Analysis
  max time kernel: 149s
  max time network: 128s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 13/09/2024, 00:55
Static task: static1
Behavioral task: behavioral1
  Sample: 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
  Resource: win10v2004-20240802-en
General
  Target: 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
  Size: 393KB
  MD5: bcd56d78f173fb0724699444a7429dec
  SHA1: 2b45440e17f73e6162c4374bd911c6a90d170541
  SHA256: 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb
  SHA512: d2fb3034d01b702463e0d4ca9d187cb0a24843f7ad506718dd9f8e0eeeaab5e1f5db82f5ab88f06fa1ef403b41bbb1d226276288ec69e9565a00d9c116cb36ec
  SSDEEP: 6144:fuJOnDXYQ/BWJjmpgtBZQZKQj8p3jyb7HREd4SZ1tzLbF:NDXYJmSTZwYp32bY4qtDF
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2612  cmd.exe
  The deletion is carried out by the cmd.exe instance that runs the $$a4D46.bat batch file from the user's Temp directory (see the process tree), not by the sample's own process.
Executes dropped EXE (2 IoCs)
  pid 2616  Logo1_.exe
  pid 2828  84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
Loads dropped DLL (1 IoC)
  pid 2612  cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe, one IoC per drive letter:
  \??\W:  \??\V:  \??\S:  \??\R:  \??\O:  \??\I:  \??\H:  \??\X:  \??\U:  \??\T:  \??\N:
  \??\M:  \??\K:  \??\Z:  \??\Q:  \??\P:  \??\J:  \??\G:  \??\E:  \??\Y:  \??\L:
Drops file in Program Files directory (64 IoCs)
  All entries are by process Logo1_.exe. Most are "_desktop.ini" files written into existing application directories; the remaining entries are existing executables opened for modification.
  File opened for modification  C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini
  File created                  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini
  File created                  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini
  File opened for modification  C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Google\Update\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\_desktop.ini
  File opened for modification  C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe
  File created                  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini
  File opened for modification  C:\Program Files\Java\jre7\bin\jp2launcher.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Defender\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini
  File created                  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini
  File opened for modification  C:\Program Files\Java\jre7\lib\fonts\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini
  File created                  C:\Program Files (x86)\Google\Update\Install\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini
  File created                  C:\Program Files\DVD Maker\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\plugins\mux\_desktop.ini
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini
  File created                  C:\Program Files\Microsoft Games\FreeCell\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini
  File created                  C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini
  File created                  C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini
  File created                  C:\Program Files (x86)\Adobe\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini
  File created                  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini
Drops file in Windows directory (4 IoCs)
  File created                  C:\Windows\Logo1_.exe     84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
  File opened for modification  C:\Windows\rundl132.exe   Logo1_.exe
  File created                  C:\Windows\vDll.dll       Logo1_.exe
  File created                  C:\Windows\rundl132.exe   84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
    84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
    Logo1_.exe
    net.exe
    cmd.exe
    net1.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2616  Logo1_.exe  (all 10 events)
Suspicious use of WriteProcessMemory (22 IoCs)
  Target process names are taken from the process tree below; procid_target is the report's own index for the target process.
  PID 2656 (84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe) wrote to memory of 2612 (cmd.exe), procid_target 30, 4 events
  PID 2656 (84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe) wrote to memory of 2616 (Logo1_.exe), procid_target 31, 4 events
  PID 2616 (Logo1_.exe) wrote to memory of 2936 (net.exe), procid_target 32, 4 events
  PID 2936 (net.exe) wrote to memory of 2584 (net1.exe), procid_target 35, 4 events
  PID 2612 (cmd.exe) wrote to memory of 2828 (84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe), procid_target 36, 4 events
  PID 2616 (Logo1_.exe) wrote to memory of 1184 (Explorer.EXE), procid_target 21, 2 events
  Every entry except the last targets a child the writer had just spawned (compare the process tree). The two writes from Logo1_.exe into Explorer.EXE target a process Logo1_.exe did not create, so those are the ones to treat as process injection when triaging this report.
Processes
  C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1184
    C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe"
      PID: 2656
      signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4D46.bat
        PID: 2612
        signatures: Deletes itself; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe"
          PID: 2828
          signatures: Executes dropped EXE
      C:\Windows\Logo1_.exe
        command line: C:\Windows\Logo1_.exe
        PID: 2616
        signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net.exe
          command line: net stop "Kingsoft AntiVirus Service"
          PID: 2936
          signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\net1.exe
            command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID: 2584
            signatures: System Location Discovery: System Language Discovery
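The process chain in this report, turned into detection logic, as an added example that is not part of the sandbox report. The event records are constructed by hand from the process tree (PIDs, image paths and command lines as listed there); the record schema (pid, ppid, image, cmdline) is an assumed Sysmon-like layout, and the allowlist of binaries expected directly under C:\Windows is an assumption to be tuned against a known-good install. Four rules are encoded: cmd.exe running a "$$<id>.bat" from a Temp directory, net/net1 stopping an antivirus service, an unexpected executable directly in C:\Windows, and a cmd.exe child that re-launches the same binary cmd.exe's own parent ran as.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (assumed Sysmon-like field names)."""
    pid: int
    ppid: int
    image: str      # full path of the executable that started
    cmdline: str    # command line it was started with


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe")

# Constructed from the report's process tree; ppid 0 stands in for
# Explorer's parent, which the tree does not show.
EVENTS: List[ProcEvent] = [
    ProcEvent(1184, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2656, 1184, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2612, 2656, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a4D46.bat"),
    ProcEvent(2828, 2612, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2616, 2656, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2936, 2616, r"C:\Windows\SysWOW64\net.exe",
              'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(2584, 2936, r"C:\Windows\SysWOW64\net1.exe",
              r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]

# cmd.exe /c running a "$$<id>.bat" batch out of a Temp directory: the
# self-delete / re-launch helper seen in the tree above.
TEMP_BATCH = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+.*\\Temp\\\$\$[^\\\s]+\.bat", re.I)
# net or net1 stopping a service whose name contains "antivirus".
NET_STOP_AV = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?[^"]*anti-?virus', re.I)
# An executable sitting directly in C:\Windows rather than a subdirectory.
WINDOWS_ROOT_EXE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.I)
# Assumed allowlist of binaries that legitimately live in C:\Windows itself;
# extend it from a known-good image before relying on the rule.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                      "write.exe", "winhlp32.exe", "splwow64.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Run the four rules over a batch of events; return sorted (rule, pid)."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = set()
    for e in events:
        if TEMP_BATCH.search(e.cmdline):
            hits.add(("temp_batch_via_cmd", e.pid))
        if NET_STOP_AV.search(e.cmdline):
            hits.add(("av_service_stop", e.pid))
        if WINDOWS_ROOT_EXE.match(e.image) and basename(e.image) not in WINDOWS_ROOT_ALLOW:
            hits.add(("unexpected_windows_root_exe", e.pid))
        # A child of cmd.exe whose image is the same binary as cmd.exe's own
        # parent: the batch re-launched the program that wrote it.
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image) == "cmd.exe":
            grand = by_pid.get(parent.ppid)
            if grand and grand.image.lower() == e.image.lower():
                hits.add(("reexec_via_cmd_batch", e.pid))
    return sorted(hits)


if __name__ == "__main__":
    images = {e.pid: e.image for e in EVENTS}
    for rule, pid in detect(EVENTS):
        print(f"{rule:28s} pid={pid:<5d} {images[pid]}")
```

Run on the constructed events, the rules flag cmd.exe (2612) for the Temp batch, both net.exe (2936) and net1.exe (2584) for the service stop, Logo1_.exe (2616) as an unexpected binary in C:\Windows, and the second copy of the sample (2828) as a re-launch through cmd.exe. Explorer.EXE is matched by the root-directory regex but excluded by the allowlist, which is why that list matters.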
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 254KB
    MD5: 3ca1bf22fc4c86f1ffd00a866ab6ff39
    SHA1: 059063c11ade4cafeb9eea49592aa4a049ee9269
    SHA256: 1123254ef1434c7002e054e89afbbb5a47cba9aff92916c03203e3dff7704220
    SHA512: 5ff6e33ff4e45571b0684ddc95e4ffaf8260151b2fcd2ae9be2bd72be27ee8e8364e2185e1df5f1019e9d9d937b757bcd538483ca12d0eca6cc7f36bd88d81b0
  File 2
    Filesize: 474KB
    MD5: 6eabc463f8025a7e6e65f38cba22f126
    SHA1: 3e430ee5ec01c5509ed750b88d3473e7990dfe95
    SHA256: cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7
    SHA512: c8fde7026ac8633403bbefee4b044457184388fb7343d8c46f5f7f272724227976bf485ea91da49e2a85dd0cfb73f260ac705d8007333dd3e5539fe5ed67e3ab
  File 3
    Filesize: 722B
    MD5: b73dae8052d24a9873bf1820033110c0
    SHA1: fa36683e4fb65d728f10f5d15d536f4c0e5754ed
    SHA256: 8c921e272d7706b703e30715ffddf361eab96802b329b283ecaf35d3a9d255a6
    SHA512: 1e2fd5692126933b888844596ed0412001e082bde40e64dfb200553ad6fead18cd76cb65664f53baf9ed62a7b4f160be6f63584ee16b768385de21038ed3e6aa
  C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe.exe
    Filesize: 364KB
    MD5: 213eeb5e8f54231f68e5b26a0fc81bd1
    SHA1: 1bc31a42536eacbb57d1cd92ec4b5524a82264d2
    SHA256: b309045509efc205eb35d6037d64640093fde6c54ec5934e329b447417005a50
    SHA512: ce35c5f453126c98329df141f821c55692f9252549c76921c231d8170df356cda1689e636758519c0b6898f11b5c836cdb4967d296b99f915e4d1980470a083b
  File 5
    Filesize: 29KB
    MD5: 8e134732e471b77cbaecf5d11f8d6949
    SHA1: 62db8b6ef2f8ff0893f692fd3fd36d704fc43c67
    SHA256: 0f65cfb0d4c3fda3b0c30629eee04caa0341dcb465a585c07f9f43652bd9bc71
    SHA512: 30e7ebf198886879a59515016dbc5c752594b18e27de067871a17dacdb478cfc02327e77e8a699c292fa8620c7ca4af230d37d76ed92621c3807c882ba42f6bc
  File 6
    Filesize: 9B
    MD5: 475984718232cf008bb73666d834f1f4
    SHA1: 12f23c9301c222f599a279e02a811d274d0f4abc
    SHA256: a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5
    SHA512: 80235dc2560b7991d79f9550cdeca6ac02c00cee6bf186f8f20d4ff3fbd7718be937b73ab768d71c4027e153557b08bbfd95ea88d2e0857a7c70cf1da6fa9937
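A host sweep built from this report's indicators, as an added example that is not part of the sandbox report. It combines the SHA-256 values listed above with the file-name indicators from the Signatures section (Logo1_.exe, rundl132.exe and vDll.dll dropped directly in C:\Windows, and "_desktop.ini" files written under Program Files trees). The snapshot it runs on is constructed: the file names follow the report, the contents are dummies, so the hash rule is exercised separately with a constructed digest. The sweep_tree helper applies the same checks to a real directory, for instance the root of a mounted disk image.

```python
import hashlib
import os
from typing import Dict, Iterable, List

# SHA-256 values listed in the report (General and Downloads sections).
REPORT_SHA256 = {
    "84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb",  # submitted sample
    "1123254ef1434c7002e054e89afbbb5a47cba9aff92916c03203e3dff7704220",
    "cc8da3ecd355b519d81415d279ed037c725ba221bf323d250aa92ee2b2b88ca7",
    "8c921e272d7706b703e30715ffddf361eab96802b329b283ecaf35d3a9d255a6",
    "b309045509efc205eb35d6037d64640093fde6c54ec5934e329b447417005a50",
    "0f65cfb0d4c3fda3b0c30629eee04caa0341dcb465a585c07f9f43652bd9bc71",
    "a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5",
}

# Files the report shows dropped directly under C:\Windows
# (drive letter stripped, lower-cased).
WINDOWS_DROPS = {r"windows\logo1_.exe", r"windows\rundl132.exe", r"windows\vdll.dll"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def normalise(rel_path: str) -> str:
    """Path -> backslash form, lower-cased, drive prefix and leading slash removed."""
    p = rel_path.replace("/", "\\").lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p.lstrip("\\")


def classify(rel_path: str, sha256_hex: str,
             hashes: Iterable[str] = REPORT_SHA256) -> List[str]:
    """Reasons a file matches the report's indicators (empty list = no match)."""
    reasons = []
    p = normalise(rel_path)
    if sha256_hex in set(hashes):
        reasons.append("sha256 listed in report")
    if p in WINDOWS_DROPS:
        reasons.append("file name dropped in Windows directory")
    # Logo1_.exe writes "_desktop.ini" (leading underscore) into Program Files
    # trees; the legitimate shell metadata file is "desktop.ini".
    if p.startswith("program files") and p.rsplit("\\", 1)[-1] == "_desktop.ini":
        reasons.append("_desktop.ini marker under Program Files")
    return reasons


def sweep(files: Dict[str, bytes],
          hashes: Iterable[str] = REPORT_SHA256) -> Dict[str, List[str]]:
    """In-memory sweep over {volume-relative path: content}."""
    out = {}
    for path, data in files.items():
        reasons = classify(path, sha256_bytes(data), hashes)
        if reasons:
            out[path] = reasons
    return out


def sweep_tree(root: str, hashes: Iterable[str] = REPORT_SHA256) -> Dict[str, List[str]]:
    """Same checks over a real directory, e.g. the root of a mounted image."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue
            reasons = classify(os.path.relpath(full, root), digest, hashes)
            if reasons:
                out[full] = reasons
    return out


# Constructed snapshot: names follow the report, contents are dummies.
CONSTRUCTED_SNAPSHOT = {
    r"Windows\Logo1_.exe": b"MZ constructed dropper body",
    r"Windows\rundl132.exe": b"MZ constructed second drop",
    r"Windows\notepad.exe": b"MZ benign system binary",
    r"Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini": b"",
    r"Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\desktop.ini": b"[.ShellClassInfo]",
    r"Users\Admin\Documents\notes.txt": b"nothing to see",
}

if __name__ == "__main__":
    for path, reasons in sweep(CONSTRUCTED_SNAPSHOT).items():
        print(path, "->", "; ".join(reasons))
```

On the constructed snapshot the two dropped names in Windows and the underscore-prefixed desktop.ini are reported; notepad.exe and the genuine desktop.ini are not. Name-based matches are the weaker signal (a renamed copy evades them), so on a real host pair them with the hash set and with the process-tree rules from the previous example.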