Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2024, 19:12
Static task
- static1
Behavioral tasks
- behavioral1: Sample RFQ-High Star.exe, Resource win7-20231129-en
- behavioral2: Sample RFQ-High Star.exe, Resource win10v2004-20231215-en
- behavioral3: Sample hzejkkd.exe, Resource win7-20231215-en
- behavioral4: Sample hzejkkd.exe, Resource win10v2004-20231222-en
General
- Target: RFQ-High Star.exe
- Size: 432KB
- MD5: 8f7596194540848a34760575eb00b636
- SHA1: bbb8ad4edae483048d9785e29b829fbfadcbd371
- SHA256: c3c08b94e956165562366c14e6ace4a5fe4c66edb0e47628ad94883e02f719ce
- SHA512: f280f059b1126b6107ffdaa59b84c72bf643ed6b2de2ffd448409cb91c744eb41838cd38c5062270a9fb2cb74d3f82320d532a709243001ea6dec0f07980e6df
- SSDEEP: 6144:P8LxBfsjPzbYSQN5DGHGCPLJqzXhCni57u6IUGiTNJy59IDhN4Uy3Veyky43lWoW:esjbDQOHtkLhSy/aEV6UyoykL19in
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  3772 | hzejkkd.exe
  4192 | hzejkkd.exe
- Modifies file permissions (1 TTPs, 1 IoCs)
  pid | Process
  2528 | takeown.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 3772 set thread context of 4192 | 3772 | hzejkkd.exe | 90
  PID 4192 set thread context of 3464 | 4192 | hzejkkd.exe | 49
  PID 4192 set thread context of 2528 | 4192 | hzejkkd.exe | 99
  PID 2528 set thread context of 3464 | 2528 | takeown.exe | 49
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings (1 IoCs)
  description | ioc | Process
  Key created | \Registry\User\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | takeown.exe
- Suspicious behavior: EnumeratesProcesses (56 IoCs)
  pid | Process
  4192 | hzejkkd.exe (16 entries)
  2528 | takeown.exe (40 entries)
- Suspicious behavior: MapViewOfSection (8 IoCs)
  pid | Process
  3772 | hzejkkd.exe
  4192 | hzejkkd.exe
  3464 | Explorer.EXE (2 entries)
  2528 | takeown.exe (4 entries)
- Suspicious use of UnmapMainImage (1 IoCs)
  pid | Process
  3464 | Explorer.EXE
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 4756 wrote to memory of 3772 | 4756 | RFQ-High Star.exe | 88 (3 entries)
  PID 3772 wrote to memory of 4192 | 3772 | hzejkkd.exe | 90 (4 entries)
  PID 3464 wrote to memory of 2528 | 3464 | Explorer.EXE | 99 (3 entries)
  PID 2528 wrote to memory of 1032 | 2528 | takeown.exe | 100 (3 entries)
Processes
- [depth 1] C:\Windows\Explorer.EXE (PID 3464)
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious behavior: MapViewOfSection; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\RFQ-High Star.exe (PID 4756)
    command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-High Star.exe"
    signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe (PID 3772)
      command line: "C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe (PID 4192)
        command line: "C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe"
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
  - [depth 2] C:\Windows\SysWOW64\takeown.exe (PID 2528)
    command line: "C:\Windows\SysWOW64\takeown.exe"
    signatures: Modifies file permissions; Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1032)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 261KB
  MD5: 6433e88c2c73b93e935c74e650fee81d
  SHA1: 4293beea2045cf34746a003ebe779f2302a177f5
  SHA256: f16e83d67d23cae50e5c0b8881ff8206e4e73b026229396615d0b8bd2caec7b0
  SHA512: f3f1d02345034397ee5e7866ec9d3638f054e4395fe82cbf79bf10e0062ae70bce4d50ffeff018392f85b4799e3bd715780b670606a1decfbe34899805563db7
- Filesize: 270KB
  MD5: f78710ac81ff52b67ca6470a196b5bee
  SHA1: a0a97137ea9c264f93bef3521b4ef3913ad0c2c0
  SHA256: 82c34e24229c16808fc8baa06413187efa5ca0ab93a9efe807409c1c661cf449
  SHA512: f1d6331a0f23c228ca248bed2763700b9879b31f309fdaa21e57dd7ea67199333dbde7b74e121c09b119a11d4e10db8a6b32b909274c5886484d2fa3bdc628c6