Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/09/2024, 19:33
Static task: static1
Behavioral task: behavioral1
- Sample: 4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe
- Resource: win10v2004-20240802-en
General
- Target: 4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe
- Size: 52KB
- MD5: fa2a8fcf49048bc8c095c6db30042ef7
- SHA1: e53cd9957713e1e17e4e31a5d02742ba301a9a91
- SHA256: 4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61
- SHA512: 63e31442627636c840d23abe27d173d247e1fd9008e2d2796e57ff80215de37696c81fc79e27e87df3300252b33df9abc3b7da95f7b3caca96462cbaa355b688
- SSDEEP: 768:/b016GVRu1yK9fMnJG2V9dDClcxGqgt6jpYU5ltbDrYiI0oPxWExI:Te3SHuJV9Qaxo6jWWvr78Pxc
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid / Process: 3028 cmd.exe
- Executes dropped EXE (2 IoCs)
  pid / Process: 2336 Logo1_.exe; 2848 4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe
- Loads dropped DLL (5 IoCs)
  pid / Process: 3028 cmd.exe; 2732 WerFault.exe (4 entries)
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe: \??\X:, \??\W:, \??\O:, \??\L:, \??\Z:, \??\I:, \??\H:, \??\G:, \??\E:, \??\V:, \??\S:, \??\R:, \??\K:, \??\J:, \??\N:, \??\M:, \??\Y:, \??\U:, \??\T:, \??\Q:, \??\P:
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  File created C:\Windows\rundl132.exe (4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe)
  File created C:\Windows\Logo1_.exe (4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe)
  File opened for modification C:\Windows\rundl132.exe (Logo1_.exe)
  File created C:\Windows\vDll.dll (Logo1_.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: 4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe, Logo1_.exe, net.exe, cmd.exe, net1.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid / Process: 2336 Logo1_.exe (10 entries)
- Suspicious use of WriteProcessMemory (25 IoCs)
  description / pid / Process / procid_target:
  PID 1680 wrote to memory of 3028 / 1680 / 4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe / 30 (4 entries)
  PID 1680 wrote to memory of 2336 / 1680 / 4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe / 31 (4 entries)
  PID 2336 wrote to memory of 2696 / 2336 / Logo1_.exe / 32 (4 entries)
  PID 2696 wrote to memory of 2860 / 2696 / net.exe / 35 (4 entries)
  PID 3028 wrote to memory of 2848 / 3028 / cmd.exe / 36 (4 entries)
  PID 2848 wrote to memory of 2732 / 2848 / 4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe / 37 (3 entries)
  PID 2336 wrote to memory of 1208 / 2336 / Logo1_.exe / 21 (2 entries)
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), level 1, PID 1208
  - C:\Users\Admin\AppData\Local\Temp\4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe (command line: "C:\Users\Admin\AppData\Local\Temp\4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe"), level 2, PID 1680
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a930C.bat), level 3, PID 3028
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe (command line: "C:\Users\Admin\AppData\Local\Temp\4c097ef714de4e0ba7ddcbe7cd7b1eae8eec1c2597c15449b16ba3a80e10da61.exe"), level 4, PID 2848
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\WerFault.exe (command line: C:\Windows\system32\WerFault.exe -u -p 2848 -s 124), level 5, PID 2732
          - Loads dropped DLL
    - C:\Windows\Logo1_.exe (command line: C:\Windows\Logo1_.exe), level 3, PID 2336
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (command line: net stop "Kingsoft AntiVirus Service"), level 4, PID 2696
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"), level 5, PID 2860
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads