Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 15/10/2024, 07:29
Static task: static1

Behavioral task: behavioral1
  Sample: 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
  Resource: win10v2004-20241007-en
General
Target: 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
Size: 959KB
MD5: 608071c3294ce3da4277e1cbe9d94fc4
SHA1: b4e35bf3a1570cdf4d79218f30cd90cbf669c322
SHA256: 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85
SHA512: 8bc3d3375e484c168c2ded176b98ee035a2539c738cc3cdea5e66cf3c9e03bb3572af1193cb44d077737bb243198a2ee3411dee7e0fc9dceca4f113e9fdebb38
SSDEEP: 12288:3ORKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:3nBpDRmi78gkPXlyo0G/jr
Malware Config
Signatures
Deletes itself (1 IoC)
pid | Process
2680 | cmd.exe
Executes dropped EXE (2 IoCs)
pid | Process
2096 | Logo1_.exe
2912 | 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
Loads dropped DLL (2 IoCs)
pid | Process
2680 | cmd.exe
2680 | cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Logo1_.exe | 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
2096 | Logo1_.exe (10 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2912 | 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 2912 | 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
Token: 35 | 2912 | 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe
Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 2252 wrote to memory of 2680 | 2252 | 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe | 28 (4 identical entries)
PID 2252 wrote to memory of 2096 | 2252 | 96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe | 29 (4 identical entries)
PID 2096 wrote to memory of 2728 | 2096 | Logo1_.exe | 31 (4 identical entries)
PID 2728 wrote to memory of 2876 | 2728 | net.exe | 33 (4 identical entries)
PID 2680 wrote to memory of 2912 | 2680 | cmd.exe | 34 (4 identical entries)
PID 2096 wrote to memory of 1220 | 2096 | Logo1_.exe | 21 (2 identical entries)
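The "Drops file in Program Files directory" and "Drops file in Windows directory" signatures above give host-side artefacts worth sweeping for: a `_desktop.ini` marker (leading underscore, distinct from the `desktop.ini` Windows itself writes) in each directory the sample visited, executables in those same directories opened for modification, and `Logo1_.exe`, `rundl132.exe` and `vDll.dll` in `C:\Windows`. The following hunt script is an added example and not tria.ge output or the sample's own code: it walks a tree, collects the markers and dropped names, and flags executables whose modification time falls within a window of the marker in the same directory. The ten-minute window, the executable suffix list and the demo directory layout are assumptions; the demo tree is constructed in a temp directory and contains no real malware.

```python
"""Filesystem hunt for the artefacts listed in this report (added example, not tria.ge output)."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

MARKER_NAME = "_desktop.ini"                       # leading underscore: not Windows' own desktop.ini
DROPPED_NAMES = {"logo1_.exe", "rundl132.exe", "vdll.dll"}   # names from "Drops file in Windows directory"
EXEC_SUFFIXES = {".exe", ".scr", ".com"}           # assumption: extend for your estate
WINDOW_SECONDS = 600                               # assumption: exe touched within 10 min of the marker


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, window: float = WINDOW_SECONDS) -> dict:
    """Walk `root` and return three lists:
    markers    - every _desktop.ini found (the per-directory marker the report shows)
    dropped    - Logo1_.exe / rundl132.exe / vDll.dll anywhere under root, with SHA-256
    candidates - executables in a marked directory whose mtime is within `window`
                 of the marker's, i.e. the files most likely rewritten alongside it
    """
    findings = {"markers": [], "dropped": [], "candidates": []}
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}          # NTFS is case-insensitive
        for low, name in by_lower.items():
            if low in DROPPED_NAMES:
                p = Path(dirpath, name)
                findings["dropped"].append((str(p), sha256_file(p)))
        if MARKER_NAME not in by_lower:
            continue
        marker = Path(dirpath, by_lower[MARKER_NAME])
        findings["markers"].append(str(marker))
        marker_mtime = marker.stat().st_mtime
        for low, name in by_lower.items():
            p = Path(dirpath, name)
            if p.suffix.lower() in EXEC_SUFFIXES and abs(p.stat().st_mtime - marker_mtime) <= window:
                findings["candidates"].append(str(p))
    return findings


def build_demo_tree(base: Path, now: float) -> None:
    """Constructed layout mimicking the report's paths; contents are placeholder bytes, not real files."""
    def put(rel, data, mtime):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))
    put("Windows/Logo1_.exe", b"MZ-placeholder-a", now)
    put("Windows/rundl132.exe", b"MZ-placeholder-b", now)
    put("Windows/vDll.dll", b"MZ-placeholder-c", now)
    put("Program Files (x86)/_desktop.ini", b"", now)
    put("Program Files/7-Zip/_desktop.ini", b"", now)
    put("Program Files/7-Zip/7zG.exe", b"MZ-rewritten", now - 30)             # touched with the marker
    put("Program Files/7-Zip/7z.exe", b"MZ-untouched", now - 30 * 86400)      # old mtime, not a candidate
    put("Program Files/Clean App/desktop.ini", b"[.ShellClassInfo]", now)     # legitimate name, no underscore
    put("Program Files/Clean App/app.exe", b"MZ-clean", now)


def run_demo() -> dict:
    """Build the constructed tree in a fresh temp directory and hunt it."""
    base = Path(tempfile.mkdtemp(prefix="hunt-demo-"))
    build_demo_tree(base, time.time())
    return hunt(base)


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run `hunt(r"C:\")` on a suspect host (or a mounted image) to get the real lists; the candidate executables are the ones to hash and compare against a known-good install before anything else is trusted on that machine.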
Processes

C:\Windows\Explorer.EXE (PID 1220)
  cmdline: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe (PID 2252)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2680)
      cmdline: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6ED9.bat
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe (PID 2912)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe"
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Logo1_.exe (PID 2096)
      cmdline: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 2728)
        cmdline: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2876)
          cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
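The process chain above is what a process-creation telemetry rule set (Sysmon Event ID 1, Security 4688, or an EDR equivalent) would have to catch: a Temp-resident executable launching `cmd /c <Temp>\*.bat`, that batch relaunching a binary at the grandparent's own path, a dropped executable running from the root of `C:\Windows`, and `net`/`net1 stop` aimed at an antivirus service. The block below is an added example and not tria.ge output or the sample's own code: it encodes those four behaviours as rules and runs them over constructed events that mirror the PIDs and command lines in the tree, plus two benign events that must stay silent. The AV keyword list and the `C:\Windows` root allow-list are assumptions to tune against your own baseline.

```python
"""Detection rules for the process chain in this report (added example, not tria.ge output)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as Sysmon Event ID 1 / Security 4688 log it
    cmdline: str


# Words that mark a "net stop" target as a security product. Assumption: the report only
# shows "Kingsoft AntiVirus Service"; add the service names your own AV/EDR registers.
AV_KEYWORDS = ("antivirus", "anti-virus", "kingsoft", "defender", "mcafee",
               "symantec", "kaspersky", "eset", "sophos")

# Executables that legitimately sit directly in C:\Windows\ (assumption: partial, baseline per image).
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                          "hh.exe", "splwow64.exe", "winhlp32.exe", "helppane.exe", "bfsvc.exe"}

TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
WIN_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)          # C:\Windows\<file>, no deeper
BATCH_RE = re.compile(r"/c\s+\"?([^\"]+?\.bat)\"?(?:\s|$)", re.I)
NET_STOP_RE = re.compile(r"\bstop\s+\"?([^\"]+?)\"?\s*$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, detail) tuples; each rule is one behaviour from the report."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)

        # Runs net.exe: net/net1 stopping a security service.
        if name in ("net.exe", "net1.exe"):
            m = NET_STOP_RE.search(e.cmdline)
            if m and any(k in m.group(1).lower() for k in AV_KEYWORDS):
                alerts.append((e.pid, "av_service_stop", m.group(1)))

        # Deletes itself: a Temp-resident parent launches cmd /c on a batch file in Temp.
        if name == "cmd.exe" and parent and TEMP_RE.search(parent.image):
            m = BATCH_RE.search(e.cmdline)
            if m and TEMP_RE.search(m.group(1)):
                alerts.append((e.pid, "temp_batch_from_temp_parent", m.group(1)))

        # Executes dropped EXE: cmd.exe relaunches a binary at its own parent's image path.
        if parent and basename(parent.image) == "cmd.exe":
            grand = by_pid.get(parent.ppid)
            if grand and TEMP_RE.search(e.image) and e.image.lower() == grand.image.lower():
                alerts.append((e.pid, "relaunch_via_cmd", e.image))

        # Drops file in Windows directory: something not on the allow-list runs from C:\Windows\ root.
        if WIN_ROOT_RE.match(e.image) and name not in WINDOWS_ROOT_ALLOWLIST:
            alerts.append((e.pid, "exec_from_windows_root", e.image))
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe"

# Constructed events mirroring the PIDs and command lines in the process tree above,
# plus two benign events (PIDs 3000, 3001) that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(1220, 1000, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2252, 1220, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2680, 2252, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a6ED9.bat"),
    ProcEvent(2912, 2680, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2096, 2252, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2728, 2096, r"C:\Windows\SysWOW64\net.exe", r'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(2876, 2728, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    ProcEvent(3000, 1220, r"C:\Windows\System32\cmd.exe", r"cmd /c dir C:\Users\Admin\Documents"),
    ProcEvent(3001, 1220, r"C:\Windows\System32\net.exe", r"net use Z: \\fileserver\share"),
]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<28} {detail}")
```

Against the constructed events this yields five alerts (PIDs 2680, 2912, 2096, 2728 and 2876) and nothing for Explorer, the initial sample launch or the two benign commands; the parent/grandparent checks are what keep the batch and relaunch rules quiet on ordinary `cmd /c` usage.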
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 254KB
MD5: 888fe90f1785f31e7709f9fd7eb99c44
SHA1: fa207006c195f3e493a1106bdf4ffb7d90189d62
SHA256: 8a920e0b7196342c7144048da25f4d9655ec6952f546f4bc69f492fa1a5d9397
SHA512: 143ce2670a8293aea1bb421ea3f187bdfc41a1972dd8a06d17d08ca96fa066d8418c31ccafa79afd9b489c1508cd3c86ef0f27cb9614b6be552a67f158281af6

Filesize: 474KB
MD5: db8f69c773c40773218d175dd5e0fd0b
SHA1: 41ec4f0e7c66b6d0699f8e2e4125e4d41333f44d
SHA256: 844d74aff6a0fe5c32ad867e6c4da437d924c576794438dc099b5d4435239a7d
SHA512: 212ac966254943cbea620c0c63b8e0a2e33d466d586bc194b6deac8fb38fa2e24b1fc8905d98fd58a454d37471a754a24a662b5e26c6d67a1e27b038d6c124db

Filesize: 722B
MD5: 61590aeee2cdbe118ba17ea56a44a244
SHA1: 3e987ce050485b303bf52c318e404c861dac7077
SHA256: 8bb009b3fdacff00463212aa136e4e6ce35683886f244ad330e0481b6b3e145a
SHA512: f01bdc5ee057c6cdf9fc5e89ad36b6bc78b655edcc6af0c0f5b9a129c072d1c48a40919b5a45b2cd7bb2d58b6b8f3aa99eff3ba78c8a54b50fd597a980553c28

C:\Users\Admin\AppData\Local\Temp\96ede9e65af50e0473209a2b77ebe5ac5b474b333fa27329f77737686ee26d85.exe.exe
Filesize: 930KB
MD5: 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1: 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256: 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512: 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Filesize: 29KB
MD5: f1a5c230c008ac88544a42f70081f862
SHA1: af50bd6dcdf02c312e569fc861a02befd5f1d501
SHA256: 4fb055be2b07ebeff596af014fc33d044e97e60da0964c22150d84494d09a332
SHA512: f7ebb84dbba01c02b1f25f7ac77988d128c93545f9f600f92463f7a2f9e293d4e15cf8bb6ebd0200921e244978f4c9ea86e2924dfef710e33219e2c35d1e0518

Filesize: 10B
MD5: 52a225cec34530c05c340f9ae894aa31
SHA1: d6553bc25b5bc40447184e9dd520dd7c88f5c2aa
SHA256: bddf98f152ff77575c277b91c8f7aa5f69973cd3bfe7aa55ebe61b7d3df17fab
SHA512: 726f8a96e3dab9ec548bda81a01dc3e0d93afa2363c76c4bf639de4b0471f8a43a8e32e90b230b95639e82b7daa8da3e8d9c848755e2b58398aa48e46e5ba5b5