Analysis
max time kernel: 150s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/06/2024, 14:29
Static task: static1
Behavioral task: behavioral1
  Sample: 0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
  Resource: win10v2004-20240426-en
General
Target: 0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
Size: 573KB
MD5: 0fa358463d01292dc0c29cd2cb4d6ae9
SHA1: be8615293359814fefcdb50f4938d963c52daef7
SHA256: 0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b
SHA512: 2cbb5396bef624a3dfe784ecae721567146ad8c27a536dc4039d69176a73c48b6f67a9efe5dc92ad7ac0e9ccfce6e23c935d0900d4c3859a5c9dd2a5420d0c12
SSDEEP: 6144:suJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:47a3iwbihym2g7XO3LWUQfh4Co
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid 3588  Logo1_.exe
  pid 4876  0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Logo1_.exe opened (read-only) the following drive roots: \??\X:, \??\U:, \??\O:, \??\L:, \??\J:, \??\G:, \??\Z:, \??\Y:, \??\P:, \??\H:, \??\E:, \??\S:, \??\R:, \??\M:, \??\W:, \??\V:, \??\T:, \??\Q:, \??\N:, \??\K:, \??\I:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\Logo1_.exe  (0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe)
  File opened for modification: C:\Windows\rundl132.exe  (Logo1_.exe)
  File created: C:\Windows\vDll.dll  (Logo1_.exe)
  File created: C:\Windows\rundl132.exe  (0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid 3588  Logo1_.exe  (20 occurrences)
Suspicious use of WriteProcessMemory (16 IoCs)
  PID 4892 (0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe) wrote to memory of 3216, procid_target 82  (3 occurrences)
  PID 4892 (0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe) wrote to memory of 3588, procid_target 83  (3 occurrences)
  PID 3588 (Logo1_.exe) wrote to memory of 2616, procid_target 84  (3 occurrences)
  PID 2616 (net.exe) wrote to memory of 2316, procid_target 87  (3 occurrences)
  PID 3216 (cmd.exe) wrote to memory of 4876, procid_target 88  (2 occurrences)
  PID 3588 (Logo1_.exe) wrote to memory of 3416, procid_target 56  (2 occurrences)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3416
  C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4892
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a47A8.bat
      - Suspicious use of WriteProcessMemory
      PID: 3216
      C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\0651eb83a85b3585562268b7f7f1c9a90a8205c01b83f4ce0fa95204100ce48b.exe"
        - Executes dropped EXE
        PID: 4876
    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3588
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2616
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2316
Network
MITRE ATT&CK Enterprise v15
Downloads