Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11/08/2024, 19:56
Static task
static1
Behavioral task
behavioral1
Sample
8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe
Resource
win10v2004-20240802-en
General
-
Target
8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe
-
Size
88KB
-
MD5
b9844b9f674ca46f85caaab2410a8bf7
-
SHA1
eb94964cf3b89ec303d1e317899b55a9f39d792d
-
SHA256
8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf
-
SHA512
a2f6c5204c983ebdd6a0fe5f02c89f37042ca69586399b1762b6e67db06ac438898593d13b9c7d44a9f58cee31ae613a8fc7ff7a1f4ad88cb72ab58850820979
-
SSDEEP
1536:pf1d93SHuJV9Ntyapmebn4ddJZeY86iLflLJYEIs67rxo:pfFkuJVL8LK4ddJMY86ipmns6S
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3608 Logo1_.exe 3852 8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\Adobe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\dtplugin\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\he-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Internet Explorer\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hu-hu\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\View3d\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\View3d\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Temp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe 8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe File created C:\Windows\Logo1_.exe 8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe 3608 Logo1_.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3392 wrote to memory of 2140 3392 8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe 84 PID 3392 wrote to memory of 2140 3392 8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe 84 PID 3392 wrote to memory of 2140 3392 8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe 84 PID 3392 wrote to memory of 3608 3392 8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe 85 PID 3392 wrote to memory of 3608 3392 8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe 85 PID 3392 wrote to memory of 3608 3392 8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe 85 PID 3608 wrote to memory of 1792 3608 Logo1_.exe 87 PID 3608 wrote to memory of 1792 3608 Logo1_.exe 87 PID 3608 wrote to memory of 1792 3608 Logo1_.exe 87 PID 1792 wrote to memory of 2744 1792 net.exe 89 PID 1792 wrote to memory of 2744 1792 net.exe 89 PID 1792 wrote to memory of 2744 1792 net.exe 89 PID 2140 wrote to memory of 3852 2140 cmd.exe 90 PID 2140 wrote to memory of 3852 2140 cmd.exe 90 PID 3608 wrote to memory of 3436 3608 Logo1_.exe 56 PID 3608 wrote to memory of 3436 3608 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3436
-
C:\Users\Admin\AppData\Local\Temp\8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe"C:\Users\Admin\AppData\Local\Temp\8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB14E.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe"C:\Users\Admin\AppData\Local\Temp\8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe"4⤵
- Executes dropped EXE
PID:3852
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:2744
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
247KB
MD5c956a319f9e83c47efe8f30acbcab757
SHA1f964d8f25a289f378a4024c3fa1f5e5c434547e8
SHA256fc6f3029b993595c3371740bbc1f7efa4b17d5aca1daea44987e39f38a3025f9
SHA512f66f2b06c720f27da9f6348d25cf1dd7035d87968293e72191eb005f74cf953546f7e3533f7d269dfa291c827b2efa072f5ae3134f86e4afaba6352cdc92282d
-
Filesize
573KB
MD539a67a77ab1a78736038d9ae9dacd472
SHA126a271cd615916609a10d6faff8b0c50933625b3
SHA256d5368cca1488205a338f6c4164ad686df03b43f22f303489eb8f079880295be4
SHA5128c0da41980ae18d3bfea44dc6f2b8db6dae72356230c4496433f875e83fe84dc63dc4ee1a6f161ad7a69a53627d6d5f0e3ac7060f00adc2b3c5b5f623f9568e9
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize639KB
MD5fd93240910d7b1f0744b83d0f7bc706a
SHA1508d162f4e5c8541f6cc1389a9f83c049bf848c0
SHA2563803edada5f998dc92eb477e572fb4785eb4003285dab3ad2e0bc269e7ff2152
SHA512d6f65e92a7afddd3e1879449a64943daeaa435fa217f386f7bee28a602a091998bf31bc29c01879228e705dcef59794c3361aa4b3417a2b653d9d40aaf764500
-
Filesize
722B
MD5ae1327c514f972f5d8f1973e849af7f0
SHA12ed26e6bfe08f82c3ee1300b436f8cb8d441b25d
SHA256d61ff64942af9c5d425e0b0af6b4756d9b0c43c63a58b87c40c5db0239dbabda
SHA512e2979af38e0a6fe7a6d076d7a7ce9a9b1112c1e994d1ec642f4fa615e72e4dbc6f825906956f3d9ef4c5800e87f436de9f87599f806ad1c6728c4df14b084b63
-
C:\Users\Admin\AppData\Local\Temp\8784bb93b9c1e49191218d6c0193778dc69a4028e4cef3071ba5020b2747cddf.exe.exe
Filesize59KB
MD5dfc18f7068913dde25742b856788d7ca
SHA1cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
SHA256ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
SHA512d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945
-
Filesize
29KB
MD544e459665555aa71b27739a4c8e0ce2e
SHA1a356a45529a77684280cab95f9658263facadedc
SHA256791918b0fdd6d93878a051a648a2d60d04f2e12fb5428d138dcc2b63fbf94c13
SHA512ede586c602defafd40a4507989f664d3345a5b0b2172251e10f84d87e44ee56b9546e04c7f7aeb621d72be7714de56f01ca06c0cf266938165d3408cc92969b7
-
Filesize
9B
MD579a2fb76ad00a8ac07f11b6a179f5297
SHA172b4f589fd7945d8c80b370d1d3a1f2467f3eb81
SHA2562f723e98c3a3556269a4d81d4a27d6a0ab13a84c5ba737493c07354a2608684f
SHA5123a21c2e60e8e035fb90d428e86bb927077d8354a16f1abc291ccba4a4d7fee4f51cf781fa9202e5602a88ca70a6ba264ac49762100be5f6e09a2ec930e098168