Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

48618ded3c...02.exe

windows7-x64

10

48618ded3c...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2024, 19:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48618ded3ccbdafe56d4258b89087802.exe

  • Size

    285KB

  • MD5

    48618ded3ccbdafe56d4258b89087802

  • SHA1

    60c0481ead458cf9e95ad560ab531e391feec304

  • SHA256

    8af15f24f1020fd3cd6b6d82925bf9938b351e551efbc6bfec4f5fc9c5676101

  • SHA512

    aa1af8926112503591dc9ec8f1a931e15d87120e3be4f82e32801ac5664630ee5cee50a8884816e926290240526f74c117e3e26fc45f8ee2ed9d3bf0fe659721

  • SSDEEP

    3072:KcLKMnonQYLq69Yv3mBxgPCTejKVcbMloVRr3uMg0kAqSxYiJ2QM4GKch:KcLKMnonRL4GgJjKQIoi7tWa

Score
10/10
persistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs
    persistence
  • Executes dropped EXE 13 IoCs
  • Drops file in System32 directory 39 IoCs
  • Program crash 2 IoCs
  • Modifies registry class 42 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48618ded3ccbdafe56d4258b89087802.exe
    "C:\Users\Admin\AppData\Local\Temp\48618ded3ccbdafe56d4258b89087802.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Windows\SysWOW64\Fqikob32.exe
      C:\Windows\system32\Fqikob32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\Gjficg32.exe
        C:\Windows\system32\Gjficg32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\SysWOW64\Gjhfif32.exe
          C:\Windows\system32\Gjhfif32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2236
          • C:\Windows\SysWOW64\Hnkhjdle.exe
            C:\Windows\system32\Hnkhjdle.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Windows\SysWOW64\Ijmhkchl.exe
              C:\Windows\system32\Ijmhkchl.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:412
              • C:\Windows\SysWOW64\Ilmedf32.exe
                C:\Windows\system32\Ilmedf32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:456
                • C:\Windows\SysWOW64\Jhfbog32.exe
                  C:\Windows\system32\Jhfbog32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2256
                  • C:\Windows\SysWOW64\Jhkljfok.exe
                    C:\Windows\system32\Jhkljfok.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2316
                    • C:\Windows\SysWOW64\Kahinkaf.exe
                      C:\Windows\system32\Kahinkaf.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:4744
                      • C:\Windows\SysWOW64\Ldbefe32.exe
                        C:\Windows\system32\Ldbefe32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2764
                        • C:\Windows\SysWOW64\Leabphmp.exe
                          C:\Windows\system32\Leabphmp.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:948
                          • C:\Windows\SysWOW64\Lkqgno32.exe
                            C:\Windows\system32\Lkqgno32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2664
                            • C:\Windows\SysWOW64\Ldikgdpe.exe
                              C:\Windows\system32\Ldikgdpe.exe
                              14⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:656
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 412
                                15⤵
                                • Program crash
                                PID:4424
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 412
                                15⤵
                                • Program crash
                                PID:1432
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 656 -ip 656
    1⤵
      PID:2240
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4568

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\Eopbppjf.dll
        Filesize

        7KB

        MD5

        27ad10cbc14b89e104c0df410a88978a

        SHA1

        a0fff6f3518b563a422f8c902fa76df2528a7eb1

        SHA256

        b41aaca25dcdeda3bc3a3bf53c07d6c2796c2ce4f8ba9d2773dd35ea14ee992c

        SHA512

        158171147d67e00803879c7929babd40ea6bde612119fa7cf32a697c4b383726765337727195ad581a589e6f2e3af35891c01c540fe504d81499f95bb4cf0ca4

        Download Submit

      • C:\Windows\SysWOW64\Fqikob32.exe
        Filesize

        285KB

        MD5

        aa0c69ed66c5dc902c2b2e7c29224673

        SHA1

        0957f9d19357e399e14a1ddcdb124aee3b438d29

        SHA256

        f59c6f5ab6975cb76028b14571d9513a5865335f0d3a47fe950ee3aa3778ea92

        SHA512

        0f5442b05a9f5d6628bd2616d9dba87aceb81ad000bd194037c176f91011d094ea9ce2c982365e381746d29b9f356ac43dc259206aea639546f98e9d556483ad

