Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
12/06/2024, 22:48
Static task
static1
Behavioral task
behavioral1
Sample
f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe
Resource
win10v2004-20240611-en
General
-
Target
f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe
-
Size
573KB
-
MD5
aaee7926f1d4dedfae7ccaea011220ed
-
SHA1
6962a9c655a8825f1758266a3ef73ac91dec0ed0
-
SHA256
f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c
-
SHA512
66628592bd6d2df624c0922d1c61b996a113d5e19d626b7c0b7270cdf72e3b419969dbb3c8409b8f11e7a71aad6d193c82a75a390af721948958adfb9d99974b
-
SSDEEP
6144:4uJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:s7a3iwbihym2g7XO3LWUQfh4Co
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 636 Logo1_.exe 4616 f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\WidevineCdm\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\legal\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ja-jp\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\pwahelper.exe Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe File created C:\Windows\Logo1_.exe f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe 636 Logo1_.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1020 wrote to memory of 1536 1020 f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe 81 PID 1020 wrote to memory of 1536 1020 f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe 81 PID 1020 wrote to memory of 1536 1020 f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe 81 PID 1020 wrote to memory of 636 1020 f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe 83 PID 1020 wrote to memory of 636 1020 f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe 83 PID 1020 wrote to memory of 636 1020 f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe 83 PID 636 wrote to memory of 1568 636 Logo1_.exe 84 PID 636 wrote to memory of 1568 636 Logo1_.exe 84 PID 636 wrote to memory of 1568 636 Logo1_.exe 84 PID 1568 wrote to memory of 4880 1568 net.exe 86 PID 1568 wrote to memory of 4880 1568 net.exe 86 PID 1568 wrote to memory of 4880 1568 net.exe 86 PID 1536 wrote to memory of 4616 1536 cmd.exe 87 PID 1536 wrote to memory of 4616 1536 cmd.exe 87 PID 636 wrote to memory of 3452 636 Logo1_.exe 56 PID 636 wrote to memory of 3452 636 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe"C:\Users\Admin\AppData\Local\Temp\f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a32C8.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Users\Admin\AppData\Local\Temp\f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe"C:\Users\Admin\AppData\Local\Temp\f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe"4⤵
- Executes dropped EXE
PID:4616
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:4880
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
254KB
MD5eaafac1d54759eb89af2aeaddcaf0828
SHA178f325b16ce3e651e1c7eb7c871f72a4bfd620cb
SHA256b781177dade8538ec18a7988488fc8932e049d95823910c9615e22550ef00882
SHA51282d9128cd9bf34f636dd76ac5fb0d02d2d5b50be03914c2d42db107cf51d3318effe50013ead12be81190abae9336ce813b07bf800c3bd82b0967cfde6acde64
-
Filesize
573KB
MD5aaee7926f1d4dedfae7ccaea011220ed
SHA16962a9c655a8825f1758266a3ef73ac91dec0ed0
SHA256f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c
SHA51266628592bd6d2df624c0922d1c61b996a113d5e19d626b7c0b7270cdf72e3b419969dbb3c8409b8f11e7a71aad6d193c82a75a390af721948958adfb9d99974b
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize639KB
MD5ad5a7e5eb1a1cdd791957e07c93748ae
SHA16e4f8c5f4d791327e11d0d68ca6f514554af8481
SHA256cfee92d916fbbb95d8282c3264d3708ad1ddfdd9db4daaf00e0c96a22854c4dc
SHA512a8acd191aec48dac8d5808a93ee973ea52793140e318b4d870fb10e4e8ba0756fe95654134dd1c175168375a0f7caebfd8a7d46a9b3dc71006f830b53dd9fefe
-
Filesize
722B
MD5f723bf6dd51abc90c57358460228aaeb
SHA107c5633f7d2f0ba5319ad830930b1afe40cddd3e
SHA2567417cb425a8b3e53e4a055822dd38005be6e535a2253396dac7d5636a5c1bc46
SHA5121a44f90800421b3430e1fd569e4fc09abc30b2e3bb7223fd1da6d78dd64bc986a977f6691a9a6e7bfcdfaaf3d339f226889b25b432e6a41dd691024d7c85e396
-
C:\Users\Admin\AppData\Local\Temp\f137fca8e6bc39ce6245dd4dbc0fa4d0c009112e97745e4b8ca566306151081c.exe.exe
Filesize544KB
MD59a1dd1d96481d61934dcc2d568971d06
SHA1f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA2568cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA5127ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa
-
Filesize
29KB
MD54b4afa60ab9612db0737ab7239b8f929
SHA15f0778a55394d8b9d597e5fc31ac44fa97476add
SHA2564ca725a5704a86df766dcff486f19f1edff6e13b5f15f7dc3c96173a80fccbe5
SHA51211830a5968678ec86f6d39e77dc192fb0dc334ce97959ac076adeb3c27e339c328aeda64f6e3f185433a489e5dd8ea64adafc636c13b7ed93c4a73a4c0c736e8
-
Filesize
9B
MD51f206a052c160fd77308863abd810887
SHA13b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1
SHA25645129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1
SHA512bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5