Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

627959cec0...0N.exe

windows7-x64

10

627959cec0...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/08/2024, 23:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    627959cec072f79de6e04cda7fb66b10N.exe

  • Size

    71KB

  • MD5

    627959cec072f79de6e04cda7fb66b10

  • SHA1

    c717066b5ab5feab87240c3892f9a6f64cfcc5e2

  • SHA256

    3762ff04571428367c0088ad4cc6c5844e4e4a34890657827b3c486847d71c02

  • SHA512

    59de646556a625d89afb2417dc7d36cc1f7bb6e412f47380108eeef17b0cbcecf04acb1e67896d29f4d663fa9ccd65375eeae10f6c464f6f93dcaac676ec625e

  • SSDEEP

    1536:FBUUWUfAnqMgrFJ+UNoKnUAlVGnIc+8yTuIIj41DpBRQ6DbEyRCRRRoR4Rk:FiUftgWooUg4Ce41pBeUEy032ya

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs
    persistence
  • Executes dropped EXE 16 IoCs
  • Drops file in System32 directory 48 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 51 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\627959cec072f79de6e04cda7fb66b10N.exe
    "C:\Users\Admin\AppData\Local\Temp\627959cec072f79de6e04cda7fb66b10N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\SysWOW64\Bbhildae.exe
      C:\Windows\system32\Bbhildae.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Windows\SysWOW64\Cajjjk32.exe
        C:\Windows\system32\Cajjjk32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Windows\SysWOW64\Cdhffg32.exe
          C:\Windows\system32\Cdhffg32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Windows\SysWOW64\Cienon32.exe
            C:\Windows\system32\Cienon32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1920
            • C:\Windows\SysWOW64\Cpogkhnl.exe
              C:\Windows\system32\Cpogkhnl.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3076
              • C:\Windows\SysWOW64\Ckdkhq32.exe
                C:\Windows\system32\Ckdkhq32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:840
                • C:\Windows\SysWOW64\Cpacqg32.exe
                  C:\Windows\system32\Cpacqg32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:3188
                  • C:\Windows\SysWOW64\Ckggnp32.exe
                    C:\Windows\system32\Ckggnp32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:3328
                    • C:\Windows\SysWOW64\Cmedjl32.exe
                      C:\Windows\system32\Cmedjl32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2844
                      • C:\Windows\SysWOW64\Cpcpfg32.exe
                        C:\Windows\system32\Cpcpfg32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:3288
                        • C:\Windows\SysWOW64\Cgmhcaac.exe
                          C:\Windows\system32\Cgmhcaac.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:4784
                          • C:\Windows\SysWOW64\Cacmpj32.exe
                            C:\Windows\system32\Cacmpj32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:1580
                            • C:\Windows\SysWOW64\Dgpeha32.exe
                              C:\Windows\system32\Dgpeha32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:3548
                              • C:\Windows\SysWOW64\Dinael32.exe
                                C:\Windows\system32\Dinael32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:3832
                                • C:\Windows\SysWOW64\Ddcebe32.exe
                                  C:\Windows\system32\Ddcebe32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:3624
                                  • C:\Windows\SysWOW64\Diqnjl32.exe
                                    C:\Windows\system32\Diqnjl32.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    PID:4748
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 420
                                      18⤵
                                      • Program crash
                                      PID:2344
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4748 -ip 4748
    1⤵
      PID:1656
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4612,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
      1⤵
        PID:4352

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\Bbhildae.exe
        Filesize

        71KB

        MD5

        70f91067787e3baf472ca11b933ba222

        SHA1

        a008f8ea41954d4e208156154eeb0144cb39ace3

        SHA256

        9487b924fe557a8da73f854e50775c295931f99552917f6dc111962574f1bc81

        SHA512

        e0fa3e7ad676c63007603c0ec525eea639bd5bad44575e56db5e021df431a009b4baa826e54f66dfb47ad83a89056271c97aaee418e7936c82a3839e21d8d38a

        Download Submit

      • C:\Windows\SysWOW64\Cacmpj32.exe
        Filesize

        71KB

        MD5

        3d81c734de857bf27a08f710654471af

        SHA1

        03edcc2a385c3e5bba0c0ea327941589a1d4f1d9

        SHA256

        bf7a34b87efcc1e35671d10d04f94f67483504a4dd02baad7acda7b2883c92c4

        SHA512

        22be1efc8589f816b592dfc3b285662b8411df6b1f5bc00c4b2e8b73181a74825b4333ad0b87e935e2b800e9156bbecd02a33474b4a093af29179bb984b80c05

        Download Submit

      • C:\Windows\SysWOW64\Cajjjk32.exe
        Filesize

        71KB

        MD5

        af938689f53adf73e73942f0ed023e4d

        SHA1

        99a69c8d73a134de54e11d5d4c11750e14fefdb5

        SHA256

        bba1909bb183676baa25daffe224a4203f2ec42aa0ed61a536ab34c35e246d66

        SHA512

        364268b4702492f6ed56603acc7b7c8332ed4349dcaf52f268985a7574c21e051e90c07fe66329680834d60c036ca5c8df1cec361bc7ada2a90d9d497a9806f8

