Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    143s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/04/2024, 18:21

General

  • Target
    07e73c9019847b3145bf4083859efc803b19a5bf10ac1664be1d5c1c3c476fb2.exe
  • Size
    1.3MB
  • MD5
    031af142e68d77b3a55e14858fab7ba7
  • SHA1
    8ad2383568b019ea6c719bf4da30a85b0ea467f9
  • SHA256
    07e73c9019847b3145bf4083859efc803b19a5bf10ac1664be1d5c1c3c476fb2
  • SHA512
    9cf444e350705722d5e4242908fcbb253dc22de5df3dd79617f321855f932ca29cf23b51b6cf038ffa3c09f641bfdf2e6fab919ca482383d1de98903b66f7fe3
  • SSDEEP
    12288:SuaxwOGAbaz22cWfVaw0HBHY8r8ABjMn:SzeOGsaK2cWfVaw0HB48r8ABY

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 22 IoCs
  • Drops file in System32 directory 27 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07e73c9019847b3145bf4083859efc803b19a5bf10ac1664be1d5c1c3c476fb2.exe
    "C:\Users\Admin\AppData\Local\Temp\07e73c9019847b3145bf4083859efc803b19a5bf10ac1664be1d5c1c3c476fb2.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\Pfikmh32.exe
      C:\Windows\system32\Pfikmh32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\SysWOW64\Qqeicede.exe
        C:\Windows\system32\Qqeicede.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\SysWOW64\Aaolidlk.exe
          C:\Windows\system32\Aaolidlk.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\SysWOW64\Bejdiffp.exe
            C:\Windows\system32\Bejdiffp.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Windows\SysWOW64\Bobhal32.exe
              C:\Windows\system32\Bobhal32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2568
              • C:\Windows\SysWOW64\Chkmkacq.exe
                C:\Windows\system32\Chkmkacq.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2444
                • C:\Windows\SysWOW64\Cpfaocal.exe
                  C:\Windows\system32\Cpfaocal.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2324
                  • C:\Windows\SysWOW64\Cmjbhh32.exe
                    C:\Windows\system32\Cmjbhh32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:464
                    • C:\Windows\SysWOW64\Ceegmj32.exe
                      C:\Windows\system32\Ceegmj32.exe
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:1500
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 140
                        11⤵
                        • Loads dropped DLL
                        • Program crash
                        PID:2680

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\Cmjbhh32.exe

    Filesize

    1.3MB

    MD5

    0fbb869ff3f730a5a407fdc0036b4cf9

    SHA1

    c27881aa4e90d0ad097782b6757eae2165c1be07

    SHA256

    09c22f620699bc25839287ff4777c731e38ec9205d52f8f8d5d39826ab61f772

    SHA512

    1b7357e5ea9f0b5b3fb388bacc16e41ad9f2a4b6ca52433d063dc1ad498e34efa0661861b85656133d4f8b4e5982b4e8bb83c9679e383fbdd73b33558ede7b74

  • C:\Windows\SysWOW64\Imklkg32.dll

    Filesize

    7KB

    MD5

    d26a4bdaa2c95f1e794fe94cc949c79e

    SHA1

    4eb236568651a116b31d5b9bde1f02fccfcaba15

    SHA256

    48dce6b0ce3d5364b58ee35ea58367516928b8894cab2628f0f3d916e118dd26

    SHA512

    4c26c6d47e612ac39b882d7f2285783e733cb84bd72aadfae5a38bad4847f18ee7f7805f74969bf6b3d3bb41f002396e2134a3c868efedb2acb106caf2f3e0bd

  • \Windows\SysWOW64\Aaolidlk.exe

    Filesize

    1.3MB

    MD5

    b6953af7d7ad5297bc148c49e0069011

    SHA1

    5258b62416760f51759b91d13624440456520cc0

    SHA256

    d75502b838e6ac96ca7bf62a6e8959c53c21b9c7c5d704c42b2a871026a5f7da

    SHA512

    b7f66e96d9fd2ec01554d101fe9a9ffae8b09a81ba4c719cbdc742ded6a82ad5b5f222ff39ac24b6a7804afc634fb1c22561b946f4ad53eb096d4b13a90c9669

  • \Windows\SysWOW64\Bejdiffp.exe

    Filesize

    1.3MB

    MD5

    9e6f37c45238291dd56c5232e698f618

    SHA1

    a87fb431a39a36f3026c54464e6323e1acb27ce7

    SHA256

    e6c69ccd4beccd6b56b7e303fc8ead94b9db66a1ebe6fde3bbf9d4f0a9f1d48b

    SHA512

    9e07e6ccc17407efa04c15950d52e6632cdad5f318e43422b3c5133387f229e8e6183f552de15e7e5445395e001774ce93ad2e0858cdc5aebefc6a00acff35c6

  • \Windows\SysWOW64\Bobhal32.exe

    Filesize

    1.3MB

    MD5

    97882c094c0794caa05c2ebb82e0c4bb

    SHA1

    a30d88fe55d56e57c81a1f8f523762a17e73a520

    SHA256

    01211333be96cc866bd563ced5ed394223bf5cba8aaaeebb623d6be10287cbde

    SHA512

    1b3435630f7b02edaf15282fe382bd8c4a6506c0b33db5be7bb85ac0f1cb1ad8a286501f1c5ca2df3356938baacd8445e15b27014b7e7a9a86eaec1e1ac7db53

  • \Windows\SysWOW64\Ceegmj32.exe

    Filesize

    1.3MB

    MD5

    eca10d7ba2d2f32656ffc10b377fb577

    SHA1

    ae60d22ca3d4fef90ec104613e842856a9d52152

    SHA256

    504c42fdb771dbe9c7d1646dde81ee40a8cc2206cfafeb7cb7dd0f485af80104

    SHA512

    1c3cd73cc3476eee87729bdd24727d87eae0b620d4e675c98949d01772880871a4ca6b60ac1841f202de831240e0850d700c855e6cf9c0c35f0a08d0268ff791

  • \Windows\SysWOW64\Chkmkacq.exe

    Filesize

    1.3MB

    MD5

    5c4579f3d6c3b46fcdda95f8462b494a

    SHA1

    79be0fce7298d7bf1a87d6cd2861b05d54ddcb60

    SHA256

    940d5d7a8b54613c887e87fba4a099a611e294a35cdc4c5e633bda29777c717f

    SHA512

    0b13997fb021afdc3124f593277a9ca3917679fccc8f221ad3436a36fd334026438266aa79a69d610c9eb935907ee2a4961b7f2e0a0ee883a0e5b55d72d073b2

  • \Windows\SysWOW64\Cpfaocal.exe

    Filesize

    1.3MB

    MD5

    49966e732c0a0a770a197806a69b95fd

    SHA1

    e4b51aa28be847570a50631fe9e1d9ca578d4ce5

    SHA256

    d655aa0faa171303511280f0232e8df178c3ad59ff059fcd53f4873a36509ced

    SHA512

    09323bccdc2e468ebc1d03e31a8b9b24cd9885c4fc9048597da01de61fb816cc8023fc87365bece7f70570db58b102258313bbb420bcd8bb11b661d2e29810ef

  • \Windows\SysWOW64\Pfikmh32.exe

    Filesize

    1.3MB

    MD5

    9c545908b548ba791846b86d83de1c68

    SHA1

    a30697eccfe8b88cc515a10b6356c36b6fc267dc

    SHA256

    04d316fb01a3feaa6b2ac25eecabe185c072f4e128b9a18ab8178c1a68c65a68

    SHA512

    05aac69e6d6c4730b47ab4a81fe754d52875846a3830ad94dbf1b6903b66919b5d16e0a1373d92373d1179fc55f0a5b9e91a4021190d32a4353278189928baf0

  • \Windows\SysWOW64\Qqeicede.exe

    Filesize

    1.3MB

    MD5

    90bfda139443103bc3fef999e65f7f5f

    SHA1

    250dc787c70daab6408596b35243b8092c1e119a

    SHA256

    5c55b67dacb085c71ae56b78c63104da2af20a989287663ab28a477a60184d4c

    SHA512

    7921e2ad130562a0910c323e366092b46a5e62a8b095239214debfa66346087021dbc4f24a2031af2fcde38afc1731ed76bb9d3774859b163ab132af19118557

  • memory/464-122-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1500-123-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2200-21-0x0000000000220000-0x0000000000254000-memory.dmp

    Filesize

    208KB

  • memory/2200-125-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2200-13-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2208-124-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2208-0-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2208-6-0x0000000000220000-0x0000000000254000-memory.dmp

    Filesize

    208KB

  • memory/2324-121-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2444-120-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2540-115-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2540-116-0x0000000000220000-0x0000000000254000-memory.dmp

    Filesize

    208KB

  • memory/2540-126-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2556-117-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2568-119-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2708-118-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB