2b82f341fdb4eae25ceb49373ed303
SHA1 cf7db5d16d0cdb9abd32cb4fe1e343e2296142b0
SHA256 8a35cc496890b7089f69f59dd7dd7fed74622e8ff18cf9f99d49c94aa5888c5a
SHA512 895d5f91dcdf77750063ec0b0112b643597bfcc87ddaa30f07864adeadf185ce062ead7699d964bd05135dcf034ca4028165ec95ab2e17b549c5faf2236f8982