Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/06/2024, 22:25

General

  • Target

    6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe

  • Size

    96KB

  • MD5

    8bc84f1a067ff84303f0860dc363c2b9

  • SHA1

    f9979035030504de3276a0f0e2297eceaeadc397

  • SHA256

    6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26

  • SHA512

    9443791c6696e6e2b457f5b998a87f6bcd5a5fd5be68d0756ed1b505a6c3a88461b2b1bb5f6aa07a02269a35885d67117dda75d9776b4c45b120fb9ea02dac15

  • SSDEEP

    1536:tjc4vbrEXofKT1QXqclCclhiPMzB+e9MbinV39+ChnSdFFn7Elz45zFV3zMetM:64zrErHcT3iPm+AMbqV39ThSdn7Elz4K

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in System32 directory 36 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 39 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
    "C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\Mpdelajl.exe
      C:\Windows\system32\Mpdelajl.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\SysWOW64\Nkjjij32.exe
        C:\Windows\system32\Nkjjij32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Windows\SysWOW64\Nnhfee32.exe
          C:\Windows\system32\Nnhfee32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1072
          • C:\Windows\SysWOW64\Nceonl32.exe
            C:\Windows\system32\Nceonl32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4780
            • C:\Windows\SysWOW64\Njogjfoj.exe
              C:\Windows\system32\Njogjfoj.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4152
              • C:\Windows\SysWOW64\Nafokcol.exe
                C:\Windows\system32\Nafokcol.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2936
                • C:\Windows\SysWOW64\Ngcgcjnc.exe
                  C:\Windows\system32\Ngcgcjnc.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2992
                  • C:\Windows\SysWOW64\Nbhkac32.exe
                    C:\Windows\system32\Nbhkac32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:768
                    • C:\Windows\SysWOW64\Ncihikcg.exe
                      C:\Windows\system32\Ncihikcg.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1724
                      • C:\Windows\SysWOW64\Njcpee32.exe
                        C:\Windows\system32\Njcpee32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1700
                        • C:\Windows\SysWOW64\Ndidbn32.exe
                          C:\Windows\system32\Ndidbn32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:3324
                          • C:\Windows\SysWOW64\Nkcmohbg.exe
                            C:\Windows\system32\Nkcmohbg.exe
                            13⤵
                            • Executes dropped EXE
                            PID:3820
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 400
                              14⤵
                              • Program crash
                              PID:244
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3820 -ip 3820
    1⤵
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\SysWOW64\Mpdelajl.exe

      Filesize

      96KB

      MD5

      79b044874fdabab91930d70eff96b331

      SHA1

      8c5d518bb86fd708f67c201925c76fcffc220990

      SHA256

      f73684f108a748caf04c1b625ed82e1fccfb2e43a8abc9a431de7062c60017e2

      SHA512

      d36567fc65e3be52c857fd9219a4b1748970d49f7bbc8d45da6ace44a338371d61c204dd333299a762e13ceb57c3da67291b67bd006e2d68d7eb6104608ac884

    • C:\Windows\SysWOW64\Nafokcol.exe

      Filesize

      96KB

      MD5

      244b45a63a54a9d1f356f4f3f81ce95e

      SHA1

      8ddacc03ba871fe644bbb8ce86ff0fbaf1189ff1

      SHA256

      1af659e8d8040eb176f575f4ec3a508e1fc98207cc62c398f6e56ed0cec39e9d

      SHA512

      dfe94cd46b70972fb14aaf0d00b0521cb9305b7d84401eaa800c07e1f2bb3dbc5afba74309a8f628c6e4a5e0aeae92eec4007ced5dc19ec11ea51bfaad1e622b

    • C:\Windows\SysWOW64\Nbhkac32.exe

      Filesize

      96KB

      MD5

      9142148cb9834cf7ddc764d1d055d67d

      SHA1

      0bc25b7114fcaa2e0faf925ee8b22f3adeb66c1e

      SHA256

      1cc87dfc688b28c2525d5911818b91974c33578c3acd2b67ea1a3d3f669584ad

      SHA512

      5677e7f3e8e1bd8442bee1a4c468276bf89c9a821575e8ac21d038110c57d3450d1494beb73d94e87cd855dcd51661496a6ed746aee6705c4407352c99790559

    • C:\Windows\SysWOW64\Nceonl32.exe

      Filesize

      96KB

      MD5

      de32cb124beaa46e06fb7e34b9052bc5

      SHA1

      f8efdaf6bc64606a2fe499ab896d7cbde5a2d5ed

      SHA256

      3aa07d89a829b20222d45d18f070123908c8fa3009ddd9bee3e0c48a9a8c39b6

      SHA512

      a9bbcb934c21d20c60c608d20b5fec910f435b66ef9719611e33f05175f41f7995b9739ead2dd0620720d11ec7151e09397f96081fd6cd1946adaabb41fa0103

