Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
25/04/2024, 02:25
Static task
static1
Behavioral task
behavioral1
Sample
b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Resource
win10v2004-20240412-en
General
-
Target
b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
-
Size
474KB
-
MD5
38d935266944c5f49d35c42ce150086a
-
SHA1
7bfad76c6b3844f2cea23ffc7bd4702fe737fe73
-
SHA256
b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f
-
SHA512
398927af28bcd3ad101481dd72c40aad7707b6963990e75e11d9c2ac8c57c71770e5a97aee4d0c2bcc6d7df6f12822a81746925e6fd1f561fe4581a52ec0f8c8
-
SSDEEP
6144:vdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70Nqq:l8kxNhOZElO5kkWjhD4A
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2776 FTKJLPK.EXE -
Modifies system executable filetype association 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command FTKJLPK.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\VAJ.EXE \"%1\" %*" FTKJLPK.EXE -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FUSCV.EXE = "C:\\Program Files\\JMQSE.EXE" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe -
Enumerates connected drives 3 TTPs 34 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\Q: FTKJLPK.EXE File opened (read-only) \??\Q: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\M: FTKJLPK.EXE File opened (read-only) \??\O: FTKJLPK.EXE File opened (read-only) \??\G: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\O: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\R: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\T: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\N: FTKJLPK.EXE File opened (read-only) \??\R: FTKJLPK.EXE File opened (read-only) \??\S: FTKJLPK.EXE File opened (read-only) \??\V: FTKJLPK.EXE File opened (read-only) \??\H: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\G: FTKJLPK.EXE File opened (read-only) \??\L: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\H: FTKJLPK.EXE File opened (read-only) \??\I: FTKJLPK.EXE File opened (read-only) \??\J: FTKJLPK.EXE File opened (read-only) \??\U: FTKJLPK.EXE File opened (read-only) \??\K: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\U: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\V: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\E: FTKJLPK.EXE File opened (read-only) \??\P: FTKJLPK.EXE File opened (read-only) \??\J: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\M: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\P: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\S: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\K: FTKJLPK.EXE File opened (read-only) \??\L: FTKJLPK.EXE File opened (read-only) \??\T: FTKJLPK.EXE File opened (read-only) \??\E: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\I: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files\ODOI.EXE b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File created C:\Program Files\JMQSE.EXE b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File created C:\Program Files\WLLN.EXE b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\FTKJLPK.EXE b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe -
Modifies registry class 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\PerfLogs\\OBD.EXE \"%1\"" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\PerfLogs\\FTHS.EXE \"%1\"" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\VAJ.EXE \"%1\" %*" FTKJLPK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\$Recycle.Bin\\BBY.EXE %1" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\$Recycle.Bin\\XKA.EXE %1" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Program Files\\WLLN.EXE %1" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\ODOI.EXE \"%1\" %*" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command FTKJLPK.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2776 FTKJLPK.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1960 wrote to memory of 2776 1960 b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe 28 PID 1960 wrote to memory of 2776 1960 b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe 28 PID 1960 wrote to memory of 2776 1960 b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe 28 PID 1960 wrote to memory of 2776 1960 b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe"C:\Users\Admin\AppData\Local\Temp\b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\FTKJLPK.EXEC:\Windows\FTKJLPK.EXE2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2776
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
474KB
MD58590f1246b56a2dfce2c5af76d6a859b
SHA1bf89273075bdc66339082f4047f94054026e029d
SHA256efc3bf059b74570d658505e4bdb761cc2984c7d147e47c0c5880e4a2d557e3e8
SHA512ae5d84d61af63878dac691ff993ff979ea2cc3d7aa16e068e34fbd492645d7fc1153fe719496b1ef3c34ee835ad63ec8f905886ce47309e5c31ca9cad75d8147
-
Filesize
475KB
MD5b36ccb73fbed11046af1a0c061f3f8e6
SHA12e50b0ee4cc89b1968ebe3df7091d74ab337a5f1
SHA25628d698875ab968f1d667e2b7d223e340d847b27f373beabacf27db7e996c1f3b
SHA512ef1e8dcec1d05d4981104c35c08761c11bab79eb6de75faac8a68f215b80af94f1c9d0e4ea271cf24e705ec0ede0787b06ce74b6e87e859817d2d41c49a062ad
-
Filesize
224B
MD5dbb98258af2c77de023366b52446d1a7
SHA1310e3525a362ff1c94ed1519bedb3d74111629dd
SHA2565cbf349fad1cb508d75df861915535521f041c21680c9eb7409e785b0a92a75c
SHA512e10fc030c331774f5361aeb9590c2cf21ee517550848c855b3fee41fc98afbce73e5a30ecfe8ca07234995327ba2fd8b5f699be9bd43b60ae7c455ecb38b6cc2
-
Filesize
245B
MD575e8700a4e7641311286c520dd9d1b33
SHA100d1d9550f8b6f79a8675920f07f5327a7f69217
SHA25642bff9556b7375e763e72e6500f5696c5b1430a120a30ab89b62d79b8a85761b
SHA512419c8f0ac6e0b47baeb99fade1357bf29ebb8d0b5c9b0027fa99b9fe5d667f4a513bfc109412856dff814621f4d005635a9d4a61119fe234b3de5baf45e37974