Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 11/06/2024, 07:32 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
  Resource: win10v2004-20240426-en
General
Target: b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
Size: 940KB
MD5: 76c4f4ba195592194f32f2503479cf55
SHA1: f9e7c610214f948893db8411bb291e3f0bff5198
SHA256: b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9
SHA512: 042c8034e5bdf4bdee2f3a0172a1d1281260a241304216ff19e36c00e58d1212c68a2cea610cae41a150d814798e12a86cef03e23d71984b7e13adb60878ef53
SSDEEP: 6144:3VfjmNjJQu49F5tc5Y8HWJffsLr+kHqwLOyfld9lYBT15sS9oQHfSgtoqbc/XFBH:l7+FCjcdHEffoqKFBS+QXtzcHLPh2eJ
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2708, Process cmd.exe
- Executes dropped EXE (3 IoCs)
  pid 2932, Process Logo1_.exe
  pid 2784, Process b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
  pid 1260, Process Explorer.EXE
- Loads dropped DLL (1 IoC)
  pid 2708, Process cmd.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\U:, \??\K:, \??\J:, \??\X:, \??\Y:, \??\M:, \??\H:, \??\Z:, \??\R:, \??\P:, \??\I:, \??\G:, \??\S:, \??\V:, \??\T:, \??\Q:, \??\O:, \??\N:, \??\L:, \??\E:, \??\W:
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (5 IoCs)
  File created C:\Windows\rundl132.exe by b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
  File created C:\Windows\Logo1_.exe by b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
  File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  File opened for modification C:\Windows\DPINST.LOG by b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
  File created C:\Windows\vDll.dll by Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2932, Process Logo1_.exe (10 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2784, Process b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | Process | procid_target
  PID 2392 wrote to memory of 2708 | 2392 | b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe | 28 (4 identical entries)
  PID 2392 wrote to memory of 2932 | 2392 | b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe | 29 (4 identical entries)
  PID 2708 wrote to memory of 2784 | 2708 | cmd.exe | 32 (4 identical entries)
  PID 2932 wrote to memory of 2156 | 2932 | Logo1_.exe | 31 (4 identical entries)
  PID 2156 wrote to memory of 2660 | 2156 | net.exe | 34 (4 identical entries)
  PID 2932 wrote to memory of 1260 | 2932 | Logo1_.exe | 21 (2 identical entries)
Processes
- C:\Windows\Explorer.EXE (depth 1, PID 1260)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe (depth 2, PID 2392)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2708)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aED0.bat
      Signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe (depth 4, PID 2784)
        Command line: "C:\Users\Admin\AppData\Local\Temp\b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe"
        Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam
    - C:\Windows\Logo1_.exe (depth 3, PID 2932)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (depth 4, PID 2156)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (depth 5, PID 2660)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 251KB
  MD5: bcb9e88e90555be4406d1f1990dae6e5
  SHA1: e73a89da48a32a78ec3637bc4192d9c2a34e86a7
  SHA256: 48f8e46b1ccbb647b81d781442c7f17b3bd9db20d9455812174437bcb80c4d7b
  SHA512: 3d8af1e295260a9fb048a3f140625959f6985ad31aa59873d54ba5e253d918876b7ab36caefc7365ac359883c97784fd168725cb7c7bc9ec792d396e6e90acda
- Filesize: 471KB
  MD5: 4cfdb20b04aa239d6f9e83084d5d0a77
  SHA1: f22863e04cc1fd4435f785993ede165bd8245ac6
  SHA256: 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
  SHA512: 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86
- Filesize: 721B
  MD5: 26797a915f21a1ce99c0e61e4752b539
  SHA1: 38f7f1ab0aae3beb3f8d4f001868786da9404378
  SHA256: 5b289a7cc0f9c5b84e9adeaa900cec55b8a46a3ed33403c394eff522a9511455
  SHA512: 2b2f671960af12a8a035bc22b4891d7c541aa5fdb7a21e2e56187bd275c0aeb3d196597d4ccd2b124ddeeb4a210841de5f1ce87721cb1316c4929982fe8cd618
- C:\Users\Admin\AppData\Local\Temp\b6abe44b3cd916dd12a2da83e56b8b37612f67f86a6e65a54b823cb9cce656a9.exe.exe
  Filesize: 913KB
  MD5: e90140ff5f5ff7521ea52f94bec29f8c
  SHA1: a3aaf4d6705984d2f0b97d277766ebc82a26011f
  SHA256: 0e25afc6f2c17e08afc91f7717b3669cb4de6f77dd62b78674b09e0d59e4aa3c
  SHA512: f644e4c22be81aeddf380ec8b550c3774a6c8678b9ad4cb210235ae440bd9f1e16df84832babac21672b69a57ebd779bbfb562dd6158f91cc48367ef3e383a3e
- Filesize: 26KB
  MD5: db1b9d89625483c2be503d426ab3dca2
  SHA1: 3f3b288bbbae204ca0d1298361d287a52050d1fa
  SHA256: 6d78e466f96a382cabdc9473590510a217411e74807d803b1ac6b53870298101
  SHA512: c118d5f1ab8a5e08b9af12a612ce64a43b709237f7c2c8d94bf8f7b7f1e591070385a1352421f5fa89926268e6b372040a968a6b9ebaacc949efce9232d514d9
- Filesize: 9B
  MD5: 3b22ce0fee2d1aaf2c66dcd142740e29
  SHA1: 94d542b4bb9854a9419753c38e6ffe747653d91c
  SHA256: 8284772f28954a109c16f1583e6e34e29f06673b34e04f268bda961b57ba9f79
  SHA512: efd4900a49624170e51ea401f0845634f49484a49335845258dc3d41a12e2022bf413a6751fcbcfd1ec68cde506f3363beae57f20e8eaca8b214d28baa138c5b