    • C:\Windows\SysWOW64\Ncihikcg.exe

      Filesize

      96KB

      MD5

      66042d4b20cd4756ed34ef5a10d240d3

      SHA1

      ef31887d2252650881b3fbff61f84485e9512631

      SHA256

      8291412c538ce24308b1da14eacc617eb75af196189bdf27ae4c61b450207f15

      SHA512

      7cbd06ee134030e5be3eff99cd3cd32aff548b8c7f269176185d7a79b92c17aa6f2e32bdf07a6d89660db0f1dec25ad98b66af8ab49d7031d3b66dda4d613842

    • C:\Windows\SysWOW64\Ndidbn32.exe

      Filesize

      96KB

      MD5

      b85a094dd4b6a41477d7b29332bbad42

      SHA1

      cc553dbb0aedbfba6366e9a5915ae4b83717a94a

      SHA256

      f418c7f6db6701ed474806c61662b7f212dc71dfac02d0f31ebe4d14b0d384b2

      SHA512

      ea8787d67ebcd3dd537c6e8ac2033b68652d682caaddaaf60f4bdf319a862479070a8dcba85a4056b6c4285356044b62d888093fb7beb5a7f070325cba2ed74a

    • C:\Windows\SysWOW64\Ngcgcjnc.exe

      Filesize

      96KB

      MD5

      d1a8a94f77a09a8e2b15868e673d9d4f

      SHA1

      c00b38ff6c376f91b8bca5abd2ac9771c5ade77e

      SHA256

      cade64b49e6ba3c90da8262c0dcacd04c759153adfa284c2cdec335410d90db7

      SHA512

      6148d8e3fb8dd4686e2c6ab87fba1911f8f0e33dc53127c52dad14357b5a432d35c3b0840a4fc2346b96927287c2ecc0f9a5c6249d0ae93694a02b3a429f6f8c

    • C:\Windows\SysWOW64\Njcpee32.exe

      Filesize

      96KB

      MD5

      a4f4a3ae40be25f5380787270609d782

      SHA1

      5b2ee02ba76cd412beaafad88e9aba13fef60c0e

      SHA256

      cb7126db3121e574a2c619a9513b6571c13ea8873b9cbd38f79b6140e54e3b73

      SHA512

      5e7088a4ee9fbe2353f26563edae9c48103da8ab42ccd5b8e38cfc0e3e44f388d03dea12ac62a8674dad54ab2bf1c54e7323157b42fd69b13b459d0e8f4ef95f

    • C:\Windows\SysWOW64\Njogjfoj.exe

      Filesize

      96KB

      MD5

      d83584aa272553f4b14e3d35e4f1859c

      SHA1

      56b86de2e625687fd0828617f0d0a1b5d8b25084

      SHA256

      654c2d839144e1d76d0cf26800d70e35f8c02c26d5533b69ee2d2a568c174a61

      SHA512

      a4714a887bc6895f96eb1520006d2cd02ada8526d60b993e5b9f7b7388de86b2c9510fdd702b2e9ee34e58e048abd63df0d7463c669f279084d07a5b6226b543

    • C:\Windows\SysWOW64\Nkcmohbg.exe

      Filesize

      96KB

      MD5

      3c0faaf51ccc84646ba7f12b58e20cf4

      SHA1

      e6ef6cf03536b098aaa6b429150aeda16dd51069

      SHA256

      861b23bb28a2b50ca17715aa6ee40c9a6603ca3a64b0ab6ec6682cf810c1aa5a

      SHA512

      6a6178696355008e6cc77cde96b92c42801e11168d9ae25bf091eb5331f8eef4d2f8439307333768cf538a90edf7fe5d75718557fafbc6a5103e9d63aae44e16

    • C:\Windows\SysWOW64\Nkjjij32.exe

      Filesize

      96KB

      MD5

      1a78c200c7a571ca4c4dc342110dcac7

      SHA1

      d6e76ab24654fc660cd174d6f9d63859921d5d32

      SHA256

      6ed66b074aa5718a1d39cfe18ace6636c8283ddc2d8e116899de13385af81a74

      SHA512

      e1d5ea1c08dfd24b231ce841e01c94d756983f8a7450539308d8a435194d9cfe181009bef8d946de21c65b3b5920c1c92fde30ce673039868a6d9a4680eafe87

    • C:\Windows\SysWOW64\Nnhfee32.exe

      Filesize

      96KB

      MD5

      30266f9013303fc20c684cdd49d1120c

      SHA1

      68124aaa212f33f54531a1913b664a35e1dfbd82

      SHA256

      ec00358e96e174340be4bd4d864c12add6236fa141b32fa4f5c469bc394055cc

      SHA512

      05467ec70ec8b0a1db820d14419a2eb3b35a0359551c8f99f1a109930c7b080ff7e98357660963e7384d60ed246b244bc81bc94311b6fc3d6b92d62342ff6211

    • memory/768-101-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/768-64-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1072-106-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1072-27-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1236-108-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1236-8-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1700-80-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1700-99-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1724-72-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1724-100-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2004-109-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2004-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2936-103-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2936-48-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2992-102-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2992-55-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3324-98-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3324-87-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3820-95-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3820-97-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4152-104-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4152-40-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4652-107-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4652-17-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4780-105-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4780-32-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB