Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/04/2024, 23:22

General

  • Target

    907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe

  • Size

    320KB

  • MD5

    86f2c4d723e39f6252ad86678f630068

  • SHA1

    61435ae885c8fd657e709baeed475acfa9f7f2fe

  • SHA256

    907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196

  • SHA512

    27e79f370742bc3fdd82abcddfdd2c7b9afe291507a288b00289520d62b3a391da280eed44fc1495ba82f3daaa918cce2921ff3c63d15006d306e5cf70e43c1d

  • SSDEEP

    6144:T2kcxNQjwXrCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSqHB8oF8KdBT:TL0FHRFbe5qfF8KfT

Score
10/10

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 22 IoCs)
  • Executes dropped EXE (11 IoCs)
  • Loads dropped DLL (26 IoCs)
  • Drops file in System32 directory (33 IoCs)
  • Program crash (1 IoC)
  • Modifies registry class (36 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe
    "C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\Pjldghjm.exe
      C:\Windows\system32\Pjldghjm.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\Pokieo32.exe
        C:\Windows\system32\Pokieo32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\SysWOW64\Pmccjbaf.exe
          C:\Windows\system32\Pmccjbaf.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\SysWOW64\Qbbhgi32.exe
            C:\Windows\system32\Qbbhgi32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Windows\SysWOW64\Anlfbi32.exe
              C:\Windows\system32\Anlfbi32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2400
              • C:\Windows\SysWOW64\Afkdakjb.exe
                C:\Windows\system32\Afkdakjb.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2660
                • C:\Windows\SysWOW64\Acpdko32.exe
                  C:\Windows\system32\Acpdko32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2004
                  • C:\Windows\SysWOW64\Bajomhbl.exe
                    C:\Windows\system32\Bajomhbl.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1100
                    • C:\Windows\SysWOW64\Bejdiffp.exe
                      C:\Windows\system32\Bejdiffp.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2716
                      • C:\Windows\SysWOW64\Cpfaocal.exe
                        C:\Windows\system32\Cpfaocal.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:996
                        • C:\Windows\SysWOW64\Ceegmj32.exe
                          C:\Windows\system32\Ceegmj32.exe
                          12⤵
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:2000
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 140
                            13⤵
                            • Loads dropped DLL
                            • Program crash
                            PID:2136
