Analysis
- max time kernel: 108s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/04/2024, 02:14 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe
- Resource: win10v2004-20240226-en
General
- Target: d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe
- Size: 66KB
- MD5: 8e7d06f73c3b09ef05898f8c4f25a12d
- SHA1: beb6e663072fc2cb0b9058a2dc0a862c4e847dab
- SHA256: d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1
- SHA512: 74ccd60b44ca1c1200534b3ee5aa2aaee1c7f281db3d6d88eccb199f5088f84686554c6e8f0aff0f4f62fe5a25fb94b3797c23193b8740c26449ed1537b011e3
- SSDEEP: 1536:p3C3SHuJV9NBriw+d9bHrkT5gUHz7FxtJ:pSkuJVLBrBkfkT5xHzD
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)

| pid | Process |
|---|---|
| 4732 | Logo1_.exe |
| 2900 | d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe |

- Enumerates connected drives (3 TTPs, 21 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

File opened (read-only) by Logo1_.exe: \??\X:, \??\V:, \??\T:, \??\Q:, \??\L:, \??\H:, \??\S:, \??\R:, \??\N:, \??\K:, \??\I:, \??\G:, \??\E:, \??\Z:, \??\Y:, \??\W:, \??\P:, \??\M:, \??\U:, \??\O:, \??\J:

- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\rundl132.exe | d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe |
| File created | C:\Windows\Logo1_.exe | d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe |
| File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe |
| File created | C:\Windows\vDll.dll | Logo1_.exe |

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (20 IoCs)

pid 4732, Process Logo1_.exe (the same entry is listed 20 times)

- Suspicious use of WriteProcessMemory (16 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2252 wrote to memory of 2240 | 2252 | d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe | 91 |
| PID 2252 wrote to memory of 2240 | 2252 | d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe | 91 |
| PID 2252 wrote to memory of 2240 | 2252 | d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe | 91 |
| PID 2252 wrote to memory of 4732 | 2252 | d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe | 92 |
| PID 2252 wrote to memory of 4732 | 2252 | d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe | 92 |
| PID 2252 wrote to memory of 4732 | 2252 | d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe | 92 |
| PID 4732 wrote to memory of 820 | 4732 | Logo1_.exe | 94 |
| PID 4732 wrote to memory of 820 | 4732 | Logo1_.exe | 94 |
| PID 4732 wrote to memory of 820 | 4732 | Logo1_.exe | 94 |
| PID 2240 wrote to memory of 2900 | 2240 | cmd.exe | 96 |
| PID 2240 wrote to memory of 2900 | 2240 | cmd.exe | 96 |
| PID 820 wrote to memory of 1456 | 820 | net.exe | 97 |
| PID 820 wrote to memory of 1456 | 820 | net.exe | 97 |
| PID 820 wrote to memory of 1456 | 820 | net.exe | 97 |
| PID 4732 wrote to memory of 3300 | 4732 | Logo1_.exe | 55 |
| PID 4732 wrote to memory of 3300 | 4732 | Logo1_.exe | 55 |
Processes
- C:\Windows\Explorer.EXE (level 1, PID 3300)
  - C:\Users\Admin\AppData\Local\Temp\d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe (level 2, PID 2252); command line: "C:\Users\Admin\AppData\Local\Temp\d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe"; signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 2240); command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB17.bat; signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe (level 4, PID 2900); command line: "C:\Users\Admin\AppData\Local\Temp\d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe"; signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (level 3, PID 4732); command line: C:\Windows\Logo1_.exe; signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (level 4, PID 820); command line: net stop "Kingsoft AntiVirus Service"; signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (level 5, PID 1456); command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1, PID 4672); command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network

All flows are DNS PTR (reverse) lookups sent to 8.8.8.8:53. Sent/received are bytes; the two counts are requests and responses for that flow.

