Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 29/06/2024, 22:28
Static task: static1
Behavioral task: behavioral1
  Sample: 85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe
  Resource: win10v2004-20240508-en
General
Target: 85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe
Size: 227KB
MD5: 857d1cd439a55e5db1d16f406abcccbd
SHA1: fa73fad215f1fb7808866d7ff03a62dc70ab2a40
SHA256: 85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce
SHA512: bef917a5c52560e24976c1ba48bc739c157c49ac6a1b4a29097f83c71c2a0788166e4ffa73884d13a5d7dade6a91031ed8cb0e05fe2c91c29dfe4cc5bad38d02
SSDEEP: 3072:phkuJVLUdeKzC/lzMPySe8DnpeIPipoHbKvXWXz9LRnsaJUS+6wPXD3fxNW7gq5n:8uJWdeKzC/leySe8AIqpoHbnDns1ND9m
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2168  cmd.exe
Executes dropped EXE (2 IoCs)
  pid 2748  Logo1_.exe
  pid 2620  85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe
Loads dropped DLL (1 IoC)
  pid 2168  cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\I:, \??\H:, \??\Z:, \??\W:, \??\T:, \??\R:, \??\L:, \??\Y:, \??\X:, \??\U:, \??\E:, \??\S:, \??\Q:, \??\O:, \??\N:, \??\J:, \??\V:, \??\P:, \??\M:, \??\K:, \??\G:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\Logo1_.exe  (85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe)
  File opened for modification: C:\Windows\rundl132.exe  (Logo1_.exe)
  File created: C:\Windows\vDll.dll  (Logo1_.exe)
  File created: C:\Windows\rundl132.exe  (85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2748  Logo1_.exe  (10 events)
Suspicious use of WriteProcessMemory (22 IoCs)
  PID 1780 (85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe) wrote to memory of 2168, procid_target 28, 4 events
  PID 1780 (85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe) wrote to memory of 2748, procid_target 29, 4 events
  PID 2168 (cmd.exe) wrote to memory of 2620, procid_target 31, 4 events
  PID 2748 (Logo1_.exe) wrote to memory of 2676, procid_target 32, 4 events
  PID 2676 (net.exe) wrote to memory of 2604, procid_target 34, 4 events
  PID 2748 (Logo1_.exe) wrote to memory of 1196, procid_target 21, 2 events
Processes
C:\Windows\Explorer.EXE  (PID 1196)
  C:\Users\Admin\AppData\Local\Temp\85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe  (PID 1780)
    command line: "C:\Users\Admin\AppData\Local\Temp\85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe"
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2168)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a19B8.bat
      signatures: Deletes itself; Loads dropped DLL; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe  (PID 2620)
        command line: "C:\Users\Admin\AppData\Local\Temp\85d1e4d405754ccdb27a0930a7d1dbde517970eb6879d9d88d57814ef8699fce.exe"
        signatures: Executes dropped EXE
    C:\Windows\Logo1_.exe  (PID 2748)
      command line: C:\Windows\Logo1_.exe
      signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe  (PID 2676)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  (PID 2604)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads