Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

hkjgffghjm...mn.exe

windows7-x64

7

Analysis

  • max time kernel
    300s
  • max time network
    300s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    23/02/2024, 16:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hkjgffghjmndfghjkmn.exe

  • Size

    214KB

  • MD5

    ff597c410849c7990349bc95fc699a6a

  • SHA1

    ae95a9414774ffbda7ca417df206c80b66bf93fa

  • SHA256

    1a3113c913b5e7c840c17d3c63a66fa32ea62aae5e4da54aac3488b520e3ed15

  • SHA512

    b9b09ec63f15bb0464cc02c280fa016cecd5eb90c84ab67c71b2c9db10539e3c6ea3bf575ecba62336d29c41985bd92d82d572bb1b9d80bce8e8e1c2efceb7c8

  • SSDEEP

    6144:U/z9zavM92B+64kQ2EJam2dNREz9FdOZMJwGuE4QyZom8exsrPR5TE7D0XuDTTo6:U/8s2B+64kQHam2dNREz9FdOZMJwGuEu

Score
7/10
persistence

Malware Config

Signatures

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hkjgffghjmndfghjkmn.exe
    "C:\Users\Admin\AppData\Local\Temp\hkjgffghjmndfghjkmn.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1268-0-0x00000000747B0000-0x0000000074D5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1268-1-0x00000000747B0000-0x0000000074D5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1268-2-0x0000000001FF0000-0x0000000002030000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1268-17-0x0000000001FF0000-0x0000000002030000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1268-18-0x00000000747B0000-0x0000000074D5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1268-19-0x00000000747B0000-0x0000000074D5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1268-20-0x0000000001FF0000-0x0000000002030000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1268-21-0x0000000001FF0000-0x0000000002030000-memory.dmp

    Filesize

    256KB

    Download