Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 04:47
Static task: static1
Behavioral task: behavioral1
  Sample: ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
  Resource: win10v2004-20240508-en
General
Target: ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
Size: 179KB
MD5: 81325cd4b583dd573500319142c6ec53
SHA1: 2ca3d9cac674694e1366916117f9238b3576b4bb
SHA256: ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a
SHA512: c879f57aba2904a4a12037ef7939cc2a9c1ba3217179f6bdb505540fe2511b69b36638c2ac59b19233e952aa73e5472a200bc75873712a339a4a5888fabadb2a
SSDEEP: 3072:xAyLd0K/JdOydO/COH//kxBsg87jT14yBHlMCTok+sul:XLZ/JdnOTHkxOg87GyBH9j+5l
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid 1016  Logo1_.exe
  pid 1240  ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Logo1_.exe opened (read-only): \??\N: \??\K: \??\I: \??\G: \??\S: \??\R: \??\P: \??\E: \??\Y: \??\T: \??\H: \??\Z: \??\V: \??\M: \??\Q: \??\O: \??\L: \??\J: \??\X: \??\W: \??\U:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
  File created C:\Windows\Logo1_.exe  by ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
  File created C:\Windows\vDll.dll  by Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid 1016  Logo1_.exe (16 occurrences)
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 512 wrote to memory of 216    (ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe, procid_target 91) x3
  PID 512 wrote to memory of 1016   (ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe, procid_target 92) x3
  PID 1016 wrote to memory of 2368  (Logo1_.exe, procid_target 93) x3
  PID 2368 wrote to memory of 1812  (net.exe, procid_target 96) x3
  PID 216 wrote to memory of 1240   (cmd.exe, procid_target 97) x2
Processes
C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe"
  PID: 512
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE6B6.bat
    PID: 216
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe"
      PID: 1240
      - Executes dropped EXE
  C:\Windows\Logo1_.exe
    Command line: C:\Windows\Logo1_.exe
    PID: 1016
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 2368
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 1812
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:8
  PID: 3508
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 750KB
MD5: 74a562bc868f4b6042abe60236d381e0
SHA1: 1f30ac25a134b2c211ee3280123feb89cc522c87
SHA256: ecdace247ec475259f3a7bdddc7390dba1a4c643b1b8456fba7721b29cbc3fc9
SHA512: a1ec48ec10da7b63598d8164739fc99ab49c5b604c7aeb87cdb0a3c0a4116ce9e0da498ab0cf8f0a3db3dc34b368cf4f37ed5c6a724bf52e307b2f521d426647

Filesize: 722B
MD5: 8941b4cbc634477749a2b516eaba100b
SHA1: 33c16c330d0727e5c25eff8bb13c8804ad3cc03a
SHA256: e336c577b42fd937bd6ef952a653082c6446c5c091ffa2082b31f568594709c6
SHA512: 5f74f50dad1d8ac1241b513fc95b0ff5cdcf00e1679fee788a991e284c373e4b813d0522c0da42388c9523dae830253958addf8b2a29b2683c6c5a67ddfc933f

C:\Users\Admin\AppData\Local\Temp\ee703982a8258bd7f378317b2e22f22911e656d0cb520604c7aa5bae476d511a.exe.exe
Filesize: 113KB
MD5: b777409e43897fbad31319874035055f
SHA1: fd279403092e23136b5c1afa1940d3c24816afd9
SHA256: cc1d59f183410a925944c92bb7e67c5f6985c158b0e9039172751ecd27874446
SHA512: 5e7baf63f18024a7e040d50cfd35c26eaae38fb6472c5575c088c7f4121952422960622e5884f88c643c715322dbbbbde046aeabe0bb0d9774416aeec1fc5ae3

Filesize: 66KB
MD5: bac152d659a8e5c8b297ee885a362ab7
SHA1: e35922075011a55e96a69695645985ed2e4d7336
SHA256: db778391e2816d919f43276cff95d64e544e28e8f4262a8722e9e904038af413
SHA512: ec5a747cd6602130886b0c04638eac550a8dc287368ff3fba6b526bd83f4f678b8ebc3d6482a0282aba720af556df91ae986cccef36c5b77465c4f0003c9a150