Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 10/04/2024, 23:08
Static task
static1
Behavioral task
behavioral1
Sample
1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
Resource
win10v2004-20231215-en
General
-
Target
1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
-
Size
957KB
-
MD5
39c429cd98ca9863321e64fb61feaa3f
-
SHA1
6d4d409f5426da36b1a4f9c47352939c782e16e7
-
SHA256
1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e
-
SHA512
e91b49e26c9cd52fc6ef277358480c280ce28b1ca5e3f5a111b70c179043a4a2565f8f85c87357867b4ca7ace32cc9ebb53218209e7130112357176c78a34e33
-
SSDEEP
12288:Bp7RKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:BpEBpDRmi78gkPXlyo0G/jr
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2960   Process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 888    Process Logo1_.exe
  pid 1040   Process 1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
- Loads dropped DLL (2 IoCs)
  pid 2960   Process cmd.exe
  pid 2960   Process cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description                  ioc      Process
File opened (read-only)      \??\Y:   Logo1_.exe
File opened (read-only)      \??\X:   Logo1_.exe
File opened (read-only)      \??\R:   Logo1_.exe
File opened (read-only)      \??\G:   Logo1_.exe
File opened (read-only)      \??\T:   Logo1_.exe
File opened (read-only)      \??\S:   Logo1_.exe
File opened (read-only)      \??\O:   Logo1_.exe
File opened (read-only)      \??\L:   Logo1_.exe
File opened (read-only)      \??\K:   Logo1_.exe
File opened (read-only)      \??\I:   Logo1_.exe
File opened (read-only)      \??\W:   Logo1_.exe
File opened (read-only)      \??\Q:   Logo1_.exe
File opened (read-only)      \??\P:   Logo1_.exe
File opened (read-only)      \??\M:   Logo1_.exe
File opened (read-only)      \??\J:   Logo1_.exe
File opened (read-only)      \??\H:   Logo1_.exe
File opened (read-only)      \??\E:   Logo1_.exe
File opened (read-only)      \??\Z:   Logo1_.exe
File opened (read-only)      \??\V:   Logo1_.exe
File opened (read-only)      \??\U:   Logo1_.exe
File opened (read-only)      \??\N:   Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory (4 IoCs)
description                     ioc                        Process
File created                    C:\Windows\vDll.dll        Logo1_.exe
File created                    C:\Windows\rundl132.exe    1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
File created                    C:\Windows\Logo1_.exe      1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
File opened for modification    C:\Windows\rundl132.exe    Logo1_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid 888    Process Logo1_.exe   (10 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 1040   Process 1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                  pid     Process
Token: SeRestorePrivilege    1040    1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
Token: 35                    1040    1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
-
Suspicious use of WriteProcessMemory (22 IoCs; identical entries collapsed with their count)
description                          pid     Process                                                                 procid_target
PID 1728 wrote to memory of 2960     1728    1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe   29   (x4)
PID 1728 wrote to memory of 888      1728    1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe   30   (x4)
PID 888 wrote to memory of 2588      888     Logo1_.exe                                                              32   (x4)
PID 2960 wrote to memory of 1040     2960    cmd.exe                                                                 35   (x4)
PID 2588 wrote to memory of 2676     2588    net.exe                                                                 34   (x4)
PID 888 wrote to memory of 1072      888     Logo1_.exe                                                              18   (x2)
Processes (indentation shows the parent/child tree; depth as reported)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth: 1
  PID: 1072
  - C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe"
    Depth: 2
    PID: 1728
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a15E1.bat
      Depth: 3
      PID: 2960
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1f7af504348ab6f5df7f32f183a67bec10c1cf2ec6fe9dddb7df76eb97c2ab9e.exe"
        Depth: 4
        PID: 1040
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Depth: 3
      PID: 888
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Depth: 4
        PID: 2588
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Depth: 5
          PID: 2676
Network
MITRE ATT&CK Enterprise v15
Downloads