Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2024, 02:11
Static task: static1
Behavioral task: behavioral1
- Sample: 7124121e5367139bb98a250b634bf65327fd3f4df354b202e07637ded7f0bd0d.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 7124121e5367139bb98a250b634bf65327fd3f4df354b202e07637ded7f0bd0d.exe
- Resource: win10v2004-20240910-en
General
- Target: 7124121e5367139bb98a250b634bf65327fd3f4df354b202e07637ded7f0bd0d.exe
- Size: 340KB
- MD5: ba1555c2c80849921f06654f22d1349a
- SHA1: 8bdf38f63979bc8b78bab7089557398e15372dcc
- SHA256: 7124121e5367139bb98a250b634bf65327fd3f4df354b202e07637ded7f0bd0d
- SHA512: c1afa6894d444a99cecb7ba34aa1233b85960e271a268324b6333f1df9a0a9e52bd45f6890c821fa65e09df07565af27a7f8ac52f870cd4e105b20fc6422059a
- SSDEEP: 6144:fFpj74Y9Pw2nPuzz2jGzRbLWzgJsesFYdgOKCOEGQVHog7s41VxzDe:9pp9oUkz2KzZC8se9djKyVH6O6
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2164, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2820, process Logo1_.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Logo1_.exe opened (read-only) the drive roots \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y: and \??\Z:
- Drops file in Program Files directory (64 IoCs, process Logo1_.exe)
- Drops file in Windows directory (4 IoCs)
  File created C:\Windows\rundl132.exe by 7124121e5367139bb98a250b634bf65327fd3f4df354b202e07637ded7f0bd0d.exe
  File created C:\Windows\Logo1_.exe by 7124121e5367139bb98a250b634bf65327fd3f4df354b202e07637ded7f0bd0d.exe
  File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
  File created C:\Windows\vDll.dll by Logo1_.exe
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Logo1_.exe, cmd.exe, net.exe, net1.exe and 7124121e5367139bb98a250b634bf65327fd3f4df354b202e07637ded7f0bd0d.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2820, process Logo1_.exe (10 occurrences)
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2316 (7124121e5367139bb98a250b634bf65327fd3f4df354b202e07637ded7f0bd0d.exe) wrote to memory of PID 2164 (cmd.exe), procid_target 30, 4 times
  PID 2316 (7124121e5367139bb98a250b634bf65327fd3f4df354b202e07637ded7f0bd0d.exe) wrote to memory of PID 2820 (Logo1_.exe), procid_target 32, 4 times
  PID 2820 (Logo1_.exe) wrote to memory of PID 2840 (net.exe), procid_target 33, 4 times
  PID 2840 (net.exe) wrote to memory of PID 2856 (net1.exe), procid_target 35, 4 times
  PID 2820 (Logo1_.exe) wrote to memory of PID 1200 (Explorer.EXE), procid_target 21, 2 times
Processes
- C:\Windows\Explorer.EXE (PID 1200)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\7124121e5367139bb98a250b634bf65327fd3f4df354b202e07637ded7f0bd0d.exe (PID 2316)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7124121e5367139bb98a250b634bf65327fd3f4df354b202e07637ded7f0bd0d.exe"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2164)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a898A.bat
      Signatures: Deletes itself; System Location Discovery: System Language Discovery
    - C:\Windows\Logo1_.exe (PID 2820)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2840)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2856)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads