Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

5f1a6c5b5f...d1.exe

windows7-x64

10

5f1a6c5b5f...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/03/2024, 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f1a6c5b5ff48822f0feb1837db42dca6785f79142d29f37606c093c91c759d1.exe

  • Size

    101KB

  • MD5

    36b60168bec479ecaefae425f53de5e7

  • SHA1

    db9f0eb6c2be6c9304279c9836010c69dd02e726

  • SHA256

    5f1a6c5b5ff48822f0feb1837db42dca6785f79142d29f37606c093c91c759d1

  • SHA512

    678be0cc3473c994e72663338ba00947c99846c01e489324d2f26493557b05778fc6a463fe1445fc58c13d262c8e70573e8d6a0b57dcc805f7ced1f9d951fb08

  • SSDEEP

    3072:UBG6lEihCgkrQIixrse343/zrB3g3k8p4qI4/HQCC:UBkrVixDEPBZs/HNC

Score
10/10
persistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs
    persistence
  • Executes dropped EXE 17 IoCs
  • Drops file in System32 directory 51 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 54 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f1a6c5b5ff48822f0feb1837db42dca6785f79142d29f37606c093c91c759d1.exe
    "C:\Users\Admin\AppData\Local\Temp\5f1a6c5b5ff48822f0feb1837db42dca6785f79142d29f37606c093c91c759d1.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\SysWOW64\Hgapmj32.exe
      C:\Windows\system32\Hgapmj32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\SysWOW64\Hchqbkkm.exe
        C:\Windows\system32\Hchqbkkm.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\SysWOW64\Hnmeodjc.exe
          C:\Windows\system32\Hnmeodjc.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3684
          • C:\Windows\SysWOW64\Hcjmhk32.exe
            C:\Windows\system32\Hcjmhk32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4256
            • C:\Windows\SysWOW64\Kongmo32.exe
              C:\Windows\system32\Kongmo32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2360
              • C:\Windows\SysWOW64\Kehojiej.exe
                C:\Windows\system32\Kehojiej.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1656
                • C:\Windows\SysWOW64\Kopcbo32.exe
                  C:\Windows\system32\Kopcbo32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:3452
                  • C:\Windows\SysWOW64\Kdmlkfjb.exe
                    C:\Windows\system32\Kdmlkfjb.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1000
                    • C:\Windows\SysWOW64\Kdpiqehp.exe
                      C:\Windows\system32\Kdpiqehp.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3984
                      • C:\Windows\SysWOW64\Lahbei32.exe
                        C:\Windows\system32\Lahbei32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1268
                        • C:\Windows\SysWOW64\Lhbkac32.exe
                          C:\Windows\system32\Lhbkac32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1648
                          • C:\Windows\SysWOW64\Lefkkg32.exe
                            C:\Windows\system32\Lefkkg32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:4432
                            • C:\Windows\SysWOW64\Llpchaqg.exe
                              C:\Windows\system32\Llpchaqg.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:4168
                              • C:\Windows\SysWOW64\Lamlphoo.exe
                                C:\Windows\system32\Lamlphoo.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:3500
                                • C:\Windows\SysWOW64\Mdnebc32.exe
                                  C:\Windows\system32\Mdnebc32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:380
                                  • C:\Windows\SysWOW64\Dgdgijhp.exe
                                    C:\Windows\system32\Dgdgijhp.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:3340
                                    • C:\Windows\SysWOW64\Dbkhnk32.exe
                                      C:\Windows\system32\Dbkhnk32.exe
                                      18⤵
                                      • Executes dropped EXE
                                      PID:3672
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 420
                                        19⤵
                                        • Program crash
                                        PID:1684
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3672 -ip 3672
    1⤵
      PID:4004

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Dbkhnk32.exe
      Filesize

      101KB

      MD5

      8cc129b3678b6a1454e6ddb8b0f8eb77

      SHA1

      bb666aa00c79804c85c5636e603b933bdc305d2c

      SHA256

      41b3f7dfd0776206fc2114796069f8bbea0fddb560aca99012bb9e1bd3c91641

      SHA512

      02248e7c22d7a2d5aec1c4285eae9f10fe3e56edb94e38f7e618fa23313a0984da714d7b52baad58e0b470cd5e8602f7bbe12bb6cfbbd355688544c7557ba9c5

      Download Submit

    • C:\Windows\SysWOW64\Dgdgijhp.exe
      Filesize

      101KB

      MD5

      7f49c2ad6212d4d0a6069a64505fba65

      SHA1

      11a1cdbdf2228193789c3689590beda6fb3afbb7

      SHA256

      90c77758aad146daf1f6b5a4ff8521267e4b93cd48a0b13a90a7d06acea4323b

      SHA512

      4a6309ecc32e3d9f0eec021ee1ed70da764b663cbcd0512b0e526ba42cac1c47a64ecd8bd20ac2983fa4dddd8fd714b4c9c016727143ce670491829b331fe654

      Download Submit

    • C:\Windows\SysWOW64\Hchqbkkm.exe
      Filesize

      101KB

      MD5

      735ab2205aa2769326c6c8d584cf1464

      SHA1

      b7f50f404649c0d2a42904401ad16bd8ad1b16ac

      SHA256

      22379d3821bc667a4305312ed466ec39d2d5cc0c56920839feaf00dfae2624b9

      SHA512

      34b88348e74f07ad4a6f80ed4169e49e6a9676d705084fad68657b230597718f1561f95a842fea68bab7e2806700d9f30e6d9b731b94a6738500667eb15c0197

      Download Submit

    • C:\Windows\SysWOW64\Hcjmhk32.exe
      Filesize

      101KB

      MD5

      f431406efda4c68b403ad15c0d1253a2

      SHA1

      b1a34e17880f3e122f8e7ec7b805062e8a7bde0d

      SHA256

      7ff79c534a21ee23c7086aa350573253d3a39b764c632936906639720cb0c1a5

      SHA512

      686e26eb261a3762f3cd0164f71227906bb6e54cc78da2e5c6c80fa4f787248aa4b6257ed9d4116c78bba9e32fd1b45b9b678cefb4b95ad445d0519ebeb0b7d4

      Download Submit

    • C:\Windows\SysWOW64\Hgapmj32.exe
      Filesize

      101KB

      MD5

      609291fdfb18416c6e436e10e556cefc

      SHA1

      167dbb1004f7237bd42841f2e3f6d04dea91e09d

      SHA256

      85648ae46a044661c2b12a47ccced02434f976e40fea3c590198c557f594fea3

      SHA512

      21842998a1b7025827d5bdb8274c2436e9fad70db65421210db72ea22c09f072550bd5bf3aca2d3b7b2ab986d7e737b9736cf00079619413038b0667bd97b703

      Download Submit

    • C:\Windows\SysWOW64\Hnmeodjc.exe
      Filesize

      101KB

      MD5

      e8e673218609bd3e1effa80edb59c694

      SHA1

      a67ef93bd04d6e4cdcd4cd3f60477784c99d0432

      SHA256

      a60503b9254b4aaf5f8f532f2fa5cf05af656dfb976bbb81fb09f01e75d2c541

      SHA512

      bb7f72441345f731a20aa0ca488783022b5f354a8f9712c3054b1d10e157f45cad52fd8b961f259f666b458351be9fee71c57520ccac2a6afe5c0b238108b1e8

      Download Submit

    • C:\Windows\SysWOW64\Kdmlkfjb.exe
      Filesize

      101KB

      MD5

      aaa6d7eef946e01542090276021033d7

      SHA1

      d38e1268a3c511d9caae0e33d361d0276fd6d850

      SHA256

      678ee53aaf0cdb05ef71a877db85fd539e26628b52c75228365d0de3e29bf9ec

      SHA512

      e7b0d650c8b66becdf0cd2399226c31e6445c1b8b4e4aa5d5bb3b5aad0f388890136bf55fdfcce4b8e48b75a318aa5e3ddde067bd34d05e670e357cd603b7d94

      Download Submit

    • C:\Windows\SysWOW64\Kdpiqehp.exe
      Filesize

      101KB

      MD5

      f0fa639f1b98c0a56d5f48be222aa3fc

      SHA1

      5f088c7a482c16d4a9b9c6c77768753e580ee115

      SHA256

      d11d10a73909778cc4edf3de91b24cea91b7b862b34046585af4e842b5dcd41e

      SHA512

      b8eef75b3d487bfb0a274ce005ce24d05760458ff19eb5ea7a955480615b3303a4710727dabdae21ecbcf438db8d74e6fa605a2fbbfc18ec4811f8f3dc4287b2

      Download Submit

    • C:\Windows\SysWOW64\Kehojiej.exe
      Filesize

      101KB

      MD5

      a399201db350cb6533d74fd2e373803d

      SHA1

      a37482fc40d5ec28b6b2e878bddf07add104a288

      SHA256

      4a16fd9ff02aae5f88cd1f7511f19b79f370d9542d5025baa8485526686e1895

      SHA512

      011b6d9de859d31ccbd16a5802feb649853c37e2679f222e7b2bbbcb8511bd0fdd92bbd7128cc6c0249eaf38369663b9b23056465ddf6a60d5a53f27da0b2635

      Download Submit

    • C:\Windows\SysWOW64\Kongmo32.exe
      Filesize

      101KB

      MD5

      b2772f5833a9fe0c337a0897c3d68606

      SHA1

      c0aa4e4b4dc766efdf438213f85e1d9eebdda1a2

      SHA256

      7d55b2a3c69e0dfd1fd8de492f44075357f47473cef7eeccbf3d3dbd3ea85f71

      SHA512

      5b54d9e605f4c25558d583e154e29a1d0124c7102c90dc7d5e3bc9e209661c9055bbdf8d8e8cb97136b2c3155ae32f91992cf8f9fbe4cf488fbbe0f8be331278

      Download Submit

    • C:\Windows\SysWOW64\Kopcbo32.exe
      Filesize

      101KB

      MD5

      82590bff0bb67f4bda2a9f8b18c640dd

      SHA1

      4def99d9756bbdacd9fcf557d7fba2320c341d89

      SHA256

      960babaf1b9614390934a6524e9b98482172603fe0fb9582f7111812457057d0

      SHA512

      53e2de4c32180fdfcea4c60866987e63c7d2d1edbefc1e39337aacb8e9bad74bba7a979ab5254187b8b9dd8feac0047baf6b6db54580d0b86c996a65cd18cf3e

      Download Submit

    • C:\Windows\SysWOW64\Lahbei32.exe
      Filesize

      101KB

      MD5

      0c13a581771e783447df8f9576093750

      SHA1

      d32e57b8c2233ab0b41ba71d6ec9822c6e9c1dc7

      SHA256

      8efc91f24b4e2c693ee861b4feaba9677fc8251824a3dc220c199050dcbdd44a

      SHA512

      52c0e7901c5a7a4309e2468c4232d82c667ac935ecd0cec16c18e885af73380158a9bfac0f508808165dfd664e08cd63e1a896a4da8bdd61a511d9d973ea9662

      Download Submit

    • C:\Windows\SysWOW64\Lamlphoo.exe
      Filesize

      101KB

      MD5

      da4d033eda3b217cdaba990594ad730b

      SHA1

      1c7f4f832f4a471fcf66504be6b5f0a58c2abde4

      SHA256

      c8a6c7bdbf1650533d3de1451c126b375ae94a3994212e86ff3c89f07d59cbdc

      SHA512

      b716f1782ffe38eef8b9c7cc330cc50e746d5df2971aad15778a4d3d0fdff19724f5b4e86b2e7dc75507eeb5a74fd3eb456858474e241ca3810bda2c79fb7c32

