Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/06/2024, 14:30
Static task: static1
Behavioral task: behavioral1
Sample: ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe
Resource: win7-20240221-en
General
Target: ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe
Size: 963KB
MD5: 45ce8f6166a2ab1ed33ee0c6ad7e5ec2
SHA1: 250d43209a3add8f5f87b1e107a744bc1aeb39fa
SHA256: ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732
SHA512: be6b2362fe1aa3504851eccf6da9362d29324d81503669a3602b4865e4df22adec59d2cc3c3962949bd4f7c4c8317918c3af262585ca5cf1649b8814b63cd7f9
SSDEEP: 24576:KbB5PmFtYSm0nVYnbuZycUit/rldx5Xeh:GBBmLlOnyZycUGzldrXeh
Malware Config
Signatures
Deletes itself (1 IoC)
pid 2540  cmd.exe
The deletion is attributed to cmd.exe (PID 2540), which runs the batch file $$a364C.bat from the sample's Temp directory, not to the sample process itself; the same cmd.exe then launches a copy of the sample (PID 2436, listed under "Executes dropped EXE"), so the original on disk is replaced rather than simply removed.

Executes dropped EXE (2 IoCs)
pid 2544  Logo1_.exe
pid 2436  ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe

Loads dropped DLL (2 IoCs)
pid 2540  cmd.exe
pid 2540  cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature in the report.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Logo1_.exe opened every drive letter from E: to Z: except F: read-only: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:.
Probing every letter in turn, rather than asking the system which volumes exist, is how self-replicating malware locates removable and mapped network drives to copy itself to. On an infected host, any volume that was attached at the time (USB media, network shares) needs the same inspection as C:.
Drops file in Program Files directory (64 IoCs)
All writes are by Logo1_.exe. Three of the 64 entries are existing program executables opened for modification; the remaining 61 are a `_desktop.ini` marker file created in, or re-opened in, application directories across both Program Files trees. The executables are the entries that matter for recovery: they were legitimate binaries before Logo1_.exe opened them for writing, so they (and any other executable on the host) should be re-hashed against known-good copies or reinstalled rather than trusted.

Executables opened for modification (3):
- C:\Program Files (x86)\Windows Mail\wabmig.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
- C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe

_desktop.ini created (33):
- C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini
- C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini
- C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini
- C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini
- C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini
- C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\_desktop.ini
- C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini
- C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini
- C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\_desktop.ini
- C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini
- C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_desktop.ini
- C:\Program Files\Windows Media Player\Visualizations\_desktop.ini
- C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini
- C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini
- C:\Program Files\Microsoft Office\Office14\1033\_desktop.ini
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\_desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini
- C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini
- C:\Program Files\Internet Explorer\images\_desktop.ini
- C:\Program Files (x86)\Google\Update\_desktop.ini
- C:\Program Files\Windows Defender\_desktop.ini
- C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\_desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini
- C:\Program Files (x86)\Windows Media Player\_desktop.ini
- C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini
- C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini

_desktop.ini opened for modification (28):
- C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini
- C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini
- C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini
- C:\Program Files (x86)\Windows Portable Devices\_desktop.ini
- C:\Program Files (x86)\Windows Sidebar\de-DE\_desktop.ini
- C:\Program Files\Microsoft Games\More Games\_desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini
- C:\Program Files (x86)\Uninstall Information\_desktop.ini
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini
- C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\_desktop.ini
- C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini
- C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini
- C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini
- C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini
- C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini
- C:\Program Files (x86)\Adobe\_desktop.ini
- C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini
- C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini
- C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini
- C:\Program Files\Windows Defender\fr-FR\_desktop.ini
- C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini
- C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\rundl132.exe  (ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe)
- File created: C:\Windows\Logo1_.exe  (ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe)
- File opened for modification: C:\Windows\rundl132.exe  (Logo1_.exe)
- File created: C:\Windows\Dll.dll  (Logo1_.exe)
Runs net.exe

Suspicious behavior: EnumeratesProcesses (43 IoCs)
pid 2780  ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe  (13 entries)
pid 2544  Logo1_.exe  (30 entries)

Suspicious use of WriteProcessMemory (38 IoCs)
Each row in the report is one write event. The procid_target value is a report-internal index for the target process; match on the PID column against the process tree. Collapsed to unique source/target pairs:
- 2780 ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe -> 2772 (net.exe), procid_target 28, 4 events
- 2772 net.exe -> 2924 (net1.exe), procid_target 30, 4 events
- 2780 ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe -> 2540 (cmd.exe), procid_target 31, 4 events
- 2780 ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe -> 2544 (Logo1_.exe), procid_target 32, 4 events
- 2544 Logo1_.exe -> 2672 (net.exe), procid_target 34, 4 events
- 2672 net.exe -> 2604 (net1.exe), procid_target 36, 4 events
- 2540 cmd.exe -> 2436 (ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe), procid_target 37, 4 events
- 2544 Logo1_.exe -> 2332 (net.exe), procid_target 38, 4 events
- 2332 net.exe -> 2380 (net1.exe), procid_target 40, 4 events
- 2544 Logo1_.exe -> 1180 (Explorer.EXE), procid_target 21, 2 events
Every pair except the last corresponds to a parent launching the child shown in the process tree, which is where the four-per-launch pattern comes from. The Logo1_.exe -> Explorer.EXE writes have no child launch behind them: Explorer is the sample's parent, not a process Logo1_.exe started. That is the one entry here that looks like code being written into another process, so Explorer's memory is worth examining on an infected host.
Processes
Depth numbers are the report's nesting levels; each entry lists image path, PID, command line and the signatures attributed to that process.

1  C:\Windows\Explorer.EXE  PID:1180
   command line: C:\Windows\Explorer.EXE
   2  C:\Users\Admin\AppData\Local\Temp\ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe  PID:2780
      command line: "C:\Users\Admin\AppData\Local\Temp\ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe"
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\net.exe  PID:2772
         command line: net stop "Kingsoft AntiVirus Service"
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\net1.exe  PID:2924
            command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      3  C:\Windows\SysWOW64\cmd.exe  PID:2540
         command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a364C.bat
         - Deletes itself
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Local\Temp\ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe  PID:2436
            command line: "C:\Users\Admin\AppData\Local\Temp\ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe"
            - Executes dropped EXE
      3  C:\Windows\Logo1_.exe  PID:2544
         command line: C:\Windows\Logo1_.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\net.exe  PID:2672
            command line: net stop "Kingsoft AntiVirus Service"
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\SysWOW64\net1.exe  PID:2604
               command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
         4  C:\Windows\SysWOW64\net.exe  PID:2332
            command line: net stop "Kingsoft AntiVirus Service"
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\SysWOW64\net1.exe  PID:2380
               command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Reading the tree: the submitted sample (2780) first tries to stop the "Kingsoft AntiVirus Service" through net.exe, which hands the request to net1.exe as it always does. It then runs a batch file from its own Temp directory through cmd /c, and that batch file deletes the original and starts a copy of it (2436). In parallel it starts the dropped C:\Windows\Logo1_.exe (2544), which is responsible for the drive sweep, the Program Files writes, the writes into Explorer.EXE and two further attempts to stop the same service. Three net stop attempts against one service name, none of which can succeed on a system where that product is not installed, is a strong, cheap detection signal on its own.
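As an added example (not part of the Triage report or its signature engine), the following Python turns the three behaviours above into detection rules and runs them over constructed process-creation events that mirror this tree. The event record shape, the security-product keyword list and the allowlist of executables expected directly in the Windows root are assumptions made for the example; the PIDs, image paths and command lines are copied from the tree. A benign "net stop spooler" event is included as a control that must not fire.

```python
"""Detection logic modelled on the behaviours in this report: a security
service stopped via net.exe/net1.exe, a batch file in %TEMP% run through
cmd /c, and an executable dropped into the Windows directory root and started
by a process living in %TEMP%. Added example; the events are constructed to
mirror the report's process tree and are not sandbox output."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 style; assumed shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe")

# Constructed telemetry reproducing the report's tree (PIDs as reported),
# plus one benign control event (PID 4100) that must not fire any rule.
EVENTS = [
    ProcEvent(1180, 900, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2780, 1180, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2772, 2780, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(2924, 2772, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    ProcEvent(2540, 2780, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a364C.bat"),
    ProcEvent(2436, 2540, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2544, 2780, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2672, 2544, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(4100, 4000, r"C:\Windows\System32\net.exe", "net stop spooler"),
]

# Illustrative keywords for security-product service names (assumption).
SECURITY_SERVICE_WORDS = ("antivirus", "anti-virus", "defender", "security", "firewall", "kingsoft")
# Executables legitimately found directly in the Windows root (illustrative allowlist).
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                          "hh.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def stopped_service(cmdline: str):
    """Service named in 'net stop <svc>' or 'net1 stop "<svc>"', else None."""
    m = re.search(r'\bstop\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def rule_security_service_stop(ev: ProcEvent) -> bool:
    if basename(ev.image) not in {"net.exe", "net1.exe"}:
        return False
    svc = stopped_service(ev.cmdline)
    return bool(svc) and any(w in svc.lower() for w in SECURITY_SERVICE_WORDS)


def rule_temp_bat_via_cmd(ev: ProcEvent) -> bool:
    # cmd.exe executing a .bat located under the user's AppData\Local\Temp
    return (basename(ev.image) == "cmd.exe"
            and re.search(r"/c\s+\S*\\appdata\\local\\temp\\\S+\.bat\b",
                          ev.cmdline, re.IGNORECASE) is not None)


def rule_windows_root_exe_from_temp(ev: ProcEvent, by_pid: dict) -> bool:
    # An executable directly in C:\Windows (not a subdirectory), outside the
    # allowlist, whose parent process image lives under AppData\Local\Temp.
    if not re.fullmatch(r"c:\\windows\\[^\\]+\.exe", ev.image, re.IGNORECASE):
        return False
    if basename(ev.image) in WINDOWS_ROOT_ALLOWLIST:
        return False
    parent = by_pid.get(ev.ppid)
    return parent is not None and "\\appdata\\local\\temp\\" in parent.image.lower()


def ancestry(events, pid: int):
    """Image basenames from pid upward until a parent outside the event set."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def evaluate(events):
    """Return (rule name, pid) for every event that trips a rule, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if rule_security_service_stop(ev):
            findings.append(("security_service_stop", ev.pid))
        if rule_temp_bat_via_cmd(ev):
            findings.append(("temp_bat_via_cmd", ev.pid))
        if rule_windows_root_exe_from_temp(ev, by_pid):
            findings.append(("windows_root_exe_from_temp_parent", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:36} pid={pid}  chain: {' <- '.join(ancestry(EVENTS, pid))}")
```

The ancestry helper is what makes the alert actionable: "net.exe stopped an antivirus service" is interesting, but "net.exe under Logo1_.exe under a file in the user's Temp directory under Explorer" is the context an analyst needs to decide it is the chain from this report rather than an administrator at a console.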
Network
MITRE ATT&CK Enterprise v15
Downloads
Six dropped files are listed; the extraction preserved a path for only one of them, so the others are identified by hash alone.

Filesize: 264KB
MD5: 13f9830e90f8ac821ef27716d2004aae
SHA1: d914c3ec48f990a4fce0a7034713b8e7db6efe7c
SHA256: 4e611a159f33cee85eb06474ccd16df38d9bb649657e844ccb4b1ef1b93ba7a9
SHA512: 8352af498e96bbe7ce457f9f718e440e0026c5a53c3fa2d53f92e58191f9bb2722000dbff9cf0694c5045a3b82723ee99fc46f4b6a7614a963f3b036d24affe0

Filesize: 484KB
MD5: 7b714d463f7db900d5b6e757778a8ab8
SHA1: 2cfc0e9f54236af8e10b0bfa551d87a20982b733
SHA256: c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97
SHA512: e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

Filesize: 722B
MD5: dace042b0ec71db0e4ce1e3bab4f6d30
SHA1: 6115f52515a2359b1f5d318e383d373214460ce5
SHA256: 9419df7e04080ed270e7484e358e4362c700247fc7209947323925f55fb246b0
SHA512: 09aab506ec8149bfe9cdb21b2a3e361f6a194cf90dbe9a79af1c21be72d21e00536edbe736da56553703c01f09021a72e509d2aeb5c06d1a8a76e84094d02846

C:\Users\Admin\AppData\Local\Temp\ea1ba2000d1cf9c777a61f0ff984010580c0c05b160b861e8120eea90fbb7732.exe.exe
Filesize: 924KB
MD5: 30d9ada08a6b9e08b233352cedec77ef
SHA1: af4947cf613a4792c713cd354c27e3fc4ea03b0a
SHA256: c060a5b0c72335d27b2893b99344c42c1aef930af4e45c2f948a88687089a73c
SHA512: 08b0d205acc8522e6b6752570d8671d7fd716f0085a05ecedd83e1a95112d078c68f30b9e97199d9f95ca51b13a2f46882f8a0224fd1cb027050f16151f422fb

Filesize: 39KB
MD5: 2d217bf61506d7c8b29455f0488515bd
SHA1: 12b7ce46a4c1597b93c42f62f5cd037820a856ff
SHA256: e44e88919397fb8447a84b8136a3cfb72d8b80da13eac60fd94d7094b792d4d1
SHA512: aebe3c0ea2bee6ca29b876b4438ddcc4478697229a00aa71891d5cef131a47f02ff52bf7c32ce6fb5fb6aebf982d052af5bf9da2d07d1a328f63f2b701c84c9f

Filesize: 9B
MD5: 60b1ffe4d5892b7ae054738eec1fd425
SHA1: 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256: 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512: 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

Two things worth checking before writing detections from this list. First, the 924KB file carries the submitted sample's path with an extra .exe suffix but has different hashes from the 963KB sample, and the 39KB difference between the two sizes is the size of another dropped file here; that pattern would fit a stub prepended to a host program, but the report does not say so and the hypothesis should be confirmed by comparing the files directly. Second, because the sample rewrites itself and Logo1_.exe opens other programs for modification, hashes of the original executable are a weak indicator for this host: hunt for the dropped file names, the _desktop.ini markers and the hashes of the dropped files instead.
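An added host-hunting example (not Triage's own tooling) that takes the dropped-file names and SHA-256 values from this report and scans a filesystem root for them, and for the `_desktop.ini` markers Logo1_.exe spreads through Program Files. The names and hashes come from the sections above; the fixture directory it builds for a dry run, the 16 MiB hashing cap and the shape of the result are assumptions made here, and the fixture file contents are constructed. On a real host the same `hunt()` call is pointed at a mounted image of the affected volume.

```python
"""Hunt a filesystem root for the artefacts this report attributes to the
sample: dropped binaries in the Windows directory, _desktop.ini markers, and
any file whose SHA-256 matches one of the report's dropped files. Added
example; names and hashes are from the report, everything else is assumed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Files created under C:\Windows by the sample and Logo1_.exe (from the report).
DROPPED_NAMES = {"logo1_.exe", "rundl132.exe", "dll.dll"}
# SHA-256 of the six dropped files listed under Downloads (from the report).
DROPPED_SHA256 = {
    "4e611a159f33cee85eb06474ccd16df38d9bb649657e844ccb4b1ef1b93ba7a9",
    "c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97",
    "9419df7e04080ed270e7484e358e4362c700247fc7209947323925f55fb246b0",
    "c060a5b0c72335d27b2893b99344c42c1aef930af4e45c2f948a88687089a73c",
    "e44e88919397fb8447a84b8136a3cfb72d8b80da13eac60fd94d7094b792d4d1",
    "5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4",
}
MARKER = "_desktop.ini"            # marker written into every swept directory
MAX_HASH_BYTES = 16 * 1024 * 1024  # assumption: do not hash anything larger


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, extra_sha256=()):
    """Walk root; return sorted relative paths grouped by how they matched."""
    root = Path(root)
    known = DROPPED_SHA256 | set(extra_sha256)
    hits = {"by_name": [], "by_hash": [], "markers": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            low = name.lower()
            if low == MARKER:
                hits["markers"].append(rel)
            if low in DROPPED_NAMES:
                hits["by_name"].append(rel)
            try:
                if p.stat().st_size <= MAX_HASH_BYTES and sha256_of(p) in known:
                    hits["by_hash"].append(rel)
            except OSError:
                continue  # unreadable or vanished; a real run would log it
    return {k: sorted(v) for k, v in hits.items()}


# Constructed fixture: a miniature volume laid out like the report's host.
FIXTURE = {
    "Windows/Logo1_.exe": b"MZ-stub-logo1",
    "Windows/rundl132.exe": b"MZ-stub-rundl132",
    "Windows/Dll.dll": b"MZ-stub-dll",
    "Windows/System32/notepad.exe": b"MZ-benign",
    "Program Files/VideoLAN/VLC/_desktop.ini": b"marker",
    "Program Files/Windows Defender/_desktop.ini": b"marker",
    "Program Files (x86)/Adobe/_desktop.ini": b"marker",
    "Users/Admin/Desktop/notes.txt": b"benign",
}


def build_fixture() -> str:
    """Write FIXTURE into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="logo1-hunt-")
    for rel, data in FIXTURE.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    r = build_fixture()
    # The fixture contents are made up, so pass one of their hashes as an
    # extra indicator to show the hash path; real runs use DROPPED_SHA256 only.
    for kind, paths in hunt(r, extra_sha256={sha256_bytes(b"MZ-stub-dll")}).items():
        print(f"{kind}: {paths}")
```

Matching on name and on hash are kept as separate result buckets on purpose: a file named Logo1_.exe in the Windows root is suspicious whatever it hashes to, while a hash hit under some other name is how you find the dropped files after they have been renamed or copied elsewhere.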