Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 16/06/2024, 22:14
Static task: static1
Behavioral task: behavioral1
Sample: ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe
Resource: win7-20240611-en
General
Target: ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe
Size: 92KB
MD5: ad197336d243861e0b00345682288eca
SHA1: 1ff3a98615423b323ed4a245054a529b312d4d6f
SHA256: ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558
SHA512: 0cfe2880aaa04e1225e470072a33497261c4342499c25e05864ba8a26ec2e4f73438368fccf4e663a3959fee9dbfcec8f4c0e95c3935d48f1431d7ebd70fdb76
SSDEEP: 1536:2de+Zk77RN++t4SMKvL/yapmebn4ddJZeY86iLflLJYEIs67rxo:2de+aX3x4AeLK4ddJMY86ipmns6S
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  2800  cmd.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  2816  Logo1_.exe
  2872  ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  2800  cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\rundl132.exe  ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe
  File created                  C:\Windows\Logo1_.exe    ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created                  C:\Windows\Dll.dll       Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
- Suspicious use of WriteProcessMemory (38 IoCs)
Processes
- C:\Windows\Explorer.EXE (PID 1224)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe (PID 2108)
    command line: "C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe"
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2856)
      command line: net stop "Kingsoft AntiVirus Service"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2416)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 2800)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a11AD.bat
      signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe (PID 2872)
        command line: "C:\Users\Admin\AppData\Local\Temp\ce827f13fb262d7afc6b620712647ae6859bc57b3f289f3ae8261a5f607eb558.exe"
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 2816)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2828)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2836)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 2844)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2716)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads