Analysis
  max time kernel:   150s
  max time network:  122s
  platform:          windows7_x64
  resource:          win7-20240705-en
  resource tags:     arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  submitted:         25/07/2024, 16:52
Static task: static1

Behavioral task: behavioral1
  Sample:   78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample:   78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe
  Resource: win10v2004-20240704-en
General
  Target:  78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe
  Size:    512KB
  MD5:     008b3ec9907d9a77af4184c4bdd21363
  SHA1:    4eb6cbda2f445ebab6b5e17d24aaf9410f8f0fe2
  SHA256:  78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c
  SHA512:  3a1fd9720e2650a0863cfb1be53815224fbae4654469fa13fbd2a7cefa9ae34e9e8527086c0f667a3c711306e48e00f171b965538603454eb8050ebf3170f2b4
  SSDEEP:  6144:xj9irKZ3HIwK3EsjcNVh4FwGrOg5YnOj/9XTj8Tu6eezwJ:xjErKZ3H1GE86Vh4FwF0O6XcTus
Malware Config
Signatures

Deletes itself (1 IoC)
  PID 2060  cmd.exe

Drops startup file (2 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  Logo1_.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  Logo1_.exe

Executes dropped EXE (2 IoCs)
  PID 1460  Logo1_.exe
  PID 2944  78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe

Loads dropped DLL (2 IoCs)
  PID 2060  cmd.exe
  PID 2060  cmd.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe, in the order recorded:
    \??\N:  \??\M:  \??\Z:  \??\X:  \??\V:  \??\G:  \??\E:  \??\U:  \??\L:  \??\K:  \??\Y:
    \??\W:  \??\H:  \??\Q:  \??\P:  \??\O:  \??\J:  \??\I:  \??\T:  \??\S:  \??\R:
Drops file in Program Files directory (64 IoCs)
  Process for every entry: Logo1_.exe
  File created                  C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini
  File opened for modification  C:\Program Files\Windows Media Player\Media Renderer\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini
  File created                  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini
  File created                  C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini
  File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\_desktop.ini
  File created                  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini
  File opened for modification  C:\Program Files\Windows Journal\ja-JP\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini
  File created                  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini
  File created                  C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini
  File created                  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini
Drops file in Windows directory (4 IoCs)
  File created                  C:\Windows\Logo1_.exe    78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created                  C:\Windows\Dll.dll       Logo1_.exe
  File created                  C:\Windows\rundl132.exe  78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
    net.exe
    78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe
    net1.exe
    78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe
    Logo1_.exe
    cmd.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  PID 2040  78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe  (9 events)
  PID 1460  Logo1_.exe                                                            (22 events)
Suspicious use of WriteProcessMemory (22 IoCs)
  Columns: writer PID (process) -> target PID (process, tria.ge procid_target), number of events. Target process names are resolved from the Processes section.
  2040 (78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe)  -> 2060 (cmd.exe, procid 30)        4 events
  2040 (78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe)  -> 1460 (Logo1_.exe, procid 32)     4 events
  1460 (Logo1_.exe)                                                              -> 1984 (net.exe, procid 33)        4 events
  2060 (cmd.exe)                                                                 -> 2944 (78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe, procid 35)  4 events
  1984 (net.exe)                                                                 -> 2024 (net1.exe, procid 36)       4 events
  1460 (Logo1_.exe)                                                              -> 1380 (Explorer.EXE, procid 21)   2 events
  All rows but the last are writes from a parent into a process it had just created. The last row is different: Explorer.EXE (PID 1380) is not a child of Logo1_.exe but the ancestor of the whole tree, so these two writes are the ones worth treating as a cross-process injection indicator.
Processes

C:\Windows\Explorer.EXE  (PID 1380)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe  (PID 2040)
    command line: "C:\Users\Admin\AppData\Local\Temp\78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe"
    signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2060)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA62E.bat
      signatures: Deletes itself; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe  (PID 2944)
        command line: "C:\Users\Admin\AppData\Local\Temp\78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

    C:\Windows\Logo1_.exe  (PID 1460)
      command line: C:\Windows\Logo1_.exe
      signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe  (PID 1984)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2024)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          signatures: System Location Discovery: System Language Discovery
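The signature tables and the process tree above are the raw material for detection logic. The following is an added example, not tria.ge code and not part of the report: it re-encodes the process tree, the WriteProcessMemory rows and a subset of the file events as constructed Python records and runs five checks over them: memory writes into a process that is not the writer's child (the Logo1_.exe to Explorer.EXE rows), `net stop` of a service whose name looks security-related, PE files created directly in the Windows directory, writes under Word's STARTUP folder, and a sample relaunched at its own path through a cmd.exe-run .bat. The record layout, the security-service keyword list and the PE extension list are assumptions made for the example.

```python
"""Detections run over the events in this report. Added example, not tria.ge
code: every record below is constructed by hand from the Processes and
Signatures sections so the checks can be verified against known output."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = "78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE

Proc = Tuple[int, Optional[int], str, str]  # pid, parent pid, image, command line

# Process tree from the report (constructed records).
PROCESSES: List[Proc] = [
    (1380, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (2040, 1380, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    (2060, 2040, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c " + TEMP + r"\$$aA62E.bat"),
    (2944, 2060, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    (1460, 2040, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    (1984, 1460, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    (2024, 1984, r"C:\Windows\SysWOW64\net1.exe",
     r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

# WriteProcessMemory rows as (writer pid, target pid), one entry per event.
MEM_WRITES: List[Tuple[int, int]] = (
    [(2040, 2060)] * 4 + [(2040, 1460)] * 4 + [(1460, 1984)] * 4
    + [(2060, 2944)] * 4 + [(1984, 2024)] * 4 + [(1460, 1380)] * 2
)

# A subset of the file events as (pid, operation, path).
FILE_EVENTS: List[Tuple[int, str, str]] = [
    (2040, "create", r"C:\Windows\Logo1_.exe"),
    (2040, "create", r"C:\Windows\rundl132.exe"),
    (1460, "create", r"C:\Windows\Dll.dll"),
    (1460, "modify", r"C:\Windows\rundl132.exe"),
    (1460, "create", r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini"),
    (1460, "create", r"C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini"),
    (1460, "modify", r"C:\Program Files\Windows Sidebar\_desktop.ini"),
]

# Assumed keyword list; extend for the products in your estate.
SECURITY_WORDS = ("antivirus", "anti-virus", "defender", "security", "firewall")
NET_STOP = re.compile(r'^(?:.*\\)?net1?(?:\.exe)?\s+stop\s+"?([^"]+)"?\s*$', re.IGNORECASE)
PE_EXT = (".exe", ".dll", ".sys", ".scr")  # assumed list


def non_child_memory_writes(procs: List[Proc] = PROCESSES,
                            writes: List[Tuple[int, int]] = MEM_WRITES) -> Dict[Tuple[int, int], int]:
    """Count writes whose target is not a direct child of the writer. A parent
    writing into a process it just created is routine; anything else is the
    injection signal."""
    parent = {pid: ppid for pid, ppid, _, _ in procs}
    counts: Dict[Tuple[int, int], int] = {}
    for writer, target in writes:
        if parent.get(target) != writer:
            counts[(writer, target)] = counts.get((writer, target), 0) + 1
    return counts


def security_service_stops(procs: List[Proc] = PROCESSES) -> List[Tuple[int, str]]:
    """(pid, service name) for net/net1 'stop' of a security-named service."""
    hits = []
    for pid, _, _, cmdline in procs:
        m = NET_STOP.match(cmdline.strip())
        if m and any(w in m.group(1).lower() for w in SECURITY_WORDS):
            hits.append((pid, m.group(1)))
    return hits


def windows_root_pe_drops(events=FILE_EVENTS, procs: List[Proc] = PROCESSES) -> List[Tuple[str, str]]:
    """(path, creator image) for PE files created directly in C:\\Windows,
    not in a subfolder; ordinary software has no reason to write there."""
    image = {pid: img for pid, _, img, _ in procs}
    hits = []
    for pid, op, path in events:
        head, _, name = path.lower().rpartition("\\")
        if op == "create" and head == r"c:\windows" and name.endswith(PE_EXT):
            hits.append((path, image[pid]))
    return hits


def office_startup_drops(events=FILE_EVENTS) -> List[str]:
    """Paths written under Word's STARTUP folder, which the report flags as a startup drop."""
    return [p for _, _, p in events if "\\microsoft\\word\\startup\\" in p.lower()]


def relaunch_through_script(procs: List[Proc] = PROCESSES) -> List[Tuple[int, int]]:
    """(pid, grandparent pid) where a process runs the same image as its
    grandparent with a cmd.exe running a .bat in between: the shape of a
    sample that has a batch file replace or delete its file and run it again."""
    info = {pid: (ppid, img, cmd) for pid, ppid, img, cmd in procs}
    hits = []
    for pid, (ppid, img, _) in info.items():
        if ppid not in info or info[ppid][0] not in info:
            continue
        gp, pimg, pcmd = info[ppid]
        via_bat = pimg.lower().endswith("\\cmd.exe") and ".bat" in pcmd.lower()
        if via_bat and info[gp][1].lower() == img.lower():
            hits.append((pid, gp))
    return hits


def triage() -> Dict[str, object]:
    """Bundle the checks the way a rule engine would report them."""
    return {
        "non_child_memory_writes": non_child_memory_writes(),
        "security_service_stops": security_service_stops(),
        "windows_root_pe_drops": windows_root_pe_drops(),
        "office_startup_drops": office_startup_drops(),
        "relaunch_through_script": relaunch_through_script(),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits}")
```

On the report's events the only non-child write is Logo1_.exe (1460) into Explorer.EXE (1380), twice; the four-per-row parent-to-child writes drop out entirely, which is what makes this check usable as an alert rather than noise. The relaunch check is deliberately narrow (same image as the grandparent, batch file in between) so that legitimate updaters that spawn a new version of themselves through a different path do not match.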
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file (path not shown in report), 722B
  MD5     6af390be89f880b485664820c6596a6e
  SHA1    e125cba7340f28331bdbb9e4906c01998d292e0c
  SHA256  47c433d473a755474966528f406cc7419397c7cebcacb42cb8d623d0eeecc5a8
  SHA512  02148ac173c8184cbe0305ac3335afc48462be3b1a2ddb9f36b7fdc25d40961275445642404f164d19be5a109aef35b9fc5a082272afbc830c997d63c7da098c

C:\Users\Admin\AppData\Local\Temp\78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c.exe.exe, 468KB
  MD5     c4ccbfcc0d0a6bb476fb8e8d352b60fa
  SHA1    681a5f2227fd19e4dbdc61165f1eec37e1cb8abe
  SHA256  bdcee160a2ee7dcc8309b8db79f5eca7669ace1c06eef7f692a1037bcac1b77a
  SHA512  8b2685a02eb7670b437e0b3818678a3dd7832026c27520f273dedfdf347a73810d2dafe4863394fd629589ef963c17814c580b65549c0a4594433895be076941

Dropped file (path not shown in report), 44KB
  MD5     a1e83aa49c64944e517bc07a234dab98
  SHA1    407f1ac960be565208cf819db33efa05f2cb8bed
  SHA256  bdc5a53d89d55dec88d3b8869e21671b6a219cf99b8ddae8513492f0b8d354c0
  SHA512  324756cd823e87516dc19831b15b3bda49f0bba854b93fa29b5aca166fae9ba08a6071b05dc03302b8f22382e7967609712a5c7fca8e00eb5afb1f5801c915d4

Dropped file (path not shown in report), 9B
  MD5     c20162cff0e529974834e150d7e6691f
  SHA1    512e9821581354bd8078227ddf386b17e771ff38
  SHA256  82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6
  SHA512  c2c414232ac5fc3d7ff195523c49610795d0ea4d95c69748ef9ddd4a42203ace52a7da8594cb20102743a21b6eb5bd9e7ee5915513a9c11a0db319323538d744
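A responder who receives this report usually wants to check other hosts for the same artefacts. The script below is an added example, not tria.ge code: it looks in a Windows directory for PE files placed directly in it, walks the given roots for `_desktop.ini` files and `*.exe.exe` copies, and hashes what it finds against the SHA-256 values from the General and Downloads sections. It is written to run against a mounted image or a live host (Python rather than PowerShell so it also works from a Linux analysis box); the demo tree it builds is constructed, its placeholder contents are not the real dropped files, and the `*.exe.exe` pattern, the PE extension list and the "compare against a clean baseline" note are assumptions made for the example.

```python
"""Disk hunt for the artefacts this report lists, for a mounted image or a
live host. Added example, not tria.ge code: file names and SHA-256 values are
copied from the report; the demo tree in build_demo_tree() is constructed and
its placeholder contents are not the real dropped files."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

SAMPLE = "78ec8a8469dfb480c0a51c3ce2a122342ddf97403007f8e1a9d7b4acedb5849c"
# SHA-256 -> label, from the General and Downloads sections.
KNOWN_SHA256: Dict[str, str] = {
    SAMPLE: "submitted sample, 512KB",
    "47c433d473a755474966528f406cc7419397c7cebcacb42cb8d623d0eeecc5a8": "dropped file, 722B",
    "bdcee160a2ee7dcc8309b8db79f5eca7669ace1c06eef7f692a1037bcac1b77a": "dropped copy " + SAMPLE + ".exe.exe, 468KB",
    "bdc5a53d89d55dec88d3b8869e21671b6a219cf99b8ddae8513492f0b8d354c0": "dropped file, 44KB",
    "82f2070eb6138ab12ec2a1f0c3ca7b3b97db75cc19a5076ed382b017f309bdd6": "dropped file, 9B",
}
# Names the report shows being created directly in the Windows directory.
REPORT_WINDOWS_DROPS = {"logo1_.exe", "rundl132.exe", "dll.dll"}
PE_EXT = (".exe", ".dll")  # assumed list


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(windows_dir: str, roots: List[str],
         known: Dict[str, str] = KNOWN_SHA256) -> Dict[str, list]:
    """Findings:
    windows_root_pe: (path, sha256, note) for PE files directly in the Windows
        directory (subfolders ignored); note says whether the name is in the report
    desktop_ini: every _desktop.ini under roots; the leading underscore sets it
        apart from the legitimate desktop.ini Windows uses for folder settings
    doubled_ext: (path, sha256) for *.exe.exe files, the shape of the 468KB copy
    hash_hits: (path, label) for any hashed file matching a known SHA-256"""
    out: Dict[str, list] = {"windows_root_pe": [], "desktop_ini": [],
                            "doubled_ext": [], "hash_hits": []}
    for name in sorted(os.listdir(windows_dir)):
        full = os.path.join(windows_dir, name)
        if os.path.isfile(full) and name.lower().endswith(PE_EXT):
            note = ("named in report" if name.lower() in REPORT_WINDOWS_DROPS
                    else "not in report, compare against a clean baseline")
            out["windows_root_pe"].append((full, sha256_of(full), note))
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for f in sorted(files):
                full = os.path.join(dirpath, f)
                if f.lower() == "_desktop.ini":
                    out["desktop_ini"].append(full)
                elif f.lower().endswith(".exe.exe"):
                    out["doubled_ext"].append((full, sha256_of(full)))
    hashed = [(p, d) for p, d, _ in out["windows_root_pe"]] + out["doubled_ext"]
    out["hash_hits"] = [(p, known[d]) for p, d in hashed if d in known]
    return out


def build_demo_tree() -> Tuple[str, List[str]]:
    """Constructed layout mirroring the report's paths; contents are placeholders."""
    base = tempfile.mkdtemp(prefix="hunt_demo_")
    layout = [
        (("Windows", "Logo1_.exe"), b"MZ placeholder"),
        (("Windows", "rundl132.exe"), b"MZ placeholder"),
        (("Windows", "Dll.dll"), b"MZ placeholder"),
        (("Windows", "System32", "kernel32.dll"), b"MZ in a subfolder, not flagged"),
        (("Program Files", "VideoLAN", "VLC", "plugins", "_desktop.ini"), b"placeholder"),
        (("Program Files", "VideoLAN", "VLC", "plugins", "desktop.ini"), b"[.ShellClassInfo]"),
        (("Users", "Admin", "AppData", "Roaming", "Microsoft", "Word", "STARTUP", "_desktop.ini"), b"placeholder"),
        (("Users", "Admin", "AppData", "Local", "Temp", SAMPLE + ".exe.exe"), b"MZ placeholder copy"),
    ]
    for parts, data in layout:
        full = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    windows_dir = os.path.join(base, "Windows")
    roots = [os.path.join(base, "Program Files"), os.path.join(base, "Users")]
    return windows_dir, roots


if __name__ == "__main__":
    win, roots = build_demo_tree()
    for key, hits in hunt(win, roots).items():
        print(key, hits)
```

On a real host the Windows directory legitimately holds a few PE files (explorer.exe among them), so `windows_root_pe` is a review list rather than an alert; the note column separates the three names this report ties to the sample from everything else. Hash matches only catch byte-identical copies of the files captured in this run, which is why the name and path checks run alongside them. Run it as a user who can read the whole tree, and on a mounted image pass the mount point's `Windows`, `Program Files` and `Users` paths.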