Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13/05/2024, 20:15
Static task
static1
Behavioral task
behavioral1
Sample
109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe
Resource
win10v2004-20240508-en
General
-
Target
109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe
-
Size
573KB
-
MD5
4c40da2c299470aff4edf636d594d13b
-
SHA1
6491a499509372897548f7e1e5d58f60b481570a
-
SHA256
109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc
-
SHA512
c409c8c2d1741ff3c2419e589d3c9bcdb776d5a5ac174516e7b9a40e9f707ad48ca0036e255e2499845b163575dc838d17614b5341d1b15b29f4a7b887e58af0
-
SSDEEP
6144:MtuJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQG:s7a3iwbihym2g7XO3LWUQfh4Co
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 5104 Logo1_.exe 2600 109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\node_modules\reactxp-experimental-navigation\NavigationExperimental\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe Logo1_.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\View3d\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\VisualElements\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\_desktop.ini Logo1_.exe File created C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-sl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Google\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe 109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe File created C:\Windows\Logo1_.exe 109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe 5104 Logo1_.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4856 wrote to memory of 4348 4856 109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe 89 PID 4856 wrote to memory of 4348 4856 109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe 89 PID 4856 wrote to memory of 4348 4856 109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe 89 PID 4856 wrote to memory of 5104 4856 109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe 90 PID 4856 wrote to memory of 5104 4856 109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe 90 PID 4856 wrote to memory of 5104 4856 109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe 90 PID 5104 wrote to memory of 1084 5104 Logo1_.exe 91 PID 5104 wrote to memory of 1084 5104 Logo1_.exe 91 PID 5104 wrote to memory of 1084 5104 Logo1_.exe 91 PID 1084 wrote to memory of 1880 1084 net.exe 95 PID 1084 wrote to memory of 1880 1084 net.exe 95 PID 1084 wrote to memory of 1880 1084 net.exe 95 PID 4348 wrote to memory of 2600 4348 cmd.exe 97 PID 4348 wrote to memory of 2600 4348 cmd.exe 97 PID 5104 wrote to memory of 3460 5104 Logo1_.exe 56 PID 5104 wrote to memory of 3460 5104 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe"C:\Users\Admin\AppData\Local\Temp\109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF2BC.bat3⤵
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Users\Admin\AppData\Local\Temp\109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe"C:\Users\Admin\AppData\Local\Temp\109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe"4⤵
- Executes dropped EXE
PID:2600
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:1880
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:81⤵PID:2916
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD5f134d58f0c72c193a05ff5819d09f8d6
SHA185c6d5b8cb938c5b8b7437693a4f6e97caa94fdf
SHA2560b329835e955ce06b673448b91b9bea022bc741cd855123dd5f8988d4385b031
SHA51227c84f45bacb5c95ca340b6a8da7a81ece4cdb3adf2c3f85726f79c7a35cf7b6eb37c6703b6c275d5861ea0585c43c2bbc95f5331aec240ee234fceb72ed33c6
-
Filesize
573KB
MD54c40da2c299470aff4edf636d594d13b
SHA16491a499509372897548f7e1e5d58f60b481570a
SHA256109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc
SHA512c409c8c2d1741ff3c2419e589d3c9bcdb776d5a5ac174516e7b9a40e9f707ad48ca0036e255e2499845b163575dc838d17614b5341d1b15b29f4a7b887e58af0
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize639KB
MD5c15cc0560a1f2ab80b80767643b0c1c5
SHA1351e72917155ff3e811334fd55a35be7c7cdf6ea
SHA256c17ea05f90a728f32aa972ff92de25f799ce043ba5a3db5f10b5557f31916858
SHA51211bb18446a38b70dd24c9877ef95d5764d001a8c936cfcb9a5a15275942226cdbb74a1c331d423ccf05b27ea68259e6306dba5ab0ad85b17ec41a15fcdcd4289
-
Filesize
722B
MD5e7f1b9debfe664cd9c067e9740d12eb1
SHA1e293329e8eb4a5035c2f7cf22d10afd0e4bae7b4
SHA2561fb15c01786ccadc0ef8518b2aad610ce09ad292f389b0fdc73ee90c1fc0aed6
SHA5126e0ff36b8d46514b32350b0810a25f363d28b6b89d14432e890b153fd4f5c52a4b2567b4d65fca0b47db5270b987e67bb8ad70b18eb88b9010eb3f403d8c037d
-
C:\Users\Admin\AppData\Local\Temp\109da4ab2ac58cae981ee416663d723dd0ce0b44bac2f48d101082388ba4c9cc.exe.exe
Filesize544KB
MD59a1dd1d96481d61934dcc2d568971d06
SHA1f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA2568cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA5127ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa
-
Filesize
29KB
MD5af29fb6a5adf025d9127df13f942d7d2
SHA172d13969443440eb123cfb43f924c4959eae7638
SHA256d83088ef692a221a033bfb31d7178f7f04182df4480ac946b53807fda9cdd040
SHA51210c6c2a56386b35f52e8b220def9cace7a57a70672a97aeb3c95df14d832416d6057fabccd86c4f473e354a87e378ff0ac3cf0e503ee3db9f909897ef7776079
-
Filesize
9B
MD5392ab9dcf5a9daf53626ea1f2e61d0b9
SHA10a2cdc7f8f9edf33f9fde3f8b90e0020190c8fb7
SHA2569bbc94aad502d7d7a7f502ddb9cbd93b1c89eff13e445971c94ac09215ada67d
SHA5125d1fea63a7793a65dc63c32cfe3ab2e1af941ded8e760f08fbe991e5b30433f86f920d717235a635020740c8f6f7996b4b8e8147e331b29141fcbb7bdc68144d