Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 00:55
Static task
static1
Behavioral task
behavioral1
Sample
84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
Resource
win10v2004-20240802-en
General
-
Target
84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe
-
Size
393KB
-
MD5
bcd56d78f173fb0724699444a7429dec
-
SHA1
2b45440e17f73e6162c4374bd911c6a90d170541
-
SHA256
84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb
-
SHA512
d2fb3034d01b702463e0d4ca9d187cb0a24843f7ad506718dd9f8e0eeeaab5e1f5db82f5ab88f06fa1ef403b41bbb1d226276288ec69e9565a00d9c116cb36ec
-
SSDEEP
6144:fuJOnDXYQ/BWJjmpgtBZQZKQj8p3jyb7HREd4SZ1tzLbF:NDXYJmSTZwYp32bY4qtDF
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3108 Logo1_.exe 4872 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\IDPValueAssets\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\_desktop.ini Logo1_.exe File created C:\Program Files\Crashpad\reports\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe File created C:\Windows\Logo1_.exe 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe 3108 Logo1_.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2704 wrote to memory of 2304 2704 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe 83 PID 2704 wrote to memory of 2304 2704 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe 83 PID 2704 wrote to memory of 2304 2704 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe 83 PID 2704 wrote to memory of 3108 2704 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe 84 PID 2704 wrote to memory of 3108 2704 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe 84 PID 2704 wrote to memory of 3108 2704 84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe 84 PID 3108 wrote to memory of 1888 3108 Logo1_.exe 86 PID 3108 wrote to memory of 1888 3108 Logo1_.exe 86 PID 3108 wrote to memory of 1888 3108 Logo1_.exe 86 PID 1888 wrote to memory of 2856 1888 net.exe 89 PID 1888 wrote to memory of 2856 1888 net.exe 89 PID 1888 wrote to memory of 2856 1888 net.exe 89 PID 2304 wrote to memory of 4872 2304 cmd.exe 90 PID 2304 wrote to memory of 4872 2304 cmd.exe 90 PID 3108 wrote to memory of 3416 3108 Logo1_.exe 56 PID 3108 wrote to memory of 3416 3108 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe"C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6503.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe"C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe"4⤵
- Executes dropped EXE
PID:4872
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:2856
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
247KB
MD59df527acc87f26a8f2c7444df43e085f
SHA12422617c1032273b617371e9499b54a0412396c5
SHA2561b645faae7ad7459e6f330421830287300c911767c45e6feb2c09aba83f4afeb
SHA512ae86248982dc4e0c4b04e0c582e73e96e2267c210c8d211b86e185dc9b656173bb87e1c2e628b3988c00330d3bb2204f35d7c88d2bda0ce6e75be22d2b8393a4
-
Filesize
573KB
MD56b2762087a97b1b3e56309a81dd70270
SHA1d6864f4a0c9e0c50d36f16ba0b02ff25cd197e06
SHA25660b0b5797b7ed230e9421c64b2b9e06aea98ff9827462e40fb18b92786ac376e
SHA512fe17526bbbf3690c9d24bb59d413467aeae46dbe43017b6d9c1ecd47cd96f844efe5bdd46bdfc543f8d2827cfad4dfafab18b19960f046ed45f91b146e5aa2fa
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize639KB
MD5c8d281da4c32df16eef470c27c8cb459
SHA100efc9f6844bfaa37c264b6452c6a7356638ab10
SHA256058c81e5a07f2c6c33cf28dff71d07ad8f179046108d945159957e891bfd9c62
SHA512e3c79e19f620068f668d4ebaa5097f1a95a30dabb8dce75f3787171dddbea9f684fc7ce8d1011a398f38084d7af96dd1ff9a02d25906aab9b13861b8363d24bb
-
Filesize
722B
MD5a525d5c4c918282c10cb8fca1a2deb24
SHA1b75683eba0fc3d9c4f6315b1cea1d80e00fa58c0
SHA2562828ea084c826a6f1107c5de7e63c537858a2582d356d656b5264d84734444d5
SHA512445ea4304f6cdbbbb33b99ece200141e9be8f4381da8e64c8dd7035a39ffa40baa21067a7410cae4ac2967e6755c7874ce3e31c73e45ac490be2e9b07ede8055
-
C:\Users\Admin\AppData\Local\Temp\84e227d9961f1cf5db7032fdb3733a65da0994a5d408c3ea7f4c9616369112fb.exe.exe
Filesize364KB
MD5213eeb5e8f54231f68e5b26a0fc81bd1
SHA11bc31a42536eacbb57d1cd92ec4b5524a82264d2
SHA256b309045509efc205eb35d6037d64640093fde6c54ec5934e329b447417005a50
SHA512ce35c5f453126c98329df141f821c55692f9252549c76921c231d8170df356cda1689e636758519c0b6898f11b5c836cdb4967d296b99f915e4d1980470a083b
-
Filesize
29KB
MD58e134732e471b77cbaecf5d11f8d6949
SHA162db8b6ef2f8ff0893f692fd3fd36d704fc43c67
SHA2560f65cfb0d4c3fda3b0c30629eee04caa0341dcb465a585c07f9f43652bd9bc71
SHA51230e7ebf198886879a59515016dbc5c752594b18e27de067871a17dacdb478cfc02327e77e8a699c292fa8620c7ca4af230d37d76ed92621c3807c882ba42f6bc
-
Filesize
9B
MD5475984718232cf008bb73666d834f1f4
SHA112f23c9301c222f599a279e02a811d274d0f4abc
SHA256a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5
SHA51280235dc2560b7991d79f9550cdeca6ac02c00cee6bf186f8f20d4ff3fbd7718be937b73ab768d71c4027e153557b08bbfd95ea88d2e0857a7c70cf1da6fa9937