        Download Submit

      • C:\Windows\SysWOW64\Cdhffg32.exe
        Filesize

        71KB

        MD5

        5cba88bf0a1856b1b6b745661cea5b2e

        SHA1

        404f7069da427762fa92acc342dcedf5c7935cc1

        SHA256

        79e43c79aa13f8fc861fa3c60d664da05eba93a84789b6fdc6c97ef47d4c5781

        SHA512

        006211c0ba0e6a390ff18ee4dbd0e5691b95a6136073243b325579dae0667d5e829cbf437618c9981fdcbc0fe3d712969ef4308bcc9aeb495d384b74d71e58da

        Download Submit

      • C:\Windows\SysWOW64\Cgmhcaac.exe
        Filesize

        71KB

        MD5

        d4da1131f1f7f3b6e170bb30195758d9

        SHA1

        9164706c93807c752f40838423ce789a3612b2cb

        SHA256

        cc28d64509570ab8192dfc4339f3e090fb4de1f15131c161a56544e5dac64905

        SHA512

        8fcf5f5e5fa89d5acd6b2c79fb6f80de208d8a75688b852fe60ed8d11dd9822ebb064c780e90bcff0dfd79ef4bfe6a3fd0eb265cfd556d96602f8ce546db161f

        Download Submit

      • C:\Windows\SysWOW64\Cienon32.exe
        Filesize

        71KB

        MD5

        ed0e25fb1c4fba4b3d9452c2131e5648

        SHA1

        a92f756738d78763bf6ef3cf6c9604868f1d3f44

        SHA256

        86345e40c3edd6aba24ea2057d3648b6a7cefe68aca57d5f6baa2cbcb942a869

        SHA512

        c4e1d6827f16c75657c1670a5ec9285f0a5111a3a8b8e647ba82cf06e8228889af3c052e5056044db869d8acc8a9bd9d5a168a9c8a85f0a6898230d488b12875

        Download Submit

      • C:\Windows\SysWOW64\Ckdkhq32.exe
        Filesize

        71KB

        MD5

        71506688324e896edeca45880158c81b

        SHA1

        f7b76d449f23b32da3022aacc67f5274709ca647

        SHA256

        4c7613d18ed189777ca501b92830935b440624747e8faf50e8fcfbf8fd0fc602

        SHA512

        54f41ef68757df4e469e3109963fd637003041725d298cb67377773e4ab66ff4b02ac0030d4059d694d0bbd2d19aee147575dfa69d2755a11126b868e61c1a20

        Download Submit

      • C:\Windows\SysWOW64\Ckggnp32.exe
        Filesize

        71KB

        MD5

        609f06f84e01b1769d7580ea6e1be80e

        SHA1

        fef324e2ea6fffcf70a3401d531714bd6000e736

        SHA256

        cf90eeb2240aa1db2a119a9c76840962cdff2344f10a6d144e8c247d67104bc5

        SHA512

        b53d8793c427eb0655f314b2c319a648cc2ebc75a92073e230817c4427090874a464e5c509770112e6d8f7d154669984021fe28b08c8d2885a3b7da486dc8754

        Download Submit

      • C:\Windows\SysWOW64\Cmedjl32.exe
        Filesize

        71KB

        MD5

        16053af3c5405725c17bf0f3cdce10c3

        SHA1

        78104afbabd1a85da040218bc2dd049de20d933f

        SHA256

        37cf1990cf5198a8f647cfe62909c0fd5037ed506c4637ac20e8af77c14b9bd2

        SHA512

        97974e0bb3798ba59de4bb4b326266f688b1e9d59e3e07115bde0856f18e5ce5a021bf8a81d861abfb4801a67c1368242ed54fb2d0c37577f1ff6c4a4c6593e3

        Download Submit

      • C:\Windows\SysWOW64\Cpacqg32.exe
        Filesize

        71KB

        MD5

        e5e96b469d365bb23792999116a62d91

        SHA1

        9906f2d9d56e980c97bd506d9ad1bbfc6b2060fc

        SHA256

        2990bd9d0058946f9e7f9be275841be14c48e65df03ce0c3aa594b035850ba9f

        SHA512

        6474ae24435836e1455d82386167f5fade6f5816c73fed60c5642d98177cd60722f05084c27fea302943e4ecb54fc1b4c3235f37068b0ad79ed89836c45bf6ab

        Download Submit

      • C:\Windows\SysWOW64\Cpcpfg32.exe
        Filesize

        71KB

        MD5

        e6cbfe5a1ed44ba367e272b443af173b

        SHA1

        ab3f5786e0acddabf86196e5ae12d25bc85c5199

        SHA256

        e08078af42bb252edab30024c6f78c83a64e46513548d6d0dbc0e0e4489da35f

        SHA512

        b089ab3d736b641732d25a02649e002f5a86360cf72b030795e19cc6465534deee59d1802f3b8f314b79b01a56cab0334735c788331510361b6a348b87787b02

        Download Submit

      • C:\Windows\SysWOW64\Cpogkhnl.exe
        Filesize

        71KB

        MD5

        e099fff51e02eb8371d7063d616f246a

        SHA1

        cf22acd32ee8df9144460a01d0f1db51e4988766

        SHA256

        d6860c25b0251faeee08309a04da4ac97723aecd448bfd5397c771a02f2a2948

        SHA512

        bb2ca8d70e591555eded6ced5c7e8978fd26306212158c453e949ac0a97b4b5e951c42daabc979460fe2b5fb77d19e527fe5e8f0afbd24af707816aacb92d96c

        Download Submit

      • C:\Windows\SysWOW64\Ddcebe32.exe
        Filesize

        71KB

        MD5

        32c8558fbad71a688333bd5983e13bea

        SHA1

        2e210f86b05dd3d9a0c8dec5ddd728a738fee205

        SHA256

        cdfffe785b0897629e12e98b1c00dc183bf6f9b82ba701119a3caa3ae4b4cf52

        SHA512

        b6741c6a9f63830f999734f9202946dbb20fd9189de7fc00e01d5bdb8d3f8d0602c4da065be215a10f606a378c05d9afb6ef22ee12177bc2556e653292532cf3

        Download Submit

      • C:\Windows\SysWOW64\Dgpeha32.exe
        Filesize

        71KB

        MD5

        01f33cd657c363a84ecd27c75e52bac8

        SHA1

        d2cfa1e4003fa98b0b58268bdb024efb981f774e

        SHA256

        4d35bcb6fbe31f93d56869368f8af46828607fc464a78a2b7742c16f9a51195f

        SHA512

        dc4b4494bc2790b91cfd1e0f45cd3b43231f2483cf3d4c80f2b28b2b8963d73a9cd60f3f36d57602994bb7a09abf8216320ad4d59aed1a21681726f542d766d9

        Download Submit

      • C:\Windows\SysWOW64\Dinael32.exe
        Filesize

        71KB

        MD5

        827caa33d94b7b4ba15b31980fd9bf55

        SHA1

        953ede95f731c1921443f26f028daef407c58345

        SHA256

        18c99fee54b63ad4f7ce078d06db2bd2504071a9d0ec01045407f2e6cb735ab7

        SHA512

        549e5183312484ef8af5d21de726b84ec34af2024deb44300b723917f68e7f6a010113a134b57a0f9b29f07b6deb9557296c01bfb325c56552557052224067a4

        Download Submit

      • C:\Windows\SysWOW64\Dinael32.exe
        Filesize

        71KB

        MD5

        a8d8653b0c39e40f5a2d471d5809723e

        SHA1

        2546cc33af96cd73d0065851fa0ff0b9b836fcbc

        SHA256

        4729464f98b77a0a5b5ecebc0b2da200b4cf2684008fc219d277e7e927236fa3

        SHA512

        276498efe9b5ed68861f086135baa43fb2c8bb006064b315cd01faa32ca3291dade24d2e35b899dfa5bdb490bc97a800dfead505c036b3433abb801a2755e38b

        Download Submit

      • C:\Windows\SysWOW64\Diqnjl32.exe
        Filesize

        71KB

        MD5

        c7c3530dc8ca7608874f7ffcaef7d72f

        SHA1

        1224eabc41741b35f7718cc9b89fef1263c1b254

        SHA256

        bfd34a3efae2c4c45ded8f8c5768a4dbe086b688a5ee63a23407032164b80315

        SHA512

        c0f3ec2dc7669fe3765ddd7b8d729ccba9caae5e9c7370639f59e88ca4422be734fc9682f30b8de159b1f4cec870ba2dd77f588048c21ef020a2ca5c14c79701

        Download Submit

      • C:\Windows\SysWOW64\Gkbilm32.dll
        Filesize

        7KB

        MD5

        d73313d39a7074cc838dfbb197073cf5

        SHA1

        66abedd082e660d186d8e952bdb6da0160aa9ebb

        SHA256

        430be544c5bb816081eeaad2f6b155cbbb8934eeac68c92ccd0574e4cc7682a9

        SHA512

        7ffd0997810c3f55f8d7ca630f6901ffa51a6c244a2c6e859d8b662a99dfa6ded57a36cd08f172c5f64639324cf13812efc2b9d6db157419800dff11fea4dc09

        Download Submit

      • memory/208-16-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/208-143-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/840-139-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/840-47-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/1580-95-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/1580-133-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/1920-141-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/1920-31-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2284-23-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2284-142-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2844-136-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2844-71-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3076-140-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3076-39-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3188-138-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3188-55-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3288-80-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3288-135-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3328-137-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3328-63-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3548-103-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3548-132-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3624-130-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3624-120-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3832-111-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3832-131-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3836-144-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/3836-8-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/4748-129-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/4748-127-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/4784-134-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/4784-87-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/4812-145-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download

      • memory/4812-0-0x0000000000400000-0x0000000000439000-memory.dmp

        Filesize

        228KB

        Download