Analysis
max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20/04/2024, 15:24
Static task: static1
Behavioral task: behavioral1
  Sample: bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe
  Resource: win10v2004-20240412-en
General
Target: bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe
Size: 88KB
MD5: 0e18bab366112f1cc14f3bd0607ce80d
SHA1: 7ca6a3291287edee5f35e822a9a57ba381ecb801
SHA256: bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8
SHA512: 948a48a7e5ff0d2d147c0e041b367f7abe739fb816f30063f024b67a3a0798e2b2ca72c3d139d2a548d6599e75c987688ea65daf5cd0e43b099c8a289ee2fe0e
SSDEEP: 1536:p6/3SHuJV9Ntyapmebn4ddJZeY86iLflLJYEIs67rxo:p6/kuJVL8LK4ddJMY86ipmns6S
Malware Config
Signatures
Deletes itself (1 IoC)
- pid 2668, process cmd.exe

Executes dropped EXE (2 IoCs)
- pid 2908, process Logo1_.exe
- pid 2804, process bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe

Loads dropped DLL (1 IoC)
- pid 2668, process cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 21 entries are "File opened (read-only)" by process Logo1_.exe, in the order recorded:
- \??\Y:
- \??\V:
- \??\R:
- \??\K:
- \??\G:
- \??\Z:
- \??\S:
- \??\Q:
- \??\O:
- \??\E:
- \??\J:
- \??\W:
- \??\U:
- \??\T:
- \??\P:
- \??\N:
- \??\M:
- \??\L:
- \??\I:
- \??\X:
- \??\H:
Drops file in Program Files directory (64 IoCs)
All 64 entries are attributed to process Logo1_.exe. The pattern is a _desktop.ini written into every Program Files subdirectory the process can reach, plus "opened for modification" on a handful of existing executables (NAMECONTROLSERVER.EXE, javacpl.exe, rmic.exe, ImagingDevices.exe, tnameserv.exe, TabTip32.exe):
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Defender\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
- File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini
- File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\_desktop.ini
- File opened for modification: C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
- File created: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini
- File created: C:\Program Files\MSBuild\Microsoft\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\_desktop.ini
- File created: C:\Program Files (x86)\Internet Explorer\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini
- File created: C:\Program Files\Windows Mail\de-DE\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini
- File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Google\Temp\_desktop.ini
- File created: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini
- File created: C:\Program Files\7-Zip\_desktop.ini
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini
- File created: C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini
- File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini
- File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\rundl132.exe, by bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe
- File created: C:\Windows\Logo1_.exe, by bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe
- File opened for modification: C:\Windows\rundl132.exe, by Logo1_.exe
- File created: C:\Windows\vDll.dll, by Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
- pid 2908, process Logo1_.exe (all 10 entries)
Suspicious use of WriteProcessMemory (22 IoCs)
Columns: description / pid / process / procid_target. The 22 entries collapse to six parent-to-child edges, each recorded four times except the last:
- PID 1728 wrote to memory of 2668 / 1728 / bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe / 28 (4 entries)
- PID 1728 wrote to memory of 2908 / 1728 / bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe / 29 (4 entries)
- PID 2908 wrote to memory of 2584 / 2908 / Logo1_.exe / 31 (4 entries)
- PID 2668 wrote to memory of 2804 / 2668 / cmd.exe / 33 (4 entries)
- PID 2584 wrote to memory of 2656 / 2584 / net.exe / 34 (4 entries)
- PID 2908 wrote to memory of 1172 / 2908 / Logo1_.exe / 21 (2 entries)
Processes
Indentation shows the parent/child relationship; the bracketed text is the recorded command line.

C:\Windows\Explorer.EXE [C:\Windows\Explorer.EXE] PID:1172
  C:\Users\Admin\AppData\Local\Temp\bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe ["C:\Users\Admin\AppData\Local\Temp\bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe"] PID:1728
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe [cmd /c C:\Users\Admin\AppData\Local\Temp\$$a233A.bat] PID:2668
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe ["C:\Users\Admin\AppData\Local\Temp\bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe"] PID:2804
        - Executes dropped EXE
    C:\Windows\Logo1_.exe [C:\Windows\Logo1_.exe] PID:2908
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe [net stop "Kingsoft AntiVirus Service"] PID:2584
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe [C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"] PID:2656
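The Signatures and the process tree above amount to five behaviours a detection engineer can re-check on endpoint telemetry: a file dropped directly into C:\Windows, a dropped executable being run, read-only opens of many non-C: drive roots, mass _desktop.ini creation under Program Files, and a net.exe / net1.exe stop of an antivirus service, plus the cmd.exe /c $$....bat self-delete. The following is an added example written for this page, not code from tria.ge or from the sample. It assumes a simplified Sysmon-like event dictionary (type, pid, ppid, image, cmdline, path), a constructed event list that mirrors the report's IoCs with the sample renamed to sample.exe, and two thresholds chosen here (at least five non-C: drive roots, at least ten _desktop.ini creations); none of these are tria.ge's internal formats or thresholds.

```python
import re
from collections import defaultdict

# Constructed sample events that mirror the report's IoCs (not a captured log).
# The dict layout is a simplified Sysmon-like format assumed for this example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
EVENTS = [
    {"type": "process", "pid": 1172, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"type": "process", "pid": 1728, "ppid": 1172, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"type": "file_create", "pid": 1728, "path": r"C:\Windows\rundl132.exe"},
    {"type": "file_create", "pid": 1728, "path": r"C:\Windows\Logo1_.exe"},
    {"type": "process", "pid": 2668, "ppid": 1728, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a233A.bat"},
    {"type": "process", "pid": 2908, "ppid": 1728, "image": r"C:\Windows\Logo1_.exe",
     "cmdline": r"C:\Windows\Logo1_.exe"},
    # the 21 drive roots the report lists, opened by Logo1_.exe
    *[{"type": "file_open", "pid": 2908, "path": "\\??\\" + d + ":"} for d in "YVRKGZSQOEJWUTPNMLIXH"],
    # a slice of the _desktop.ini drops (64 in the report; 40 constructed here)
    *[{"type": "file_create", "pid": 2908, "path": "C:\\Program Files\\App%d\\_desktop.ini" % i}
      for i in range(40)],
    {"type": "file_create", "pid": 2908, "path": r"C:\Windows\vDll.dll"},
    {"type": "process", "pid": 2584, "ppid": 2908, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"type": "process", "pid": 2656, "ppid": 2584, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    # benign control: Explorer opening the system drive root must not fire anything
    {"type": "file_open", "pid": 1172, "path": r"\??\C:"},
]

DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$", re.I)            # \??\X:  (NT object path)
PF_DESKTOP_INI = re.compile(r"^C:\\Program Files(?: \(x86\))?\\.*\\_desktop\.ini$", re.I)
WINDIR_DROP = re.compile(r"^C:\\Windows\\[^\\]+$", re.I)         # file directly under C:\Windows
AV_STOP = re.compile(r'(?:^|\\)net1?(?:\.exe)?\s+stop\s+"?[^"]*anti.?virus', re.I)
TEMP_BAT = re.compile(r"cmd(?:\.exe)?\s+/c\s+.*\\Temp\\\$\$[0-9A-F]+\.bat", re.I)

DRIVE_MIN = 5          # assumed threshold for "enumerates connected drives"
DESKTOP_INI_MIN = 10   # assumed threshold for mass _desktop.ini dropping


def analyze(events):
    """Return {pid: sorted signature names} for every process that triggered at least one."""
    drives = defaultdict(set)      # pid -> set of non-C: drive letters opened
    ini_drops = defaultdict(int)   # pid -> count of _desktop.ini created under Program Files
    dropped = set()                # lower-cased paths created earlier in the run
    findings = defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "file_open":
            m = DRIVE_ROOT.match(ev["path"])
            if m and m.group(1).upper() != "C":
                drives[pid].add(m.group(1).upper())
        elif kind == "file_create":
            path = ev["path"]
            dropped.add(path.lower())
            if PF_DESKTOP_INI.match(path):
                ini_drops[pid] += 1
            if WINDIR_DROP.match(path):
                findings[pid].add("drops_file_in_windows_dir")
        elif kind == "process":
            # "Executes dropped EXE": the image was written by an earlier event in this run
            if ev["image"].lower() in dropped:
                findings[pid].add("executes_dropped_exe")
            if AV_STOP.search(ev["cmdline"]):
                findings[pid].add("stops_av_service")
            if TEMP_BAT.search(ev["cmdline"]):
                findings[pid].add("self_delete_batch")
    for pid, letters in drives.items():
        if len(letters) >= DRIVE_MIN:
            findings[pid].add("enumerates_drives")
    for pid, n in ini_drops.items():
        if n >= DESKTOP_INI_MIN:
            findings[pid].add("mass_desktop_ini_in_program_files")
    return {pid: sorted(names) for pid, names in findings.items()}


def process_chain(events, pid):
    """Walk ppid links back to the root and return image names root-first (the tree path)."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"].rsplit("\\", 1)[-1])
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, names in sorted(analyze(EVENTS).items()):
        print(pid, " -> ".join(process_chain(EVENTS, pid)), names)
```

The "executes dropped EXE" check depends on event order (the create must precede the process start), which is how the report's own tree reads: PID 1728 writes C:\Windows\Logo1_.exe and only then spawns it. The drive-root regex matches the NT object-manager form (\??\Y:) that the sandbox records, not the Win32 Y:\ form, so adapt it if your telemetry normalises paths.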
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 254KB
MD5: 18e65d907d829563c7ce11bb985b4e84
SHA1: a9c8843656dcc4627d61f5bdcc9dbc99e2bee722
SHA256: 0aa7e3650145bb8761df0e61535e95ad77a3a1872ad2fd0d1c7b70749ffe60e9
SHA512: 5450a6a00a9aed6f9686e73a35038606ac9b9f0a33db90dd0e5fa100a61c7efb35e05a13dc13f6ffe7070ba8e9bdfa04a1fbe6df6e060ee333548cc3c6798406
-
Filesize: 474KB
MD5: 8beab7d90559fe385c30b08b3cc454d2
SHA1: 65e627284e5c6b1a28618d976575bbade15d7160
SHA256: 3662c245331ac74241676bc8de866ceadf1b77fd58bd094b05f8921c287f7995
SHA512: 5c2544684b45354d204d6be7548c57a7e3b00f4042d535dfd2ac4670a99f2ca0590bcd781992178ccf83e56af38db13d646c10c166a05983ebdb050441d2d887
-
Filesize: 722B
MD5: 82fe7c50b789a1ae6cda8f1524bc3f1d
SHA1: 39d0895e0a58d622ec0452bef87c12b8e8ab06f3
SHA256: 484c54f02caaf81db34a3caa71a1bccefbec87d3c13534b01b83a7c91216899e
SHA512: 6f55fe7e64b72bf5d85803ba38145f039d084e2cd47e30a2ca9e69e45b170a9fbf0b02110ed58931e8e97d001e40b65f46ca83b78f767de998e2c5b095b51f33
-
C:\Users\Admin\AppData\Local\Temp\bba51aa558cb580d6e7c475b34dea201d622e021b35da45a1163aa6fcc580bc8.exe.exe
Filesize: 59KB
MD5: dfc18f7068913dde25742b856788d7ca
SHA1: cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
SHA256: ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
SHA512: d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945
-
Filesize: 29KB
MD5: 59a3b94b96eabb2e6f66bb392487225e
SHA1: 32a84af834c0522cafb7d65911978a7da266ef50
SHA256: 58c5cd7b74f349cc46e27f7db6fd3a1f6016d7d755f39ecba3afdefb2b9e81f2
SHA512: 623d9390f1d0b0987eb611d334b61a306bc9ee0bae8536e76578d90448d85a731aadebf8f0792da54bb485819ec31b236baa5611aece214e11830e74c2545048
-
Filesize: 9B
MD5: 27729a3995958245e2d6799df42e26e7
SHA1: dfe386f53277c8387b50122f3fda9bc2467815ba
SHA256: 9313041e89d4585b2606afa4809b101e7e8a2c944d063a28c796b0c0f070b5f1
SHA512: ba9157cea7ca5c01b52e2a4a758f4e12e018990e49f1ece5fa6d83423f37a0a4dd5246d9b01e5e212d5e8c36a66a8d0e2645bc73753671295965a855a5028ec6