      Download Submit

    • C:\Windows\SysWOW64\Lefkkg32.exe
      Filesize

      101KB

      MD5

      42ec97afbf171684e6838755cbaccd50

      SHA1

      f9ede752a7488b8176ac5e5beafe90e92f2cfa0c

      SHA256

      8a15239caf776118dc2027312a591ad9264c55798ac3fd77bc9e11bde5ca0625

      SHA512

      5c0c0124e3b679aeb43cf20b315711b7e288576b64d0f26f316f554ce5d0c698f5e070fc97b8cb8c48f520cb462bc79d00ba555ab988533a87e4f26028620218

      Download Submit

    • C:\Windows\SysWOW64\Lhbkac32.exe
      Filesize

      101KB

      MD5

      b52e504e66f5a4453cbccab3d4b19681

      SHA1

      74e4298a72d0232e1a4481c0d97c365e90daaabb

      SHA256

      17ebba7e74065e56e79fb0474589cbdf0c0a605d42729419e5ce12aec08df611

      SHA512

      c528538c78f99ac63116c1ec7fbb9293d17c99ae5dc5da562833b8e019d3eb03c0707fc3b0eae10858af78e54be0d5e7e48093f8b6c0938cc774463adcf0cf84

      Download Submit

    • C:\Windows\SysWOW64\Llpchaqg.exe
      Filesize

      101KB

      MD5

      24a5cc3d966cc23750a90305eef35f12

      SHA1

      086f5b2e7f5d858dc3964f9a8a2276607ee9b080

      SHA256

      8b3a681af28fd9ea1d83bdd6d9c27a732f3cfd9a580d37fdd07fc2433932cf4b

      SHA512

      0052146e373f1f1d8999960d986c5b00245d1843f0f9371ac960bff90bd6e0e79d3c48d71656942ee891e388bb612f43c15994d1eb526a2733fe1fa215c2fdcf

      Download Submit

    • C:\Windows\SysWOW64\Mdnebc32.exe
      Filesize

      101KB

      MD5

      4590222d2a95182028acb8fa016be2b7

      SHA1

      7f31e5613261dd149ade5e5b04afca64e959d99e

      SHA256

      97353403b93fae922da0bacb11c7f90b65b2e20bfdecd51f5ab41d23805caac4

      SHA512

      dcc3855114324cbab9ea7ae189e33c0581a8b2e3f25eab720a35bb3ea46a0afb29833919128140df6c30066e1f5458e446f1381be8a6a4548474584661faa2b8

      Download Submit

    • C:\Windows\SysWOW64\Mhfdfbqe.dll
      Filesize

      7KB

      MD5

      81dca36a164a6307b800cdcb3b4d8309

      SHA1

      cdd3664b97f9952cd9f4f53059f46c3bacdbc0d5

      SHA256

      530f38ca8f79c4e75ba729f9ed6b6e0622811f884ce464d32a2b9cf8ebc05084

      SHA512

      e1da4cc6b31beab882a5af698375d1577a912c8ade42055be6cfec229735b6dbd13327e61e9347a63537e5b4039a03ff54dcdaf0f8d0f50928507d3d10ca1db8

      Download Submit

    • memory/380-150-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/380-120-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/836-138-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/836-0-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1000-64-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1000-144-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1268-80-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1268-146-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1576-12-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1648-147-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1648-87-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1656-52-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1656-142-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2360-44-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2524-139-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2524-15-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3340-151-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3340-127-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3452-143-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3452-56-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3500-149-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3500-111-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3672-152-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3672-136-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3684-140-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3684-24-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3984-145-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/3984-71-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4168-108-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4168-137-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4256-141-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4256-36-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4432-96-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4432-148-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download