Analysis
- max time kernel: 149s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
- submitted: 03/06/2024, 22:32

Static task: static1

Behavioral task: behavioral1
  Sample: 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe
  Resource: win10v2004-20240426-en
General
- Target: 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe
- Size: 101KB
- MD5: 99c3a63d1ecdd268ecded4677e785f8d
- SHA1: fb9083c78e20b7cbced36047a33cabd4ecd04bfa
- SHA256: 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e
- SHA512: eb3a82d70eb616abbc87fac3fc0afc15f08342462cd4deb0313f326a0cf46581e04aca109de41a664543439d91960ceeb6071112a9a59e0f3a0f3af1cab53a64
- SSDEEP: 1536:tfgLdQAQfcfymNa2Go0VeoE4p9nV5Icq+cRXZ2N4xHuF8sQWNe5lb1PW:tftffjmNfGvE4pL4zv2NL6sRe5lxe
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  4824  Logo1_.exe
  4352  37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe

- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\P: | Logo1_.exe
  File opened (read-only) | \??\I: | Logo1_.exe
  File opened (read-only) | \??\H: | Logo1_.exe
  File opened (read-only) | \??\G: | Logo1_.exe
  File opened (read-only) | \??\Y: | Logo1_.exe
  File opened (read-only) | \??\R: | Logo1_.exe
  File opened (read-only) | \??\Q: | Logo1_.exe
  File opened (read-only) | \??\O: | Logo1_.exe
  File opened (read-only) | \??\N: | Logo1_.exe
  File opened (read-only) | \??\U: | Logo1_.exe
  File opened (read-only) | \??\V: | Logo1_.exe
  File opened (read-only) | \??\W: | Logo1_.exe
  File opened (read-only) | \??\X: | Logo1_.exe
  File opened (read-only) | \??\T: | Logo1_.exe
  File opened (read-only) | \??\S: | Logo1_.exe
  File opened (read-only) | \??\M: | Logo1_.exe
  File opened (read-only) | \??\L: | Logo1_.exe
  File opened (read-only) | \??\K: | Logo1_.exe
  File opened (read-only) | \??\J: | Logo1_.exe
  File opened (read-only) | \??\Z: | Logo1_.exe
  File opened (read-only) | \??\E: | Logo1_.exe

- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hu-hu\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Mail\wab.exe | Logo1_.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ar-ae\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ar-ae\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Logo1_.exe
  File created | C:\Program Files (x86)\Common Files\Oracle\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\x86\_desktop.ini | Logo1_.exe

- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\vDll.dll | Logo1_.exe
  File created | C:\Windows\rundl132.exe | 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe
  File created | C:\Windows\Logo1_.exe | 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   Process
  4824  Logo1_.exe  (all 20 entries are identical)

- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 3852 wrote to memory of 4560 | 3852 | 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe | 80
  PID 3852 wrote to memory of 4560 | 3852 | 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe | 80
  PID 3852 wrote to memory of 4560 | 3852 | 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe | 80
  PID 3852 wrote to memory of 4824 | 3852 | 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe | 81
  PID 3852 wrote to memory of 4824 | 3852 | 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe | 81
  PID 3852 wrote to memory of 4824 | 3852 | 37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe | 81
  PID 4824 wrote to memory of 2796 | 4824 | Logo1_.exe | 82
  PID 4824 wrote to memory of 2796 | 4824 | Logo1_.exe | 82
  PID 4824 wrote to memory of 2796 | 4824 | Logo1_.exe | 82
  PID 2796 wrote to memory of 5004 | 2796 | net.exe | 85
  PID 2796 wrote to memory of 5004 | 2796 | net.exe | 85
  PID 2796 wrote to memory of 5004 | 2796 | net.exe | 85
  PID 4560 wrote to memory of 4352 | 4560 | cmd.exe | 86
  PID 4560 wrote to memory of 4352 | 4560 | cmd.exe | 86
  PID 4824 wrote to memory of 3156 | 4824 | Logo1_.exe | 55
  PID 4824 wrote to memory of 3156 | 4824 | Logo1_.exe | 55
Processes
- C:\Windows\Explorer.EXE (PID 3156)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe (PID 3852)
    Command line: "C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4560)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3894.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe (PID 4352)
        Command line: "C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 4824)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2796)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 5004)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 251KB
  MD5: fa03025a5356ec12c1be2bf6f554120d
  SHA1: 2bcdaa6bbce818a1d260c4293a07b5076a104e56
  SHA256: 8906bb45077aeebb6eaca93bccaa133623f3b5e9dcc0b50dc4c6edcc3ea1571a
  SHA512: c78ac5d658231ba4dfb54941dfd3fb6e0752d6ec6215743679d1274bd16f5e283dca110f63db3955c23091d2de3f75c2fc5b6630e0be36ea37a16eb81b8716b0

- (no path recorded)
  Filesize: 570KB
  MD5: cdd1e1f44869a40a61f093b2806f23d3
  SHA1: 9856dd59b196a7d2100abee9edbd10c85423783f
  SHA256: 0f71dbf0dc35e50d076d2989bb16406ee436bbb1a8cdb051df58bd515fd230fa
  SHA512: efaad454eef1d53e3ec8c885914fceebd30503c4791dbe32f0aa64f97ada2c207fab228d6e20142ba793cc76bcfc7ed591fc2c25c03872a2798550e07510fb40

- C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  Filesize: 636KB
  MD5: 2500f702e2b9632127c14e4eaae5d424
  SHA1: 8726fef12958265214eeb58001c995629834b13a
  SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
  SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

- (no path recorded)
  Filesize: 722B
  MD5: d64726b56ec3ef8400d52c2dae57c28b
  SHA1: 3a833cbbf729865bdabcc8074a013ad1540befbd
  SHA256: bc5d5a4ca8c6ede9463e337933ecde58457706efd5a75eff0d7a6c07d8782073
  SHA512: 6201ba4990f7ce87e3640b1c89ba30f193881e5b39fa1880b415a4149b0437d0fc61a488cf0ee7f12fd60d9da22e379012cdad0cbc43aadfa3207df1490a4e76

- C:\Users\Admin\AppData\Local\Temp\37149157a50d5cf19a0772e3630ad85f77164193b2e8d0fd6eeeb8bd3bbf7a8e.exe.exe
  Filesize: 75KB
  MD5: a7851a05e83f42f741a804320c485083
  SHA1: b76d2e6eb6d2bf289a5118c908578906851460d0
  SHA256: 3600ff58fdb37f53562e626fd74d6f4d8d39925d711a96f221bb4aca7992926a
  SHA512: eadbfbee79aa0f34b35e0a9c9d717b3c8ac18729df8e52332b696352a2a41d0da37119ab1cb81a10bb7854b930e6479686f8fa8b5a447d48213e3c1c9304ce7b

- (no path recorded)
  Filesize: 26KB
  MD5: 4298e0c223e6572693e5a6b29279c1da
  SHA1: 5bd4c027c9433de22fec622bb7b13b863cee8de4
  SHA256: bfe4186213f6d4cc116612e337bbe7a4c713d4cd02155dd649b31bf93476bd43
  SHA512: d5df016ba3a3bcee7370ddd2aca1518fdde68dd681a17c45c8f7cf25a780be5903d49cf03410accfd8d176ce1653d9a49eb0544f5d0d1d091aa2d99fc8186ec1

- (no path recorded)
  Filesize: 8B
  MD5: a6f28952c332969f9e6d9f7d1a449737
  SHA1: 31c0826adb63cc03162fb9e88781f4b50da8f11b
  SHA256: d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208
  SHA512: 8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac