Analysis
- max time kernel: 149s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/06/2024, 08:51
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe
  - Resource: win7-20240221-en

Behavioral task
- behavioral2
  - Sample: 35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe
  - Resource: win10v2004-20240508-en
General
- Target: 35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe
- Size: 384KB
- MD5: ff106ac5c416d17141a11f322d0cf49a
- SHA1: 141992e18745abcae416e9ce3e99acb6663126ec
- SHA256: 35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e
- SHA512: c523e4c9d04e58d8edddc44584360110ce2ae79987a130015cd3a1585ced6884ab2c33c3fd1c9fbd1a8147abdff8ae09f506f2e32e67ce573786641a2678028e
- SSDEEP: 3072:xAyLd0K/JdOj7Yhy2j14ml3I2LDZm1bRxH2gVMnayzmXtMqRnf1UEDiMvTCfrqUQ:XLZ/Jduwy4ScLZIxH2gGanTf1n
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
  pid   Process
  4908  Logo1_.exe
  4264  35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe
-
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: Logo1_.exe
  ioc (21 drive roots, in the order recorded): \??\Z:, \??\U:, \??\Q:, \??\P:, \??\N:, \??\M:, \??\E:, \??\O:, \??\K:, \??\H:, \??\G:, \??\Y:, \??\W:, \??\V:, \??\T:, \??\J:, \??\I:, \??\X:, \??\S:, \??\R:, \??\L:
-
Drops file in Program Files directory (64 IoCs)
  description: File opened for modification
  Process: Logo1_.exe
  ioc (64 executables):
  - C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
  - C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe
  - C:\Program Files\VideoLAN\VLC\uninstall.exe
  - C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe
  - C:\Program Files\Java\jdk-1.8\bin\javaws.exe
  - C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe
  - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
  - C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  - C:\Program Files\Java\jdk-1.8\bin\jstat.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
  - C:\Program Files\7-Zip\7z.exe
  - C:\Program Files\Java\jdk-1.8\bin\javap.exe
  - C:\Program Files\Mozilla Firefox\firefox.exe
  - C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
  - C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe
  - C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe
  - C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
  - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe
  - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.37\MicrosoftEdgeUpdateComRegisterShell64.exe
  - C:\Program Files (x86)\Windows Mail\wab.exe
  - C:\Program Files\Java\jdk-1.8\bin\schemagen.exe
  - C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe
  - C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe
  - C:\Program Files (x86)\Windows Media Player\wmpshare.exe
  - C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  - C:\Program Files\Java\jdk-1.8\bin\ktab.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe
  - C:\Program Files\Java\jre-1.8\bin\unpack200.exe
  - C:\Program Files\Mozilla Firefox\pingsender.exe
  - C:\Program Files\Windows Mail\wab.exe
  - C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
  - C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
  - C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
  - C:\Program Files\Java\jdk-1.8\bin\wsgen.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
  - C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{AD0E89CA-0C10-4B2E-B184-BD6C20B5B257}\MicrosoftEdgeUpdateSetup_X86_1.3.187.37.exe
  - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
  - C:\Program Files\Java\jdk-1.8\bin\idlj.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
  - C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe
  - C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe
  - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.37\MicrosoftEdgeUpdateOnDemand.exe
  - C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
  - C:\Program Files\Java\jre-1.8\bin\javaw.exe
  - C:\Program Files\Java\jre-1.8\bin\jjs.exe
  - C:\Program Files\Mozilla Firefox\updater.exe
  - C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe
  - C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
  - C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  - C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe
  - C:\Program Files\Java\jre-1.8\bin\servertool.exe
  - C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
-
Drops file in Windows directory (2 IoCs)
  description   ioc                    Process
  File created  C:\Windows\Logo1_.exe  35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe
  File created  C:\Windows\vDll.dll    Logo1_.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process
  4908  Logo1_.exe  (16 occurrences)
-
Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 4176 wrote to memory of 3952  4176  35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe  83  (3 occurrences)
  PID 4176 wrote to memory of 4908  4176  35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe  84  (3 occurrences)
  PID 4908 wrote to memory of 324   4908  Logo1_.exe                                                              86  (3 occurrences)
  PID 324 wrote to memory of 4516   324   net.exe                                                                 88  (3 occurrences)
  PID 3952 wrote to memory of 4264  3952  cmd.exe                                                                 89  (2 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe (PID 4176)
  command line: "C:\Users\Admin\AppData\Local\Temp\35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3952)
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4834.bat
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe (PID 4264)
      command line: "C:\Users\Admin\AppData\Local\Temp\35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe"
      - Executes dropped EXE
  - C:\Windows\Logo1_.exe (PID 4908)
    command line: C:\Windows\Logo1_.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 324)
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 4516)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
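The process tree and signatures above describe four behaviours worth hunting for on a real host: a dropper writing Logo1_.exe and vDll.dll straight into C:\Windows, that dropped child walking every drive letter, the same child opening dozens of executables under Program Files for modification (the access pattern of a file infector), and net.exe being used to stop an antivirus service. The Python below is an added example and is not part of the tria.ge report or of the sample. It runs four rules over a constructed event list modelled on this report's process tree and IoCs (not exported sandbox data); the event field names, the AV keyword list, the thresholds and the placeholder name sample.exe are assumptions for the example.

```python
"""Hunting rules for the behaviours in this report, run over events
constructed to mirror it (not exported sandbox data). Field names,
keyword list and thresholds are assumptions for this example."""
import re
from collections import defaultdict

# Assumptions: substrings that mark a service as security software, and the
# minimum counts that separate a file infector / drive sweep from ordinary noise.
AV_KEYWORDS = ("antivirus", "anti-virus", "defender", "security", "kingsoft")
MASS_MODIFY_THRESHOLD = 10
DRIVE_SWEEP_THRESHOLD = 5

WINDOWS_ROOT_BINARY = re.compile(r"^c:\\windows\\[^\\]+\.(exe|dll)$", re.I)  # file directly in C:\Windows
PROGRAM_FILES_EXE = re.compile(r"^c:\\program files( \(x86\))?\\.+\.exe$", re.I)
DRIVE_ROOT = re.compile(r"^\\\?\?\\([a-z]):$", re.I)                          # \??\X:
NET_STOP = re.compile(r"\bstop\b\s+\"?([^\"]+)\"?", re.I)                       # net stop "<service>"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # placeholder for the submitted file
LOGO1 = r"C:\Windows\Logo1_.exe"
PF_TARGETS = [  # a dozen of the Program Files executables the report lists
    r"C:\Program Files\7-Zip\7z.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Mozilla Firefox\updater.exe",
    r"C:\Program Files\Java\jdk-1.8\bin\javaws.exe",
    r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
    r"C:\Program Files\VideoLAN\VLC\uninstall.exe",
    r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
    r"C:\Program Files (x86)\Windows Mail\wab.exe",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe",
    r"C:\Program Files\Windows Photo Viewer\ImagingDevices.exe",
    r"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe",
]

# Constructed events in the shape an EDR/Sysmon feed might be normalised to.
EVENTS = (
    [{"type": "process", "pid": 4176, "image": SAMPLE, "cmdline": SAMPLE},
     {"type": "process", "pid": 3952, "image": r"C:\Windows\SysWOW64\cmd.exe",
      "cmdline": r"cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4834.bat"},
     {"type": "file_create", "pid": 4176, "path": LOGO1},
     {"type": "process", "pid": 4908, "image": LOGO1, "cmdline": LOGO1},
     {"type": "file_create", "pid": 4908, "path": r"C:\Windows\vDll.dll"},
     {"type": "process", "pid": 324, "image": r"C:\Windows\SysWOW64\net.exe",
      "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
     {"type": "process", "pid": 4516, "image": r"C:\Windows\SysWOW64\net1.exe",
      "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
     # Benign noise the rules must not flag: an admin stopping the print
     # spooler and an installer touching a single Program Files binary.
     {"type": "process", "pid": 901, "image": r"C:\Windows\System32\net.exe",
      "cmdline": "net stop Spooler"},
     {"type": "file_modify", "pid": 1234, "path": PF_TARGETS[0]}]
    + [{"type": "drive_open", "pid": 4908, "path": f"\\??\\{d}:"} for d in "ZUQPNMEOKHGYWVTJIXSRL"]
    + [{"type": "file_modify", "pid": 4908, "path": p} for p in PF_TARGETS]
)


def hunt(events):
    """Return a list of {rule, pid, detail} findings for the four behaviours."""
    findings = []
    pf_mods = defaultdict(set)   # pid -> distinct Program Files .exe opened for modification
    drives = defaultdict(set)    # pid -> distinct drive letters whose root was opened
    for e in events:
        t = e["type"]
        if t == "process" and e["image"].lower().endswith(("\\net.exe", "\\net1.exe")):
            m = NET_STOP.search(e["cmdline"])
            if m and any(k in m.group(1).lower() for k in AV_KEYWORDS):
                findings.append({"rule": "av_service_stop", "pid": e["pid"], "detail": m.group(1).strip()})
        elif t == "file_create" and WINDOWS_ROOT_BINARY.match(e["path"]):
            findings.append({"rule": "windows_root_drop", "pid": e["pid"], "detail": e["path"]})
        elif t == "file_modify" and PROGRAM_FILES_EXE.match(e["path"]):
            pf_mods[e["pid"]].add(e["path"].lower())
        elif t == "drive_open":
            m = DRIVE_ROOT.match(e["path"])
            if m:
                drives[e["pid"]].add(m.group(1).upper())
    for pid, paths in pf_mods.items():
        if len(paths) >= MASS_MODIFY_THRESHOLD:
            findings.append({"rule": "program_files_exe_mass_modify", "pid": pid,
                             "detail": f"{len(paths)} executables"})
    for pid, letters in drives.items():
        if len(letters) >= DRIVE_SWEEP_THRESHOLD:
            findings.append({"rule": "drive_sweep", "pid": pid, "detail": "".join(sorted(letters))})
    return findings


def suspicious_pids(events):
    """PIDs that triggered at least one rule; the set to isolate and image first."""
    return {f["pid"] for f in hunt(events)}


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['rule']:<30} pid={f['pid']:<5} {f['detail']}")
    print("suspicious pids:", sorted(suspicious_pids(EVENTS)))
```

The two count-based rules are deliberately per-process rather than per-event: a single installer modifying one Program Files binary is normal, while one process opening a dozen unrelated vendors' executables for writing in a few seconds is not. On a real host, confirm a hit by comparing the modified files' hashes against the vendor originals; the report's Downloads section already shows the file at the sample's own path changing size and hash after the batch script ran.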
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 750KB
  MD5: c8684bbb2310ff4cf1c272f1995c71f3
  SHA1: 3a55943a3def1512b041484e9dda83dc2a782e3d
  SHA256: bc4f6dca71769ff208a33b80e32625ea4ce7ea85c00d45f3dd4641f0edeb1986
  SHA512: 48f3c3231f879d212832682866a529b4bf69bddb14ecc95c80d77a6fadee0badbc9c2e16be4e3b4a4f36362202ada7448d9d98be803116091807d04b5b6aee18
- Filesize: 722B
  MD5: ea078db0027b92628fc97033fd376daa
  SHA1: dd44ba592d1575a8f4b8f91c943d79d40c8db559
  SHA256: dd755702fda4fa32088fa828d619505c25174ae88d56dbc4d9e8800174e10df3
  SHA512: ae11be830813b10ce7b48ad93f0f86efefd7909cd5e461bce9c4d021645b8c2c595247554fc9a22a22151c5678963c55ef9ecfb09d7812b9e1b4a35aadcebb7f
- C:\Users\Admin\AppData\Local\Temp\35792883a3ebdab8569b1b51276e8b85d150613a851d0d5bb3cbc8d4b4ecc20e.exe
  Filesize: 318KB
  MD5: dca5924a3197b5b6925ca549033ff0b7
  SHA1: c10dfc045a860d4da749b60c06535f3270d74222
  SHA256: a2206ce83f0270a4b93fc3ac0dd704355c5bd18535b3b642d64bd6f54f08df55
  SHA512: 7a7fb359add41605b93c992edadd68a5f33dc7b675e64cff38d234e8b060a0406dbcd7cf7226cbdd6233f560e6e56ec9b47386be1ad9b2232bcff09ae34d7455
  Note: this is the file at the submitted sample's path as it existed when the batch script re-launched it (PID 4264). At 318KB with different hashes it is not the submitted 384KB binary (MD5 ff106ac5c416d17141a11f322d0cf49a), so hash-based hunting must cover both.
- Filesize: 66KB
  MD5: 9e55800e061b59df24521a41562b45e8
  SHA1: 66b0c3b70118debcbaa22fe6fb26e7b0f04d0110
  SHA256: 05e7905abaaab25a826c585f6682248ce8f02f5a572c869e248b3604daf7fc6b
  SHA512: 535b6f620688da3b27679453f04b7a5a57c924258cb382ae60838f1653f83214e0fcbb8c053632055068f747ae78c7a4b9aeb91ec2c37247b6a5d96424c25f65