| Query | Type | Answer | Sent | Received | Requests | Responses |
|---|---|---|---|---|---|---|
| 241.150.49.20.in-addr.arpa | PTR | (empty) | 72 B | 158 B | 1 | 1 |
| 249.197.17.2.in-addr.arpa | PTR | a2-17-197-249.deploy.static.akamaitechnologies.com | 71 B | 135 B | 1 | 1 |
| 14.160.190.20.in-addr.arpa | PTR | (empty) | 72 B | 158 B | 1 | 1 |
| 95.221.229.192.in-addr.arpa | PTR | (empty; queried twice, one response) | 146 B | 144 B | 2 | 1 |
| 13.86.106.20.in-addr.arpa | PTR | (empty) | 71 B | 157 B | 1 | 1 |
| 149.220.183.52.in-addr.arpa | PTR | (empty) | 73 B | 147 B | 1 | 1 |
| 50.23.12.20.in-addr.arpa | PTR | (empty) | 70 B | 156 B | 1 | 1 |
| 18.31.95.13.in-addr.arpa | PTR | (empty) | 70 B | 144 B | 1 | 1 |
| 17.143.109.104.in-addr.arpa | PTR | a104-109-143-17.deploy.static.akamaitechnologies.com | 73 B | 139 B | 1 | 1 |
| 96.136.73.23.in-addr.arpa | PTR | a23-73-136-96.deploy.static.akamaitechnologies.com | 71 B | 135 B | 1 | 1 |
| 23.236.111.52.in-addr.arpa | PTR | (empty) | 72 B | 158 B | 1 | 1 |
| 218.110.86.104.in-addr.arpa | PTR | a104-86-110-218.deploy.static.akamaitechnologies.com | 73 B | 139 B | 1 | 1 |
Downloads
- (unnamed file)
  - Filesize: 41KB
  - MD5: b9f374aaadad9fcad59af55d73719649
  - SHA1: 33712387e466d06f5e4b26c54e8298c9861042af
  - SHA256: 807d72b8f6ebdaacc86660f06f404d54e00eaba546c54258d3e105a835eafeb5
  - SHA512: 9547abe2214af1f9fdc6558a613e1890f28d9dead4c131b56aa3ab1cbbf0b154719c4ebc46939717932afabaff42c2d7c345ccbaaa253a2749aae89d32757f9a
- (unnamed file)
  - Filesize: 396KB
  - MD5: aadfa2155c6085c8ceee53471b7d6333
  - SHA1: 8e595cef42bc3bda65af8ebe89f5ec437f7d499b
  - SHA256: f2628936221d41606b949c19a3ef2390f1b86c531fa90857c5e66b10b475d105
  - SHA512: dafeb74cf7ec6296bfbe7b9948388c67b97080d30f6f10b7aa96a5e26ec60ea4003c28b3870be59055bc8f0065517353d351af02e659dfd90a434a4d7de7d8cd
- (unnamed file)
  - Filesize: 721B
  - MD5: b65b21e0db39fa82b4681d4c19ce62b7
  - SHA1: 7e007641060c984a10b8b3bb869a1f2d150d6003
  - SHA256: e50f58d633e1c9e9e3995f3dab8b59328b7abf7abb3101f3b5065184dfd94629
  - SHA512: 001d7680084b4c37a3b73be9c715579101e3015d1a934f77f246de8e81af2119e11c96b426d72098f1ca73d981ff6c4985f0da4bbc70aa6c3388a90597fa0543
- C:\Users\Admin\AppData\Local\Temp\d8d68a4cd2cb9e6dc2b6a2deef71379db805b640a49ff87896e2b05514322dd1.exe.exe
  - Filesize: 36KB
  - MD5: 9f498971cbe636662f3d210747d619e1
  - SHA1: 44b8e2732fa1e2f204fc70eaa1cb406616250085
  - SHA256: 8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41
  - SHA512: b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93
- (unnamed file)
  - Filesize: 29KB
  - MD5: 25953e4f0f0e4091d08c35a393bd1085
  - SHA1: ae497a759bf8fa1223e3afa4b54819b173d4be19
  - SHA256: 809b14b494567b982e5c4b70c57c78362ea5eafaf81ade1e1a156cda75f70846
  - SHA512: 3a25d7816bcf28fbb267e5fcc1f39e820c5b732cfced164e7110184d704e49b05b3cd298b7fc3108b59b9b403a32e8b24344cfd2d72dbe616837157ba3b03a6a
- (unnamed file)
  - Filesize: 9B
  - MD5: 7ef570b2b21e58fd906ef1a980d64425
  - SHA1: 18502489f652e74f8972bbfa100d5c163d719ab7
  - SHA256: c3ce1b9216b58ac7d9ed3b93e5e3a1d6a2473b53b5bc1f008a621def49517055
  - SHA512: e1175d861a79d62b85cd18661375f1c956dcc97e958765dc225f3aa4b0f0100ca9e17b9c61f5e18fc2a96e5167c0563f60645033aff1be1ec2f372c1b9a8b35f