Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 14/08/2024, 07:37
Static task: static1
Behavioral task: behavioral1
- Sample: 2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe
- Resource: win10v2004-20240802-en
General
- Target: 2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe
- Size: 1.1MB
- MD5: 5a8018168c71b8f6e85458bfe043ca52
- SHA1: e81d346c4584f7574bc9bbeafaff81dad805e45f
- SHA256: 2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b
- SHA512: 4871a70e741ac705dfd729c873b9dd5d102fe6f1c886187adabe6c021bc0aab52456e29da6d1770092cc7cdb3d97464ee50a6f73b57e10c2a5a04790cfbe22d0
- SSDEEP: 12288:q/S88rXg+wb1EI/QCmhfxl9QR12OAQHwV6V4:28jg+waI/Q/hpleR12O/
Malware Config
Signatures
- Deletes itself (1 IoC)
  - PID 2272 cmd.exe
- Executes dropped EXE (2 IoCs)
  - PID 2584 Logo1_.exe
  - PID 1916 2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe
- Loads dropped DLL (3 IoCs)
  - PID 2272 cmd.exe
  - PID 2272 cmd.exe
  - PID 2920 dw20.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only) by Logo1_.exe: \??\G:, \??\X:, \??\W:, \??\V:, \??\T:, \??\Q:, \??\J:, \??\U:, \??\S:, \??\R:, \??\P:, \??\E:, \??\Z:, \??\Y:, \??\N:, \??\M:, \??\K:, \??\I:, \??\O:, \??\L:, \??\H:
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  - File created C:\Windows\vDll.dll by Logo1_.exe
  - File created C:\Windows\rundl132.exe by 2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe
  - File created C:\Windows\Logo1_.exe by 2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe
  - File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: 2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe, Logo1_.exe, cmd.exe, net.exe, 2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe, net1.exe, dw20.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  - PID 2584 Logo1_.exe (10 events)
- Suspicious use of WriteProcessMemory (26 IoCs)
  - PID 2192 (2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe) wrote to memory of PID 2272, target procid 30 (4 events)
  - PID 2192 (2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe) wrote to memory of PID 2584, target procid 31 (4 events)
  - PID 2584 (Logo1_.exe) wrote to memory of PID 1720, target procid 33 (4 events)
  - PID 1720 (net.exe) wrote to memory of PID 2660, target procid 35 (4 events)
  - PID 2272 (cmd.exe) wrote to memory of PID 1916, target procid 36 (4 events)
  - PID 1916 (2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe) wrote to memory of PID 2920, target procid 37 (4 events)
  - PID 2584 (Logo1_.exe) wrote to memory of PID 1340, target procid 21 (2 events)
Processes
- C:\Windows\Explorer.EXE (PID 1340)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe (PID 2192)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2272)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1C38.bat
      Signatures: Deletes itself; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe (PID 1916)
        Command line: "C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 2920)
          Command line: dw20.exe -x -s 416
          Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
    - C:\Windows\Logo1_.exe (PID 2584)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 1720)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2660)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 254KB
  MD5: 586340b58f02ffb1b754d46c776ecaa9
  SHA1: d860ee44aedafb70befe321b936c5eba49dbdda3
  SHA256: 3f2a34592999a9ed095c898b45cb55f54712ed0486bda1f3bb54ae798516639b
  SHA512: 8c3b824fa1462406a81f60ffaa1ff8f517d3d0503e6653eee5b1d5f312ee0e13d2b9d2767f5b1f3f8644f28e5c40da1956a781551752c056332ed76ef62dbe58
- Filesize: 474KB
  MD5: c14a5111b798cff20d7d66b0e035d409
  SHA1: 29f0894552b30815fed6ad231b5721e876869552
  SHA256: fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6
  SHA512: a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b
- Filesize: 722B
  MD5: a51f0bfb5fccfd09c854d32a9e28eb5a
  SHA1: 46d7ac7620ba8e08c47c41b3f7cc4ff760a84570
  SHA256: bd50d1362f3109b00c839ca5b4454267881821eaa156d15c868e7d4d0d9de9f3
  SHA512: 557fb3e07c36ab5d6d145fbb2694293e63c5e2a16116d75c3e480b12a9431164c602d048d5814c3102bbd6d2224dfb225db28dd6acccaa81df563bd46670982a
- C:\Users\Admin\AppData\Local\Temp\2a1ef429eca43e724324e8351825255ac86cac29b6fc972bb82743620b47382b.exe.exe
  Filesize: 1.1MB
  MD5: aea8a93c9b6c176ad19580c0a9e5b480
  SHA1: c0d71d5fef8257837a0f1ce4867755416484a05a
  SHA256: 4a27a6824e34a250a350d42461e0768e306f908cb8e5a2faf3e2eae22d218c25
  SHA512: c539a02963e5aa3aaa453ce1c14b9e92cbf079f9f5ee593cc653192f57aed2dd05fe6c221fc53d633e45bdca4a879cc0175b4bb349c7b89126bbedb1059fe033
- Filesize: 29KB
  MD5: e204efa82c4df71160c451caec4787e5
  SHA1: e56ddb6d0afdb9aa1bf4808765b25cf4a2fdc279
  SHA256: 4ff7272e95a79354eb6d72c784593bd6a0820fe9e512ff176a51fef8929b5bd9
  SHA512: 6ee14cc010de5b04eee707242a6f4471739cc62bf86a332d5c0e90f15a778fe2ef1d8e1bf7f86a603cbf00fa8e302c09f533f837f5d67f62743396074ed030c9
- Filesize: 9B
  MD5: fa81249b1f991386d1e1de2a5a03499e
  SHA1: 70e9b6e238a42e7472c1f5f2f4ea3f86f8352185
  SHA256: 5421d45a710074ffe77329c2300e528ce8feceb0748aacbd89ef2ed0aae5a87f
  SHA512: bc652d20db7ab6bde42b15f5639c2b36e000179c232c4b9e3e218e670b93a6d7b73530b3bd6fdfca5d61c5a578c1e7508fb97f9bffdfa17dff214359b094e409