Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18/10/2024, 03:11
Static task
static1
Behavioral task
behavioral1
Sample
33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe
Resource
win10v2004-20241007-en
General
-
Target
33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe
-
Size
662KB
-
MD5
e81af1ea02dd7237e3333d81d2792e7c
-
SHA1
25b73b28075cc8ea10af6225e0427c076b00857b
-
SHA256
33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce
-
SHA512
fdc88168dbb653dd53d834e2540e8d0f371dd67bfa6b581a190aabc2c607fffb0534c4a1bde2ddd16e2c934a14210a4d3b7f39d0c60da32ffb3ac548f7fad507
-
SSDEEP
6144:auJpC9LRU0ySj14WH+JPb7uL8zRMnJjNhAp7SO8zRMnJjNhAp7S8FRcdEKFVAh7f:wPFlTz
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3956 Logo1_.exe 4012 33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Media Player\uk-UA\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\include\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\MovedPackages\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sk-sk\_desktop.ini Logo1_.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pl-pl\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\vDll.dll Logo1_.exe File created C:\Windows\rundl132.exe 33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe File created C:\Windows\Logo1_.exe 33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe 3956 Logo1_.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3612 wrote to memory of 220 3612 33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe 84 PID 3612 wrote to memory of 220 3612 33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe 84 PID 3612 wrote to memory of 220 3612 33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe 84 PID 3612 wrote to memory of 3956 3612 33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe 85 PID 3612 wrote to memory of 3956 3612 33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe 85 PID 3612 wrote to memory of 3956 3612 33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe 85 PID 3956 wrote to memory of 3188 3956 Logo1_.exe 87 PID 3956 wrote to memory of 3188 3956 Logo1_.exe 87 PID 3956 wrote to memory of 3188 3956 Logo1_.exe 87 PID 3188 wrote to memory of 868 3188 net.exe 89 PID 3188 wrote to memory of 868 3188 net.exe 89 PID 3188 wrote to memory of 868 3188 net.exe 89 PID 220 wrote to memory of 4012 220 cmd.exe 90 PID 220 wrote to memory of 4012 220 cmd.exe 90 PID 3956 wrote to memory of 3444 3956 Logo1_.exe 56 PID 3956 wrote to memory of 3444 3956 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe"C:\Users\Admin\AppData\Local\Temp\33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A21.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Users\Admin\AppData\Local\Temp\33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe"C:\Users\Admin\AppData\Local\Temp\33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe"4⤵
- Executes dropped EXE
PID:4012
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:868
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
573KB
MD56762b5bccda08243fcf1f527e58e39b5
SHA189caebb8f137b7600ac8f6698edc235322ebcf11
SHA256ae3c4440c65afb8dd47cd5e530c4a8e14b30b151bc915f16d107d3a1a92ad95f
SHA51245121ac3e23f7b4c8271c4faefa8efd973a395b41d80c36d659fc14a07c2005a4510bbc8ca48c9fb4b57f95642a5fe1d9ff712208c675d860dfe2e80f46d20c4
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize639KB
MD5551ae9e9cc67cf901529ee2c39004dc9
SHA185bd72021e0e2bb814841df681bb4087a7cb0912
SHA25647463035ba0f56730a31dde07759fe59fc3dcc23acaa0f7689e40cd6db4f824c
SHA512fa580913e4ad72e919ad24e5170a00acbb533b79eb767ace52c645ba51ddcf9636c18392b629a8f50f6f581519e38d8fb2dcd671d652c52faa5e29001dd3192a
-
Filesize
722B
MD5f6bf10a54d8bffcf3de053ef7b0d03cb
SHA13a8913cb069edc010cb0f96f601682cfec94bf3b
SHA2562e23f080b3617495f27eeaa151da5ee0a411c97f3c973d539c274cc390fffbbc
SHA512aaa7f4bea09dc4465d032e680dd5c071f851368ebf68a88bb0692545e67f158e7b03c17d77c86aecda491429e615fea7cb98278ff4f4c8d444c9308be5f1e717
-
C:\Users\Admin\AppData\Local\Temp\33035443578043d6be674eca241bb9aa40ec36b6a7630814c0dca964d96c87ce.exe.exe
Filesize633KB
MD52e0d056ad62b6ef87a091003714fd512
SHA173150bddb5671c36413d9fbc94a668f132a2edc5
SHA256cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c
SHA512b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580
-
Filesize
29KB
MD5ce0db577195cd286df2ff795702e20ac
SHA1c9c883d3494432d600677933117a57e0a89847cb
SHA256ec14dab77f554ce95a1ce757da871e25754988b0fa62820bc662e1bef51b134e
SHA5122b2b184720868f98e2fef2524a03ae2258854320ed532acddd90900da1ac4deee1f542f607d05ebaedcd8dbc14bbb8d0f359af12a76d57ced7cde53d9784a67a
-
Filesize
10B
MD52c51e5c30f050245287a14eb60e30d30
SHA1b59cbcb7f2c8f7f05c0fa80fd351595af1996f0e
SHA2569310f08a28e46a620f4a99b4e12bf599760f5229b2ef0eb6c8e0be72b4197b88
SHA512fb572888fe5c33c9d5f2ee5d138172a57b57e8b3e8b8eca76dea964e99f72692fe4fea9da946d4e5a4871f3c004571a9ea11ef77e3ef100d45f4a806ce2eb5c5