        Download Submit

      • C:\Windows\SysWOW64\Gjficg32.exe
        Filesize

        285KB

        MD5

        7acf5c3a1a0c7f31cd6374bb52815ff5

        SHA1

        45679548c98dfbb1009fee80f183b503aff110a0

        SHA256

        98ffddc8fb9f4bf807a1cab2ec5b3e5fca9665652c1c709ed56f5fb55d2958dd

        SHA512

        48754d826af149adbf68087c70dab7cb8d021cfd527b576d6ff68b0130098bb31a39ae1f0199d1dc6b306adc8acad23115718fefa195f02c2eab0fd341dcd40f

        Download Submit

      • C:\Windows\SysWOW64\Gjhfif32.exe
        Filesize

        285KB

        MD5

        32a18d1fc3d7a5a47a44a54d8704a1c5

        SHA1

        e5450c39eb9ee6f67c9005620393e36665490829

        SHA256

        d926b4a6cc0c0d6ce73737cb4cb332f7a7e8c7d26baee5da089b624ff0d48561

        SHA512

        49d36d36d01075729a1e345cd7d5c9d3a65b78bf6e86919ff05f339f653d3944030582a658dbf9d9384b9312fc79d22d9dff9785d0b2ffbc9abda61a104d835b

        Download Submit

      • C:\Windows\SysWOW64\Hnkhjdle.exe
        Filesize

        285KB

        MD5

        2755fb9caf96e34ff8d1d5b5744d91c7

        SHA1

        d4d3d68403850896c8c2e2c1ae2b3dd74fe03f8e

        SHA256

        db0fff403f7ebb4c60a3db8ca7f48cd59564c4d2bc3f2aa3a7ad1b3bfb44d8e5

        SHA512

        bfb469e9c28235319ac9b3d839d44c3108383b0a05a4e0515c7cf46631b3d9f4b309c6bc2dfec16f5e1c2f1ed1728dc65948ce93561adf836acf8c8011ebf8c5

        Download Submit

      • C:\Windows\SysWOW64\Ijmhkchl.exe
        Filesize

        285KB

        MD5

        b5453114dbf0d72737f1046b37773f73

        SHA1

        dd05551d31b187bfc2833ac970dd402a48861c4c

        SHA256

        5d6a4e3297cdcafae217fed2696b1fc7bae6ca7fe6bf9ea1170745f7af3dc813

        SHA512

        7a23a3c01628d798756fb8d8f22314d6d68477c26ec687833a2750e9a1e04e4a6c91f1a94b2d1dce4c1f3c81e7d95c18c1755e4f19599f68a9f6b1594b4ca03c

        Download Submit

      • C:\Windows\SysWOW64\Ilmedf32.exe
        Filesize

        285KB

        MD5

        9f58925868bba951dac91917b617084d

        SHA1

        a873c1bd54d171a4884f0067b68344fabdd91c54

        SHA256

        c268b60ca4c3941d61aa60f7d7959d83f9cedd9b38afad6ba6ac6be471cc7877

        SHA512

        b503a65f1334afd8d5d137580af1ff3182ce7b2be55a1caa60361cdbe41222f906705434decad856a570561d5869cb40351273eb1f28f7338a8f7b8f3be762c7

        Download Submit

      • C:\Windows\SysWOW64\Jhfbog32.exe
        Filesize

        285KB

        MD5

        55baeb33792f88303315974648290a10

        SHA1

        41b76beda04f918689ae3a7d4597826aeafb0ccc

        SHA256

        24cbde59ff09e3dc78cfb106a33952601e86fb4074bbce4922b31625cdf9c395

        SHA512

        8615e51d7187408c4649edcaa934f6726ef31e0dba95150ed648ce15dbaab72c68a891bb8d57a44053f91724718bcc940adad3e081ad4c6f986f2c9cb6dcb672

        Download Submit

      • C:\Windows\SysWOW64\Jhkljfok.exe
        Filesize

        285KB

        MD5

        37020c88c736bc734b63cf162535fc96

        SHA1

        3723d46dfe863dc5ede7ae90f54788bb2c460f5d

        SHA256

        c6c4a6a643f6ee9ab7e0479e960de8b21274831c615ba71964373bc6f08fe7c8

        SHA512

        ba5e4bcf8c0ab9fcba19b01b961d64e0a0079e50bd77f15ca63a786d0f8c49736b5ac827f881fb5b619a2b71130a0d966e7226f4dc6cd434b23637075ce0fbc9

        Download Submit

      • C:\Windows\SysWOW64\Kahinkaf.exe
        Filesize

        285KB

        MD5

        ed20051a277063f458a2fe79e4ecee2f

        SHA1

        6c2b52e2ef2acb71d4a9a730e52342efc72f5d55

        SHA256

        ddafa352dbf88fe271a0e01d2d4b78eea45c08eb5981c7fb16fa051fbb8f6522

        SHA512

        52e9b64b6f0415172f5e20248cb4198cbf3451a97bac6a603b2d1df0100b4a85ee8e40e6d7af93121b4df4b0eee8d95f93e1457af567e49ca249d6f27026c0dc

        Download Submit

      • C:\Windows\SysWOW64\Ldbefe32.exe
        Filesize

        285KB

        MD5

        c37791a89b50f4de4857a52e30c83208

        SHA1

        65963e1281a06dd399215f78763f468709f52381

        SHA256

        ec52ce3b8d5c41dff33e8061b8847b381d56fdcc2a70cf0649745ba48e9f5571

        SHA512

        ac353b0b544e1ae03fff3f153556a69f518d077f5a7045a5d21099ef13e75b003b55ed49fc072c163476e22060d3203ed5c0a78480c1a4eb01710150715bf709

        Download Submit

      • C:\Windows\SysWOW64\Ldikgdpe.exe
        Filesize

        285KB

        MD5

        695202b488065689a70749dba8759c86

        SHA1

        3d77042447865419893695773296796ffbb5d396

        SHA256

        d6be9c4055cd86ab0a1388a0f8f2609254144f6576ccfc6d53a16036daf259d9

        SHA512

        cab64ea4ff21e174b41aeb2f5fe46c1c2db8d9fddcb042cd4998fd91dc7752ff1aa7c1268505d30a4658967c06d00dfb035c237896e8b8a1be1f98f0a3b39982

        Download Submit

      • C:\Windows\SysWOW64\Leabphmp.exe
        Filesize

        285KB

        MD5

        fcc6f2eb6ab510b0ab39282bd60cbd78

        SHA1

        696e457f0d94a6dfb262b0da1574d730b380a261

        SHA256

        472087f363ce2b24e87242014b2aad2e974c3d193983a1d55e64f66a4a4492f7

        SHA512

        5625097e6e698d8fd076192ccf44f57978a5606a45f191694e30d8e7a0f7e542fb88f17d880babc1dbe250052bbc9d96ed3a81921198c8e58b8fef47b242411f

        Download Submit

      • C:\Windows\SysWOW64\Lkqgno32.exe
        Filesize

        285KB

        MD5

        48b54deb962c1e439f83a4bb571ebfb8

        SHA1

        de3b57f6fae15377a0910acfc3f3f52dff19f3b9

        SHA256

        804f6fda1148563ab197ab0c4a9da10e1ca385ecdbb324893dde37974223a161

        SHA512

        87fda747ad73e4b80b80612ffdb6eeaabd05008c908f0da7be81da540743d438756433944a36a1a64cdfc66bc16f7ea1aab9c243d99862888e2c0dcea087b867

        Download Submit

      • memory/408-106-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/408-0-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/408-1-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/412-111-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/412-41-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/456-112-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/456-49-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/656-119-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/656-104-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/948-117-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/948-89-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2072-9-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2072-107-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2236-109-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2236-25-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2256-113-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2256-56-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2316-64-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2316-114-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2544-108-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2544-16-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2600-110-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2600-32-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2664-97-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2664-118-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2764-116-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2764-80-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/4744-72-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/4744-115-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download