Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
22/01/2024, 19:12
Static task
static1
Behavioral task
behavioral1
Sample
RFQ-High Star.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
RFQ-High Star.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
hzejkkd.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
hzejkkd.exe
Resource
win10v2004-20231222-en
General
-
Target
hzejkkd.exe
-
Size
261KB
-
MD5
6433e88c2c73b93e935c74e650fee81d
-
SHA1
4293beea2045cf34746a003ebe779f2302a177f5
-
SHA256
f16e83d67d23cae50e5c0b8881ff8206e4e73b026229396615d0b8bd2caec7b0
-
SHA512
f3f1d02345034397ee5e7866ec9d3638f054e4395fe82cbf79bf10e0062ae70bce4d50ffeff018392f85b4799e3bd715780b670606a1decfbe34899805563db7
-
SSDEEP
6144:C4KYr8wAStrwb6E/HtFdbr0vv5R2AJXN5WeSmkMud50:C4Ltrwb6E/HtFdbr0vv5RByeaMud5
Malware Config
Signatures
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2728 takeown.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2124 set thread context of 2128 2124 hzejkkd.exe 29 PID 2128 set thread context of 1224 2128 hzejkkd.exe 11 PID 2128 set thread context of 2728 2128 hzejkkd.exe 32 PID 2728 set thread context of 1224 2728 takeown.exe 11 -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 2128 hzejkkd.exe 2128 hzejkkd.exe 2128 hzejkkd.exe 2128 hzejkkd.exe 2128 hzejkkd.exe 2128 hzejkkd.exe 2128 hzejkkd.exe 2128 hzejkkd.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe 2728 takeown.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 2124 hzejkkd.exe 2128 hzejkkd.exe 1224 Explorer.EXE 1224 Explorer.EXE 2728 takeown.exe 2728 takeown.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2128 2124 hzejkkd.exe 29 PID 2124 wrote to memory of 2128 2124 hzejkkd.exe 29 PID 2124 wrote to memory of 2128 2124 hzejkkd.exe 29 PID 2124 wrote to memory of 2128 2124 hzejkkd.exe 29 PID 2124 wrote to memory of 2128 2124 hzejkkd.exe 29 PID 1224 wrote to memory of 2728 1224 Explorer.EXE 32 PID 1224 wrote to memory of 2728 1224 Explorer.EXE 32 PID 1224 wrote to memory of 2728 1224 Explorer.EXE 32 PID 1224 wrote to memory of 2728 1224 Explorer.EXE 32
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe"C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe"C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2128
-
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe"2⤵
- Modifies file permissions
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2728
-