Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
submitted: 23/04/2024, 00:14
Static task: static1
Behavioral task: behavioral1
  Sample: b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe
  Resource: win10v2004-20240412-en
General
Target: b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe
Size: 49KB
MD5: 5233018ae9929103e578e6abbe0baee6
SHA1: 588aec4baaf13e11293f172a15bc49f8a957c461
SHA256: b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864
SHA512: 1be91ee1775dd674a8c3295c87f10b46d28893219d2e68363b91ee9af486a912b376cdc2ab66d042011e324aaf6cfcdaf9324284f2d5cacb673e361aa8bb3abe
SSDEEP: 768:pr16GVRu1yK9fMnJG2V9dHS8bnV9P85GB2FlFfNDG7qHUf2h:pB3SHuJV9NHV9kFfO2Uf
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  1056  Logo1_.exe
  4384  b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\G:  Logo1_.exe
  File opened (read-only)  \??\Z:  Logo1_.exe
  File opened (read-only)  \??\Y:  Logo1_.exe
  File opened (read-only)  \??\T:  Logo1_.exe
  File opened (read-only)  \??\N:  Logo1_.exe
  File opened (read-only)  \??\H:  Logo1_.exe
  File opened (read-only)  \??\M:  Logo1_.exe
  File opened (read-only)  \??\J:  Logo1_.exe
  File opened (read-only)  \??\K:  Logo1_.exe
  File opened (read-only)  \??\E:  Logo1_.exe
  File opened (read-only)  \??\V:  Logo1_.exe
  File opened (read-only)  \??\S:  Logo1_.exe
  File opened (read-only)  \??\R:  Logo1_.exe
  File opened (read-only)  \??\P:  Logo1_.exe
  File opened (read-only)  \??\O:  Logo1_.exe
  File opened (read-only)  \??\I:  Logo1_.exe
  File opened (read-only)  \??\X:  Logo1_.exe
  File opened (read-only)  \??\W:  Logo1_.exe
  File opened (read-only)  \??\U:  Logo1_.exe
  File opened (read-only)  \??\Q:  Logo1_.exe
  File opened (read-only)  \??\L:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\rundl132.exe  b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe
  File created                  C:\Windows\Logo1_.exe    b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created                  C:\Windows\vDll.dll      Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   Process
  1056  Logo1_.exe  (the same entry is reported 20 times)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                      pid   Process
  Token: SeManageVolumePrivilege  3868  svchost.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 3184 wrote to memory of 3756   3184  b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe  87
  PID 3184 wrote to memory of 3756   3184  b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe  87
  PID 3184 wrote to memory of 3756   3184  b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe  87
  PID 3184 wrote to memory of 1056   3184  b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe  88
  PID 3184 wrote to memory of 1056   3184  b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe  88
  PID 3184 wrote to memory of 1056   3184  b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe  88
  PID 1056 wrote to memory of 1744   1056  Logo1_.exe                                                                90
  PID 1056 wrote to memory of 1744   1056  Logo1_.exe                                                                90
  PID 1056 wrote to memory of 1744   1056  Logo1_.exe                                                                90
  PID 1744 wrote to memory of 996    1744  net.exe                                                                   92
  PID 1744 wrote to memory of 996    1744  net.exe                                                                   92
  PID 1744 wrote to memory of 996    1744  net.exe                                                                   92
  PID 3756 wrote to memory of 4384   3756  cmd.exe                                                                   93
  PID 3756 wrote to memory of 4384   3756  cmd.exe                                                                   93
  PID 1056 wrote to memory of 3344   1056  Logo1_.exe                                                                56
  PID 1056 wrote to memory of 3344   1056  Logo1_.exe                                                                56
Processes

C:\Windows\Explorer.EXE  (PID 3344)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe  (PID 3184)
    command line: "C:\Users\Admin\AppData\Local\Temp\b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 3756)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a368C.bat
      signatures: Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe  (PID 4384)
        command line: "C:\Users\Admin\AppData\Local\Temp\b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe"
        signatures: Executes dropped EXE
    C:\Windows\Logo1_.exe  (PID 1056)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe  (PID 1744)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  (PID 996)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\system32\rundll32.exe  (PID 4044)
  command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe  (PID 3868)
  command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize 254KB
  Filesize 573KB
  C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe  (Filesize 639KB)
  Filesize 722B
  C:\Users\Admin\AppData\Local\Temp\b32e65411ba5e9940590c8a97914eaab5648fa7642f13c6f642e0b083f57e864.exe.exe  (Filesize 20KB)
  Filesize 29KB
  Filesize 9B