Analysis
max time kernel: 150s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 05:57
Static task: static1
Behavioral task: behavioral1
  Sample: fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe
  Resource: win10v2004-20240412-en
General
Target: fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe
Size: 3.0MB
MD5: f6f14b2e7da58a8b03216e62f9669a00
SHA1: 6f631a93440aca643b8762c4b6ad35882e1dfdaa
SHA256: fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f
SHA512: 87a3867a6405534cdd819dda7b79e01a701abe28722f2267293ce6a9326598ea2bf76b6a8940e75f2cb65fc476e5c6c152a655cdd6ed2fdc13f36d6f4f0d2ab0
SSDEEP: 49152:w7cDNdGSJX4DJ5OSt0CE86GD68BpvvcIoxhhZzlDz9NT7cnbrhcPM:Vjicx868XvcXZNTsF
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
1508  Logo1_.exe
3480  fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: Logo1_.exe
Drive roots opened read-only (in the order recorded): \??\J:, \??\M:, \??\K:, \??\W:, \??\U:, \??\E:, \??\Z:, \??\X:, \??\Q:, \??\P:, \??\N:, \??\H:, \??\S:, \??\R:, \??\T:, \??\O:, \??\L:, \??\I:, \??\G:, \??\Y:, \??\V:
That is every letter from E: and G: through Z:; the sample probes each volume regardless of whether it exists, which is the pattern of code looking for additional drives to write to rather than of a program opening a known path.
Drops file in Program Files directory (64 IoCs)
All 64 operations are performed by Logo1_.exe. With one exception they create or rewrite a file named _desktop.ini in installed-application directories; the exception is a write to an existing executable, C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe, which is worth checking by hash against a clean install because modification of existing .exe files in place is how file-infecting malware spreads.
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\_desktop.ini
created   C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\_desktop.ini
modified  C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
created   C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini
created   C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\Bundle\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\_desktop.ini
created   C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\_desktop.ini
modified  C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini
modified  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\_desktop.ini
created   C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini
modified  C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-GB\View3d\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\_desktop.ini
modified  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\_desktop.ini
created   C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\_desktop.ini
modified  C:\Program Files (x86)\Common Files\Java\Java Update\_desktop.ini
created   C:\Program Files\Java\jdk-1.8\jre\lib\ext\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\_desktop.ini
created   C:\Program Files (x86)\Common Files\Java\_desktop.ini
created   C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini
created   C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini
modified  C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\_desktop.ini
modified  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-black\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\_desktop.ini
modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini
created   C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pl-PL\View3d\_desktop.ini
created   C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\_desktop.ini
Drops file in Windows directory (4 IoCs)
created   C:\Windows\rundl132.exe   by fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe
created   C:\Windows\Logo1_.exe     by fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe
modified  C:\Windows\rundl132.exe   by Logo1_.exe
created   C:\Windows\vDll.dll       by Logo1_.exe
Note the name rundl132.exe: the digit 1 stands in for the letter l of the legitimate rundll32.exe, and the file sits in C:\Windows rather than in C:\Windows\System32, so an exact-name match against known system binaries will not catch it while a near-match will.
Runs net.exe
Logo1_.exe launches net.exe with the command line net stop "Kingsoft AntiVirus Service" (net.exe in turn runs net1.exe; see the process tree below).
Suspicious behavior: EnumeratesProcesses (20 IoCs)
All 20 events come from PID 1508 (Logo1_.exe).
Suspicious use of WriteProcessMemory (14 IoCs)
writer PID  writer process                                                          target PID  target process
4472        fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe   1524        cmd.exe (3 writes)
4472        fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe   1508        Logo1_.exe (3 writes)
1508        Logo1_.exe                                                              436         net.exe (3 writes)
436         net.exe                                                                 1088        net1.exe (3 writes)
1508        Logo1_.exe                                                              3396        Explorer.EXE (2 writes)
The first four rows are each a parent writing into a child it has just created, which the sandbox records during ordinary process start-up. The last row is different: Logo1_.exe writes into Explorer.EXE (PID 3396), a pre-existing process that is not its descendant. That is the row a detection should key on, since a cross-process write into an unrelated process is the primitive used for code injection.
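The file-system indicators above (drive-root probing, _desktop.ini scattered across Program Files, an existing .exe rewritten, executables dropped into C:\Windows under a rundll32 lookalike name) can be turned into a hunt over file-event telemetry. The script below is an added example written for this page, not tria.ge code; the event records are constructed from the report's IoC tables, and the field names pid, image, op and path are an assumption rather than any sandbox or EDR schema. The lookalike check generalises the rundl132.exe case to small edit distances from any name in a short allow-list of System32 binaries.

```python
"""Hunt file-system events for the behaviours listed in this report.

Added example, not part of the tria.ge report. Event records below are
constructed from the report's IoC tables; the field names are an assumption.
"""
import re
from collections import defaultdict

# Constructed sample events (pid/image/op/path), modelled on the report.
EVENTS = [
    {"pid": 4472, "image": "fa18e10a.exe", "op": "create", "path": r"C:\Windows\rundl132.exe"},
    {"pid": 4472, "image": "fa18e10a.exe", "op": "create", "path": r"C:\Windows\Logo1_.exe"},
    {"pid": 1508, "image": "Logo1_.exe", "op": "create", "path": r"C:\Windows\vDll.dll"},
    {"pid": 1508, "image": "Logo1_.exe", "op": "modify",
     "path": r"C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe"},
    {"pid": 1508, "image": "Logo1_.exe", "op": "create",
     "path": r"C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini"},
    {"pid": 1508, "image": "Logo1_.exe", "op": "create",
     "path": r"C:\Program Files (x86)\Common Files\Java\_desktop.ini"},
    {"pid": 1508, "image": "Logo1_.exe", "op": "modify",
     "path": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\_desktop.ini"},
] + [
    # the 21 read-only opens of drive roots E: and G: through Z:
    {"pid": 1508, "image": "Logo1_.exe", "op": "open_ro", "path": "\\??\\" + d + ":"}
    for d in "EGHIJKLMNOPQRSTUVWXYZ"
] + [
    # benign noise: an installer writing its own files and opening C: once
    {"pid": 900, "image": "msiexec.exe", "op": "create", "path": r"C:\Program Files\Contoso\app.dll"},
    {"pid": 900, "image": "msiexec.exe", "op": "open_ro", "path": "\\??\\C:"},
]

# Short allow-list of System32 binaries that are commonly imitated (assumption).
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")   # matches \??\X:


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the System32 binary `name` imitates, or None.

    An exact match is not a lookalike (copying the real file is a different
    finding); a distinct name within edit distance 2 is.
    """
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if _edit_distance(name, real) <= 2:
            return real
    return None


def hunt(events, drive_threshold=5):
    """Return (rule, pid, detail) findings for the four behaviours."""
    findings = []
    drives_by_pid = defaultdict(set)
    for ev in events:
        path, low = ev["path"], ev["path"].lower()
        m = DRIVE_ROOT.match(path)
        if m:                                   # rule 4 is evaluated after the loop
            drives_by_pid[ev["pid"]].add(m.group(1))
            continue
        if ev["op"] not in ("create", "modify"):
            continue
        base, head = _basename(path), low.rsplit("\\", 1)[0]
        # 1. executable or DLL written straight into the Windows root
        if head == "c:\\windows" and base.endswith((".exe", ".dll")):
            look = lookalike_of(base)
            findings.append(("windows_root_drop", ev["pid"],
                             f"{path} (lookalike of {look})" if look else path))
        if low.startswith(PROGRAM_DIRS):
            # 2. _desktop.ini planted under Program Files (the report shows 60+)
            if base == "_desktop.ini":
                findings.append(("desktop_ini_in_program_files", ev["pid"], path))
            # 3. an existing binary under Program Files rewritten in place
            elif ev["op"] == "modify" and base.endswith((".exe", ".dll", ".sys")):
                findings.append(("program_files_exe_modified", ev["pid"], path))
    # 4. one process opening the root of many volumes
    for pid, drives in drives_by_pid.items():
        if len(drives) >= drive_threshold:
            findings.append(("drive_enumeration", pid, "".join(sorted(drives))))
    return findings


def summarize(events):
    """Counts per (rule, pid); the shape a triage analyst wants first."""
    counts = defaultdict(int)
    for rule, pid, _ in hunt(events):
        counts[(rule, pid)] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(*finding)
```

On the constructed events this reports two Windows-root drops by PID 4472 (one flagged as a lookalike of rundll32.exe), one by PID 1508, the tnameserv.exe rewrite, three _desktop.ini writes and a 21-volume drive enumeration, and nothing for the installer noise. The drive threshold is deliberately low because a legitimate program rarely opens more than a handful of volume roots, let alone letters that do not exist.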
Processes
C:\Windows\Explorer.EXE (PID 3396)
  C:\Users\Admin\AppData\Local\Temp\fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe (PID 4472)
    command line: "C:\Users\Admin\AppData\Local\Temp\fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1524)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2F9B.bat
      C:\Users\Admin\AppData\Local\Temp\fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe (PID 3480)
        command line: "C:\Users\Admin\AppData\Local\Temp\fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe"
        signatures: Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 1508)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 436)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 1088)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Two things in this tree deserve attention. First, the binary re-executed at the original path (PID 3480) is tagged "Executes dropped EXE", and the Downloads list below records a 3.0MB file at almost the same path (with an extra .exe suffix) whose SHA256 differs from the submitted sample, so the batch file is swapping a different executable in at that location; the dropped copy, not the original submission, is what runs second. Second, the only visible defence-evasion step is stopping a single named antivirus service, which succeeds only on a host where that product is installed and the caller has the right to stop services; the command is nevertheless a reliable process-creation detection, since net.exe or net1.exe with stop and a security product's service name has no benign business use.
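The process tree and the WriteProcessMemory table together carry the two behavioural detections a responder would build from this report: a chain that ends in net.exe/net1.exe stopping a security product's service, and a cross-process memory write into a process that is not the writer's descendant. The script below is an added example written for this page, not tria.ge code. Its process and write records are constructed from the report (the sample's long file name is abbreviated to fa18e10a.exe), and the record layout, the AV keyword list and the regular expression are assumptions, not an EDR schema.

```python
"""Rebuild a process tree and flag AV-service stops and foreign memory writes.

Added example, not part of the tria.ge report. Records are constructed from
the report's Processes and WriteProcessMemory sections; layout is assumed.
"""
import re
from collections import defaultdict

# (pid, ppid, image, command line), constructed from the report's process tree.
PROCS = [
    (3396, 0,    r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (4472, 3396, r"C:\Users\Admin\AppData\Local\Temp\fa18e10a.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\fa18e10a.exe"'),
    (1524, 4472, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2F9B.bat"),
    (3480, 1524, r"C:\Users\Admin\AppData\Local\Temp\fa18e10a.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\fa18e10a.exe"'),
    (1508, 4472, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    (436,  1508, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    (1088, 436,  r"C:\Windows\SysWOW64\net1.exe",
     r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]
# (writer pid, target pid), constructed from the WriteProcessMemory table.
WRITES = [(4472, 1524)] * 3 + [(4472, 1508)] * 3 + [(1508, 436)] * 3 + \
         [(436, 1088)] * 3 + [(1508, 3396)] * 2

# Substrings that mark a service as security-related (assumed list).
AV_WORDS = ("antivirus", "anti-virus", "defender", "kingsoft", "security", "endpoint")
# net stop <svc> / net1 stop "<svc>", with or without .exe and path.
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def _name(image):
    return image.rsplit("\\", 1)[-1]


def build_tree(procs):
    """Index records by pid and build the parent -> children map."""
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for pid, ppid, _, _ in procs:
        children[ppid].append(pid)
    return by_pid, children


def ancestry(by_pid, pid):
    """[pid, parent, grandparent, ...] up to the root."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid][1]
    return chain


def descendants(children, pid):
    out, stack = set(), [pid]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in out:
                out.add(child)
                stack.append(child)
    return out


def service_stops(procs, by_pid):
    """net/net1 stopping a security-looking service, with the chain that led there.

    Both net.exe and its helper net1.exe are reported, since either alone may
    be the only one present in a given telemetry source.
    """
    alerts = []
    for pid, _, _, cmdline in procs:
        m = NET_STOP.search(cmdline)
        if not m:
            continue
        svc = m.group(1).strip()
        if any(w in svc.lower() for w in AV_WORDS):
            chain = [_name(by_pid[p][2]) for p in reversed(ancestry(by_pid, pid))]
            alerts.append({"pid": pid, "service": svc, "chain": " -> ".join(chain)})
    return alerts


def foreign_writes(writes, by_pid, children):
    """WriteProcessMemory into a process that is not the writer's descendant.

    Writes into a freshly created child happen during normal start-up and are
    ignored; a write into an unrelated process is the injection primitive.
    """
    alerts, seen = [], set()
    for writer, target in writes:
        if (writer, target) in seen:
            continue
        seen.add((writer, target))
        if target not in descendants(children, writer):
            alerts.append({"writer": writer, "writer_image": _name(by_pid[writer][2]),
                           "target": target, "target_image": _name(by_pid[target][2])})
    return alerts


def render(by_pid, children, pid=None, depth=0):
    """Indented tree in the style of the report's Processes section."""
    roots = [pid] if pid is not None else \
        [p for p, (_, ppid, _, _) in by_pid.items() if ppid not in by_pid]
    lines = []
    for root in roots:
        _, _, image, cmd = by_pid[root]
        lines.append("  " * depth + _name(image) + " (PID " + str(root) + "): " + cmd)
        for child in children.get(root, ()):
            lines.extend(render(by_pid, children, child, depth + 1))
    return lines


if __name__ == "__main__":
    by_pid, children = build_tree(PROCS)
    print("\n".join(render(by_pid, children)))
    for a in service_stops(PROCS, by_pid):
        print("service stop:", a)
    for a in foreign_writes(WRITES, by_pid, children):
        print("foreign write:", a)
```

On the report's data this yields two service-stop alerts with the chain Explorer.EXE -> fa18e10a.exe -> Logo1_.exe -> net.exe (-> net1.exe) and exactly one foreign write, Logo1_.exe into Explorer.EXE; the twelve writes into direct children are correctly ignored.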
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 251KB
MD5: c65bcc4201f7f618a8ce6de5677fa65a
SHA1: 2992b7d62355470ced5ed4bc5a640f2cf8978278
SHA256: d460b00e491d72836b5f489a1c506f03077eda1ceaf7f0fb07bbe6c66c0e0962
SHA512: d2b45731d044e91583ef3bde0e33f0c6131ba2145a9211aa866c61cde5d07de2522e3f8713adcc40d5e897789b62eb891f275c2c074c47ceb3934a8fbf2c74cc

Filesize: 570KB
MD5: 1c434a8089bce96d071ae9a9af3352c3
SHA1: 8a491f89890b07401225fa78ce37a2f27f77659a
SHA256: 1f977cacc50fbf59979c0dcc35e250abc63309b1e9f95258fe59b74024b44f92
SHA512: 810648c4c4b5f3f08b3884c59f48158976fe36f1e30bcd505d2c998f342d787518075e3a0a8c00b3eaa464c4b03dff998228d4fe3b87daeb7f10fa0d4a542f73

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 636KB
MD5: 2500f702e2b9632127c14e4eaae5d424
SHA1: 8726fef12958265214eeb58001c995629834b13a
SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Filesize: 722B
MD5: 80002797289e6570b84223084ad7d396
SHA1: 172a777538fc6e0eff0a87e7c9526074239bb117
SHA256: c0298b1554b614837c7aaa85d602f4faff764ee1f8530bbb803b37d5a05cb8d5
SHA512: d48357ac7d89f8c9d0bbc652cdb753ce4e581aaf52a78fba1c1d56304136bf1d2f0c79baec09492de0cc331887a074852a90cca7ca5b100048eecc3a656eebea

C:\Users\Admin\AppData\Local\Temp\fa18e10af4ef35d0e8d9967d587b7a9be2b9c6f983b337675e317011f5d6b31f.exe.exe
Filesize: 3.0MB
MD5: ffa2b8e17f645bcc20f0e0201fef83ed
SHA1: a1a1174843ddac048b9fdf2808add848873f320a
SHA256: 2b42729ba9cd20511a28398279009e10533b0d911164a3f4af58a25ce2916530
SHA512: 0afcdfc7a7509deed88c81552e881fa5e0405f3b87fb3732c2a2507dd19c47c41a074fa905bdef72bd4a6087b5962054b8953affac13b083eecbdf05552d1ef5

Filesize: 26KB
MD5: 736bfccf89b0055bacacf13bc37b50ce
SHA1: dabc333f28e954f49aa80a3b0531160ae5bdec82
SHA256: 6fa3aa279929eee03df371ace16a751b2184da323b9c72ab97bb36c947aa12c3
SHA512: a7af014c4f8d3af22c2fe20fbd50a6c52d17d77adf0e59365e67c98fbdbd4890a96d2b010e42728bb33f92ab468e1ec50449fb97c10c3204ac13c49d9ef8d578

Filesize: 9B
MD5: 72b7e38c6ba037d117f32b55c07b1a9c
SHA1: 35e2435e512e17ca2be885e17d75913f06b90361
SHA256: e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6
SHA512: 2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a