Analysis
max time kernel: 149s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19/07/2024, 04:55
Static task: static1
Behavioral task: behavioral1
  Sample: ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe
  Resource: win10v2004-20240709-en
General
Target: ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe
Size: 52KB
MD5: 8e292fad26fb924c8449c326b876919d
SHA1: 968348980f7ae2de50cf33988efa2ab640955179
SHA256: ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440
SHA512: 5df10465ae21ba23c2d47cdd54102ef10cfc2b500001f3e593bc3eafcc43b7b8936fee19fa4d43b4d81bdac7ed0cbb89a95e85024910e67bcfe13d8cb7cb6c51
SSDEEP: 768:p5GQ16GVRu1yK9fMnJG2V9dHS85qgt6jpYU5ltbDrYiI0oPxWExI:p593SHuJV9NP6jWWvr78Pxc
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2132  cmd.exe
Executes dropped EXE (2 IoCs)
  PID 2184  Logo1_.exe
  PID 2160  ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe
Loads dropped DLL (5 IoCs)
  PID 2132  cmd.exe
  PID 3000  WerFault.exe (4 entries)
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Logo1_.exe opened (read-only) the root of 21 drive letters, every letter from E: to Z: except F:
  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Program Files directory (64 IoCs)
All 64 entries are by Logo1_.exe (PID 2184). 62 of them are _desktop.ini files created or opened for modification, one per directory; the other two are existing executables opened for modification (apt.exe and jdb.exe under the JDK bin directory).
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
  File created C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini
  File created C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini
  File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\_desktop.ini
  File created C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini
  File created C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini
  File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini
  File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini
  File created C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini
  File created C:\Program Files\Windows Defender\de-DE\_desktop.ini
  File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini
  File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini
  File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini
  File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\_desktop.ini
  File opened for modification C:\Program Files\Google\_desktop.ini
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini
  File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini
  File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini
  File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\_desktop.ini
  File created C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini
  File created C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini
  File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini
  File created C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini
  File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini
  File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_desktop.ini
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini
  File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\_desktop.ini
  File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini
  File created C:\Program Files (x86)\Uninstall Information\_desktop.ini
  File created C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini
  File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini
  File created C:\Program Files\DVD Maker\fr-FR\_desktop.ini
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_desktop.ini
  File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini
  File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\_desktop.ini
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini
  File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini
  File created C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini
  File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini
  File created C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini
  File created C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini
  File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini
  File created C:\Program Files\Java\jre7\lib\management\_desktop.ini
  File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini
  File created C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
  File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\_desktop.ini
  File created C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini
  File created C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\_desktop.ini
Drops file in Windows directory (4 IoCs)
  File created C:\Windows\rundl132.exe  by ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe (PID 1768)
  File created C:\Windows\Logo1_.exe  by ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe (PID 1768)
  File opened for modification C:\Windows\rundl132.exe  by Logo1_.exe (PID 2184)
  File created C:\Windows\vDll.dll  by Logo1_.exe (PID 2184)
Note that rundl132.exe differs from the legitimate rundll32.exe by a single character (the second "l" replaced with "1"), a lookalike name that is easy to miss in a process or file listing.
Runs net.exe
  net stop "Kingsoft AntiVirus Service"  (PID 2864, spawned by Logo1_.exe; see the Processes tree)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 2184  Logo1_.exe (10 entries)
Suspicious use of WriteProcessMemory (25 IoCs)
The 25 records collapse to seven writer → target pairs (target process names taken from the Processes tree; the number in parentheses is tria.ge's procid_target):
  1768 the sample (ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe) → 2132 cmd.exe  ×4 (30)
  1768 the sample → 2184 Logo1_.exe  ×4 (31)
  2184 Logo1_.exe → 2864 net.exe  ×4 (32)
  2864 net.exe → 2840 net1.exe  ×4 (35)
  2132 cmd.exe → 2160 the sample (re-launched copy)  ×4 (36)
  2160 the sample (re-launched copy) → 3000 WerFault.exe  ×3 (37)
  2184 Logo1_.exe → 1268 Explorer.EXE  ×2 (21)
The first six pairs are all parent-to-child writes, which ordinary process creation also produces. The seventh is the outlier: Logo1_.exe writes into Explorer.EXE, which is not its child but its parent's parent, the root of the tree.
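The extracted Signatures section carries each table as a "Name N IoCs" header followed by a column-header line with all row values run together. The following Python is an added example, not part of this report or of tria.ge: it parses that raw form back into records, handles the three table shapes the section uses (pid/process, description/ioc/process, and a free-text note under the header), and checks every parsed row count against the header's N. The input is copied from this report's own entries; the 21 drive rows are rebuilt from the drive letters the report lists, in its order. The regexes encode assumptions about the format (for instance, that the process column is a bare image name ending in .exe).

```python
"""Parse tria.ge-style flattened signature tables back into IoC records.

Added example, not part of this report or of tria.ge: the input below is
copied from this report's Signatures section as extracted (a 'Name N IoCs'
header, then a column-header line with all row values run together). The
three table shapes and the regexes are assumptions about that format.
"""
import re
from collections import Counter

SAMPLE = "ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe"
DRIVE_ROW = r"File opened (read-only) \??\%s: Logo1_.exe"

# Constructed input: five signature entries from this report. The 21 drive
# rows are rebuilt from the drive letters the report lists, in its order.
REPORT_LINES = [
    "Deletes itself 1 IoCs",
    "pid Process 2132 cmd.exe -",
    "Executes dropped EXE 2 IoCs",
    "pid Process 2184 Logo1_.exe 2160 " + SAMPLE + " -",
    "Loads dropped DLL 5 IoCs",
    "pid Process 2132 cmd.exe 3000 WerFault.exe 3000 WerFault.exe "
    "3000 WerFault.exe 3000 WerFault.exe -",
    "Drops file in Windows directory 4 IoCs",
    "description ioc Process "
    + r"File created C:\Windows\rundl132.exe " + SAMPLE + " "
    + r"File created C:\Windows\Logo1_.exe " + SAMPLE + " "
    + r"File opened for modification C:\Windows\rundl132.exe Logo1_.exe "
    + r"File created C:\Windows\vDll.dll Logo1_.exe -",
    "Enumerates connected drives 3 TTPs 21 IoCs",
    "Attempts to read the root path of hard drives other than the default C: drive.",
    "description ioc Process "
    + " ".join(DRIVE_ROW % d for d in "RJGWVMEZYXPHNLKUTSQOI") + " -",
]

HEADER = re.compile(r"^(?P<name>.+?)(?: \d+ TTPs)? (?P<count>\d+) IoCs$")
# description | ioc | process: the process column is a bare image name ending
# in .exe, and either the next row's description or end of line follows it.
FILE_ROW = re.compile(
    r"(File created|File opened for modification|File opened \(read-only\)) "
    r"(.+?) (\S+\.exe)(?= File |$)"
)
PID_ROW = re.compile(r"(\d+) (\S+)")


def parse(lines):
    """Return one {name, count, note, rows} dict per signature header."""
    sigs, cur = [], None
    for line in lines:
        line = line.strip()
        if line.endswith(" -"):  # row-group separator left by the extraction
            line = line[:-2]
        m = HEADER.match(line)
        if m:
            cur = {"name": m["name"], "count": int(m["count"]), "note": None, "rows": []}
            sigs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("description ioc Process "):
            body = line[len("description ioc Process "):]
            cur["rows"] += [{"desc": d, "ioc": i, "process": p}
                            for d, i, p in FILE_ROW.findall(body)]
        elif line.startswith("pid Process "):
            body = line[len("pid Process "):]
            cur["rows"] += [{"pid": int(p), "process": n}
                            for p, n in PID_ROW.findall(body)]
        else:
            cur["note"] = line  # free-text description under the header
    return sigs


def count_mismatches(sigs):
    """Signatures whose parsed row count differs from the 'N IoCs' header."""
    return [s["name"] for s in sigs if len(s["rows"]) != s["count"]]


def file_iocs_by_process(sigs):
    """process name -> [(description, ioc)] from the file-based tables."""
    out = {}
    for s in sigs:
        for r in s["rows"]:
            if "ioc" in r:
                out.setdefault(r["process"], []).append((r["desc"], r["ioc"]))
    return out


def pid_hits(sigs):
    """(pid, process) -> how many times it appears in the pid-based tables."""
    return Counter((r["pid"], r["process"]) for s in sigs for r in s["rows"] if "pid" in r)


SIGNATURES = parse(REPORT_LINES)

if __name__ == "__main__":
    for s in SIGNATURES:
        print(f"{s['name']}: {len(s['rows'])}/{s['count']} rows parsed")
    print("count mismatches:", count_mismatches(SIGNATURES))
    for proc, iocs in file_iocs_by_process(SIGNATURES).items():
        print(f"{proc}: {len(iocs)} file IoCs")
```

The count check is the useful part: a row count that does not match the header means the row regex mis-split a path containing a space or an ".exe" token, which is exactly where a copy-paste of IoCs into a blocklist goes wrong.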
Processes

C:\Windows\Explorer.EXE  (PID 1268)
│  command line: C:\Windows\Explorer.EXE
└─ C:\Users\Admin\AppData\Local\Temp\ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe  (PID 1768)
   │  command line: "C:\Users\Admin\AppData\Local\Temp\ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe"
   │  - Drops file in Windows directory
   │  - Suspicious use of WriteProcessMemory
   ├─ C:\Windows\SysWOW64\cmd.exe  (PID 2132)
   │  │  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB7DA.bat
   │  │  - Deletes itself
   │  │  - Loads dropped DLL
   │  │  - Suspicious use of WriteProcessMemory
   │  └─ C:\Users\Admin\AppData\Local\Temp\ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe  (PID 2160)
   │     │  command line: "C:\Users\Admin\AppData\Local\Temp\ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe"
   │     │  - Executes dropped EXE
   │     │  - Suspicious use of WriteProcessMemory
   │     └─ C:\Windows\system32\WerFault.exe  (PID 3000)
   │           command line: C:\Windows\system32\WerFault.exe -u -p 2160 -s 124
   │           - Loads dropped DLL
   └─ C:\Windows\Logo1_.exe  (PID 2184)
      │  command line: C:\Windows\Logo1_.exe
      │  - Executes dropped EXE
      │  - Enumerates connected drives
      │  - Drops file in Program Files directory
      │  - Drops file in Windows directory
      │  - Suspicious behavior: EnumeratesProcesses
      │  - Suspicious use of WriteProcessMemory
      └─ C:\Windows\SysWOW64\net.exe  (PID 2864)
         │  command line: net stop "Kingsoft AntiVirus Service"
         │  - Suspicious use of WriteProcessMemory
         └─ C:\Windows\SysWOW64\net1.exe  (PID 2840)
               command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Reading the tree together with the Signatures section: the sample (PID 1768) writes rundl132.exe and Logo1_.exe into C:\Windows, starts Logo1_.exe, and hands a batch file ($$aB7DA.bat) to cmd.exe. The batch run is flagged "Deletes itself" and then re-launches the sample's own path, which the sandbox now treats as a dropped executable (the 23KB file at that path under Downloads has different hashes from the 52KB original); that second instance (PID 2160) crashes and is picked up by Windows Error Reporting (WerFault.exe -p 2160). Logo1_.exe does the remaining work: it enumerates every drive letter from E: to Z:, writes _desktop.ini markers across Program Files and opens two executables there for modification, drops vDll.dll into C:\Windows, stops "Kingsoft AntiVirus Service" through net.exe, and writes into the memory of Explorer.EXE (PID 1268), the one WriteProcessMemory target in this report that is not the writer's own child.
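The three behaviours that stand out in the tree above (a cross-process write to a non-child, a net stop of an antivirus service, and a dropped file named one character away from a system binary) are each a cheap host-log detection. The following Python is an added example, not part of this report or of tria.ge: it encodes the report's process tree, command lines, collapsed WriteProcessMemory pairs and Windows-directory drops as constructed data, and runs three rules over them. The rules, the one-edit threshold and the allowlist of genuine system binary names are assumptions of this example; in production the allowlist would come from a signed-binary inventory, and the events from Sysmon or EDR telemetry rather than a report.

```python
"""Three triage rules run over this report's process tree and file drops.

Added example, not part of this report or of tria.ge: the process table,
command lines, memory writes and file drops below are constructed from the
report's Processes tree and Signatures; the rules, the one-edit threshold
and the allowlist of system binary names are the author's assumptions.
"""
import ntpath
import re

SAMPLE = "ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# pid -> (parent pid, image path), from the report's Processes tree
PROCESSES = {
    1268: (None, r"C:\Windows\Explorer.EXE"),
    1768: (1268, ntpath.join(TEMP, SAMPLE)),
    2132: (1768, r"C:\Windows\SysWOW64\cmd.exe"),
    2184: (1768, r"C:\Windows\Logo1_.exe"),
    2160: (2132, ntpath.join(TEMP, SAMPLE)),
    3000: (2160, r"C:\Windows\system32\WerFault.exe"),
    2864: (2184, r"C:\Windows\SysWOW64\net.exe"),
    2840: (2864, r"C:\Windows\SysWOW64\net1.exe"),
}
COMMAND_LINES = {
    2132: r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB7DA.bat",
    2864: 'net stop "Kingsoft AntiVirus Service"',
    2840: r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
    3000: r"C:\Windows\system32\WerFault.exe -u -p 2160 -s 124",
}
# (writer pid, target pid): the 25 WriteProcessMemory records collapse to these
MEMORY_WRITES = [(1768, 2132), (1768, 2184), (2184, 2864), (2864, 2840),
                 (2132, 2160), (2160, 3000), (2184, 1268)]
# (pid, action, path) from 'Drops file in Windows directory'
FILE_DROPS = [(1768, "created", r"C:\Windows\rundl132.exe"),
              (1768, "created", r"C:\Windows\Logo1_.exe"),
              (2184, "modified", r"C:\Windows\rundl132.exe"),
              (2184, "created", r"C:\Windows\vDll.dll")]
# Assumed allowlist of genuine Windows binary names; extend for real use.
KNOWN_SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "cmd.exe",
                         "net.exe", "net1.exe", "werfault.exe", "lsass.exe",
                         "csrss.exe", "winlogon.exe", "services.exe", "conhost.exe"}
NET_STOP = re.compile(r'\bnet1?\b(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
AV_WORDS = re.compile(r"anti.?virus|anti.?malware|defender|security|protect", re.I)


def is_ancestor(candidate, pid):
    """True if `candidate` sits above `pid` in the process tree."""
    parent = PROCESSES[pid][0]
    while parent is not None:
        if parent == candidate:
            return True
        parent = PROCESSES[parent][0]
    return False


def non_child_memory_writes():
    """(writer, target, target_is_writer_ancestor) for writes whose target is
    not the writer's own child; parent-to-child writes also occur during
    normal process creation, so only these are injection candidates."""
    return [(src, dst, is_ancestor(dst, src))
            for src, dst in MEMORY_WRITES if PROCESSES[dst][0] != src]


def av_service_stops():
    """(pid, service) for every net/net1 'stop' of a security-looking service."""
    hits = []
    for pid, cmd in sorted(COMMAND_LINES.items()):
        m = NET_STOP.search(cmd)
        if m and AV_WORDS.search(m.group(1)):
            hits.append((pid, m.group(1)))
    return hits


def edit_distance(a, b):
    """Levenshtein distance (two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_system_binaries():
    """(path, mimicked name) for images or dropped files under C:\\Windows whose
    name is one edit away from a genuine system binary without being one."""
    paths = [img for _, img in PROCESSES.values()] + [p for _, _, p in FILE_DROPS]
    hits = set()
    for path in paths:
        name = ntpath.basename(path).lower()
        if not path.lower().startswith(r"c:\windows") or name in KNOWN_SYSTEM_BINARIES:
            continue
        hits.update((path, k) for k in KNOWN_SYSTEM_BINARIES if edit_distance(name, k) == 1)
    return sorted(hits)


def triage():
    """All three rules as one findings dict."""
    return {"non_child_memory_writes": non_child_memory_writes(),
            "av_service_stops": av_service_stops(),
            "lookalike_system_binaries": lookalike_system_binaries()}


if __name__ == "__main__":
    for rule, findings in triage().items():
        print(rule, findings)
```

On this data the first rule returns only the Logo1_.exe → Explorer.EXE write and reports that the target is an ancestor of the writer, the second catches both the net.exe and the net1.exe command lines, and the third flags C:\Windows\rundl132.exe as a lookalike of rundll32.exe while leaving Logo1_.exe and vDll.dll alone (they mimic nothing in the allowlist, though dropping either into C:\Windows is still worth its own rule).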
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 254KB
MD5: 576f46118027bdc1d7c8e8be75fb64c4
SHA1: 661955a312849b675e85a66c15b41b163f2886a3
SHA256: a509a22398e49890b21ed2a4ef0811a77279c475771c7bced27b5ee9ef957e5c
SHA512: 2227a3807baa854f1d36f742285a12bb0359779c3533ea932cf3481bbfe4a2887aabf316438fd5511506e3746dbef8ebfec299ef66c3fbae08763d8039464771

Filesize: 474KB
MD5: 81e51673a97afb89c6762e25450e0afa
SHA1: 63756c6fbc59b14d69aad2d9f6ec8a76161f8882
SHA256: ca803738679f2d4b2b0e993df8a2b069cd61043981d0f15e56c6270063b4327f
SHA512: 0fb8a3eb57004d98ffab71aecc73724a077e796de3d723010f4afe241cd15c0e886d07a12b9927495c5b845bd50e6b4b491d611935b43b10f3fbe4b2d45e2ac3

Filesize: 722B
MD5: 3a13334c002e69b9533d0991c78cbe01
SHA1: 9ec61fdfd468a150ae51c0bc8a8df33e4db6675b
SHA256: 62841d097ad34d17e20851eca878341cc1f383e5c768bc509591e7ab709b1821
SHA512: 3419cd0fac09f3bf677003af35b8994bdabc8d952daec31dd29a638336ba8d34b80db0dd4fbf3bbf53c6ed01d55f2f6a778cfea866406a062ce6078430095d53

C:\Users\Admin\AppData\Local\Temp\ab1be4da62098e3d427de141197804441f03cb74313a99e42b820b4ff7e4a440.exe.exe
Filesize: 23KB
MD5: 3f9dbfee668294872ef01b90740b01d0
SHA1: 99a4702b65485cd14736b1c2cdfb81b455dda01c
SHA256: 40b32fea1fcadcb2db369475e2bba58b0b83f5c3bb647e2e63877726c35a9f86
SHA512: 0113cec160d97ea0cce70860cc5b79b502d16191ee237a3abb84309499be193aa0127dbcb41fc05a90fa61484b061ec4332ad29a918db598e32fe832b74bd1e3

Filesize: 29KB
MD5: a138bbeeec7d59fbd516ef0237d829c6
SHA1: e32be6ab403d2f1af197ec5543e0142320078a2a
SHA256: 046edb4bab763c08349077cc670cdfe5eaf12056913bdd6a0beb4acfe7e93e8f
SHA512: 458ff81f98d79b44edf27d2b0b981d33e9678270dd206ac59ed0333a0f2535dd7062b75e56dbe5976fc80d67c89460278eec982b025743d9465fe5360119879c

Filesize: 9B
MD5: 1368e4d784ef82633de86fa6bc6e37f9
SHA1: 77c7384e886b27647bb4f2fd364e7947e7b6abc6
SHA256: 57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772
SHA512: 3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b