Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system -
submitted
01/08/2024, 22:59
Static task
static1
Behavioral task
behavioral1
Sample
91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe
Resource
win10v2004-20240730-en
General
-
Target
91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe
-
Size
573KB
-
MD5
e85a10cf1c849dcccee64a8c51ed7d67
-
SHA1
38a2dc2635d8362ccf5b28d2f1204011bf226d84
-
SHA256
91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc
-
SHA512
50104c7ae5e0fae75aaa755e1edf51fa306ac290ab3ad9e9829d160d8ac6123a0d81408b60143d363dedbaba8f97861513b3a0f82743ea375be0b94529eeed03
-
SSDEEP
6144:DuJpE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQfu:l7a3iwbihym2g7XO3LWUQfh4Co
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3996 Logo1_.exe 2520 91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ha-Latn-NG\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\tr-tr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nb-no\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe Logo1_.exe File opened for modification C:\Program Files\Uninstall Information\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\WinMetadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\_desktop.ini Logo1_.exe File created C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe 91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe File created C:\Windows\Logo1_.exe 91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe 3996 Logo1_.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4132 wrote to memory of 1032 4132 91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe 83 PID 4132 wrote to memory of 1032 4132 91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe 83 PID 4132 wrote to memory of 1032 4132 91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe 83 PID 4132 wrote to memory of 3996 4132 91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe 84 PID 4132 wrote to memory of 3996 4132 91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe 84 PID 4132 wrote to memory of 3996 4132 91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe 84 PID 3996 wrote to memory of 1352 3996 Logo1_.exe 86 PID 3996 wrote to memory of 1352 3996 Logo1_.exe 86 PID 3996 wrote to memory of 1352 3996 Logo1_.exe 86 PID 1352 wrote to memory of 1324 1352 net.exe 88 PID 1352 wrote to memory of 1324 1352 net.exe 88 PID 1352 wrote to memory of 1324 1352 net.exe 88 PID 1032 wrote to memory of 2520 1032 cmd.exe 89 PID 1032 wrote to memory of 2520 1032 cmd.exe 89 PID 3996 wrote to memory of 3396 3996 Logo1_.exe 56 PID 3996 wrote to memory of 3396 3996 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe"C:\Users\Admin\AppData\Local\Temp\91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBDD2.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe"C:\Users\Admin\AppData\Local\Temp\91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe"4⤵
- Executes dropped EXE
PID:2520
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:1324
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
573KB
MD5e85a10cf1c849dcccee64a8c51ed7d67
SHA138a2dc2635d8362ccf5b28d2f1204011bf226d84
SHA25691b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc
SHA51250104c7ae5e0fae75aaa755e1edf51fa306ac290ab3ad9e9829d160d8ac6123a0d81408b60143d363dedbaba8f97861513b3a0f82743ea375be0b94529eeed03
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize639KB
MD54baecb97e22493a7726fa776cd11e9b6
SHA1af2dad28d17ec1220505a475f669bf2663893e0d
SHA256eed9c9a08f13ef7be401e0ce827001aa9849769b16dce74012e3bc6925c4fa5b
SHA51275b604ac8a896dcd06f87b35acd06eb0350b5f624cf325bb7ec1e388491f00c7e79c735a4b37468b1c46f20f34c257406f156ba5490196107b8b5a67364cdb84
-
Filesize
722B
MD55f6f6075a6c9706c9697f8d2e4b3a6b0
SHA1e60acc04ed61551cdeb59c38ae3e895f650855d1
SHA2568ddc360836d412c3e5f8b40a592eb21ff797acfd5032a19b3fffc4afa3516e01
SHA512646f75a05ef82083733a467fe46c25955305323377827af38efa086f683b6679623f6950a5cd46085258514a70fbf31199abd9ac6a0183cff13c8edc27721773
-
C:\Users\Admin\AppData\Local\Temp\91b929017e801c95d048133c80f0f22907aa4531732155300551e786d25485bc.exe.exe
Filesize544KB
MD59a1dd1d96481d61934dcc2d568971d06
SHA1f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA2568cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA5127ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa
-
Filesize
29KB
MD57df4cd4ea9e18ac4eac10b27f9b1befc
SHA1cf3502a223bd7ad9f15dc01f765bdc55304b228d
SHA256d3a2638f1ce0bfb967235ed43cb85a5d429a462d5231af8abee7219f7b8b3ae3
SHA512e7f8467655f3eab4aedbc933740a502ad95525007c27cd0ab923c8a65ce7419fdf895070e593dc5851641bc256b6881dbb728520be892f1b96a6ccd525c8bf33
-
Filesize
8B
MD534f94fcbc939d25f54e986fe97a87522
SHA1dcde2a11c5631b5dbd93ce97e503d0ff42a6f341
SHA25647f454cb045cab0f9ee28683942faddf984b88986cb761e4caa639f91ac4cdd7
SHA512aad5abbdc495f19e0997d67d3daad417eb18f3e3061de2515d3870cc6c2c417aef366de938c8c98d3b62b81ec44f5a16e1227118e28b4624c99b2c1546e1c678