Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14/06/2024, 22:17
Static task
static1
Behavioral task
behavioral1
Sample
7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe
Resource
win10v2004-20240508-en
General
-
Target
7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe
-
Size
857KB
-
MD5
ae0a75bd41fa2777cc5096949459040a
-
SHA1
6e82d670d5cefe953db3460e0ac5f4b0a81d4dbe
-
SHA256
7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86
-
SHA512
de0031d76adb3a3a9aacebcf3d20dab998cefc50ca304d44e2511ab5037db6b72e2e004eeea346b6eba0a3c9391a62a50f49acfb206ebfa9388cf7ae4c684d27
-
SSDEEP
12288:U7+1X+9w78ram/BfkkHQ08KsRsVzaVtSCUcoMkkvNFx:U7JkAhQ0bsRsVzctSC/oGzx
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4840 Logo1_.exe 3132 7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\et-EE\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ar-ae\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\UserControls\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-latn-cs\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Logo1_.exe 7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe File created C:\Windows\rundl132.exe 7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe 4840 Logo1_.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2504 wrote to memory of 1848 2504 7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe 81 PID 2504 wrote to memory of 1848 2504 7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe 81 PID 2504 wrote to memory of 1848 2504 7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe 81 PID 2504 wrote to memory of 4840 2504 7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe 82 PID 2504 wrote to memory of 4840 2504 7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe 82 PID 2504 wrote to memory of 4840 2504 7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe 82 PID 4840 wrote to memory of 2428 4840 Logo1_.exe 84 PID 4840 wrote to memory of 2428 4840 Logo1_.exe 84 PID 4840 wrote to memory of 2428 4840 Logo1_.exe 84 PID 2428 wrote to memory of 212 2428 net.exe 86 PID 2428 wrote to memory of 212 2428 net.exe 86 PID 2428 wrote to memory of 212 2428 net.exe 86 PID 1848 wrote to memory of 3132 1848 cmd.exe 87 PID 1848 wrote to memory of 3132 1848 cmd.exe 87 PID 1848 wrote to memory of 3132 1848 cmd.exe 87 PID 4840 wrote to memory of 3596 4840 Logo1_.exe 56 PID 4840 wrote to memory of 3596 4840 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe"C:\Users\Admin\AppData\Local\Temp\7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5748.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Users\Admin\AppData\Local\Temp\7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe"C:\Users\Admin\AppData\Local\Temp\7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe"4⤵
- Executes dropped EXE
PID:3132
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵PID:212
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD5f71e7ba4cf294c07f1a6fe00f1d19e1f
SHA1eca23c78a597fec55f7ae28f4ebd145949db3230
SHA25633d01dbe53df1e155b5e4fc1bb509ae9ff12221644eca05fafa09e9f4e930ade
SHA51287a335884b3e630400bdbd21c65021e06163165bb86a7252ccfdcb18ae3045fba3c0dae4f88dd6bb62865f7c92bfed08d637ba2bef63a1693fd2d1134725d150
-
Filesize
570KB
MD56f1b0e849888e2ef43602ec6c4bc2fc1
SHA1a1ce7850b3fd8eb346f487793fea1be1b087895d
SHA256b94a304ef458f7ac25245d14e8a7ec03be9ed75c403a5f68576f050301259c36
SHA5129c5e35180a2eeb018bdf5b7a74b5777687230532d75a09913a49d133bcc3f3429eff00a5caccded9e37ccc220ca5f14b60d26f7f8f1a8f6052878081d8feaa13
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize636KB
MD52500f702e2b9632127c14e4eaae5d424
SHA18726fef12958265214eeb58001c995629834b13a
SHA25682e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c
-
Filesize
722B
MD586ef2e75c915375cd1409f7431182ae6
SHA1c198043c938f30b4ba20660b7251ff7b77e0e29d
SHA25659aa462a7709d1ec8f6bf61cc5ba41fb9c47065d9910b41dd6239a4ab558c757
SHA512cec1d579f840f4375c669fd07372d076b86d2194c055fb8f3d043f2a7eeec7e49a80f08044cb39693c230542d464e13f4b6c7a174a1b7132ce3c5b5996d4ece2
-
C:\Users\Admin\AppData\Local\Temp\7719a3589236c9e95cab982476ba737705e31f127dbbc751383e97a417149d86.exe.exe
Filesize830KB
MD50150c09dfd718eac6463f41eee871ef5
SHA179c2962349792be52601f0b630e5333f9be83ca6
SHA2564a4d96e152480140c7ffe0831935f85f06626c4bee80beac536a218f0c1dc60a
SHA51227bedd1f14a504bb9b14f40a543ceea871d03ca98ffde2fc88e2501be56c292666db140f8e2f9ef2e3394e66fd7db23e31061ed133460fa7a3ce04597833a416
-
Filesize
26KB
MD55d0921ed2fc491cb71853329ed6569e2
SHA1830b1053672e0399c1dba422d89d6bf6d11e6a0c
SHA25625f63aa8f7382433eba471f2b9cca34d063eaed487c2607c3364c636c004be08
SHA5121c8b94d6108eb656392ae063e37cd3e1dfd1eff05c4dccf6ed112abd6b8c2199a0fe8bb42b7b95ca124e72d063c14af0d24ce5abb647bb2c1b5526657417d1f0
-
Filesize
9B
MD503c36dbecb7f35761f80ba5fc5566da6
SHA1159b7733006187467bda251a1bbb278c141dceb6
SHA25685a53f5b976fb1c26ce14c31e93c1f68997d2d8b09ab9aa2b7e0d32b8e50ec3b
SHA512fe573085d2abef34adcede2f89b1c2810875ab00ef9ba27a1d95ed1dbe93e182fc53d981901a0b8048dd4eb5fdc852b8f0e0c3a0e1a404cbbe70e13a7a14104a