Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09/06/2024, 23:46
Static task: static1
Behavioral task: behavioral1
  Sample: 1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe
  Resource: win10v2004-20240508-en
General
- Target: 1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe
- Size: 115KB
- MD5: 6b303388c32d448722310a1540de801c
- SHA1: bcc7a993254b392d3aef34cec71f615f7de428b9
- SHA256: 1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475
- SHA512: 2b80868e0a27c75ecde6404e8f048560435424eddd745baf1f33240abd596ebe730408f478f3cb03674893cbcf0ee636ad7b0d78b4a9cd539f09d218fe1c2aa8
- SSDEEP: 1536:xjMqxL2Q3qOLjp01Y06JdOGZqlSmQBQ0H855ZXcWn/qsL1jTWBrt:xAyLd0K/JdOj0HmXcWn/qajKv
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2680, cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2864, Logo1_.exe
  pid 2516, 1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe
- Loads dropped DLL (1 IoC)
  pid 2680, cmd.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\Y:, \??\X:, \??\W:, \??\J:, \??\I:, \??\E:, \??\Z:, \??\S:, \??\Q:, \??\G:, \??\U:, \??\T:, \??\M:, \??\H:, \??\K:, \??\V:, \??\R:, \??\P:, \??\O:, \??\N:, \??\L:
- Drops file in Program Files directory (64 IoCs)
  File opened for modification by Logo1_.exe:
  C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe
  C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
  C:\Program Files\DVD Maker\DVDMaker.exe
  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
  C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
  C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe
  C:\Program Files\Java\jre7\bin\kinit.exe
  C:\Program Files\Java\jre7\bin\unpack200.exe
  C:\Program Files\Windows Defender\MSASCui.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
  C:\Program Files\Mozilla Firefox\private_browsing.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
  C:\Program Files\Mozilla Firefox\uninstall\helper.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
  C:\Program Files (x86)\Windows Mail\wab.exe
  C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe
  C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
  C:\Program Files (x86)\Windows Sidebar\sidebar.exe
  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  C:\Program Files\Mozilla Firefox\plugin-container.exe
  C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
  C:\Program Files\Java\jre7\bin\jabswitch.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe
  C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
  C:\Program Files\Java\jre7\bin\klist.exe
  C:\Program Files\Java\jre7\bin\rmiregistry.exe
  C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
  C:\Program Files\Java\jre7\bin\ssvagent.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
  C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE
  C:\Program Files\Java\jre7\bin\javaw.exe
  C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
  C:\Program Files\Java\jre7\bin\pack200.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
  C:\Program Files\Java\jre7\bin\servertool.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
  C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
  C:\Program Files\Mozilla Firefox\crashreporter.exe
  C:\Program Files\Mozilla Firefox\pingsender.exe
  C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
- Drops file in Windows directory (2 IoCs)
  File created C:\Windows\Logo1_.exe by 1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe
  File created C:\Windows\vDll.dll by Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 2864, Logo1_.exe (8 identical entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Each parent-to-child write below is reported four times in the original log (5 distinct pairs, 20 entries):
  PID 2860 (1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe) wrote to memory of PID 2680, procid_target 28
  PID 2860 (1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe) wrote to memory of PID 2864, procid_target 29
  PID 2864 (Logo1_.exe) wrote to memory of PID 2996, procid_target 30
  PID 2996 (net.exe) wrote to memory of PID 2644, procid_target 33
  PID 2680 (cmd.exe) wrote to memory of PID 2516, procid_target 34
Processes
- C:\Users\Admin\AppData\Local\Temp\1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe (PID 2860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe"
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2680)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9195.bat
    Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe (PID 2516)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe"
      Signatures: Executes dropped EXE
  - C:\Windows\Logo1_.exe (PID 2864)
    Command line: C:\Windows\Logo1_.exe
    Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2996)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2644)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file (no path recorded)
  Filesize: 722B
  MD5: e63593ff4196c7f3d4b4b3f3dbc8b491
  SHA1: a8df72508f468a3c0a38b13aaa3bd221bc0cc717
  SHA256: 3ddec8de4cd13c3c6831ad731e9c372d735d8aa4061593fb4c542538e14c9c59
  SHA512: aa2a94928100f66555a6a650d9a84d9fe600a9c24a67dbbe7f40bc9895e532395441b016729d90ab126a50a59c5ba9640ef0cae3a2f1739bee3796832a86bdef
- C:\Users\Admin\AppData\Local\Temp\1580642643f7916c398f0d18777f19668f6d89cedea30af018438506cfcbd475.exe.exe
  Filesize: 49KB
  MD5: 33957dfa6df9e91ddbe5cdae1be4cece
  SHA1: 9047a25d9f5934c01100c18773c0b6362c1bad3f
  SHA256: b72162e82cad37b09057721f9334a96e8efb9f3290619a83c66e69020591397d
  SHA512: 5bc056aac04c87a2973b34b8defe3747b947b6de35939b10c3dd19d32c8b15575d0d089050b2105672befbb92a9a775c4389972d794a8270b4c1c1801fe542ca
- Dropped file (no path recorded)
  Filesize: 66KB
  MD5: 9e55800e061b59df24521a41562b45e8
  SHA1: 66b0c3b70118debcbaa22fe6fb26e7b0f04d0110
  SHA256: 05e7905abaaab25a826c585f6682248ce8f02f5a572c869e248b3604daf7fc6b
  SHA512: 535b6f620688da3b27679453f04b7a5a57c924258cb382ae60838f1653f83214e0fcbb8c053632055068f747ae78c7a4b9aeb91ec2c37247b6a5d96424c25f65