Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

99ca10210c...22.exe

windows7-x64

10

99ca10210c...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18/10/2024, 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe

  • Size

    91KB

  • MD5

    403695e0826bbfeb7007a5b063877d26

  • SHA1

    cd1bbe691c12482f44019fa4604919e112381690

  • SHA256

    99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022

  • SHA512

    c517af5493ef467ece26a0ff14f55f8f7bfa792e1909d364d1d5ef909f0e0e27b441904b04b09816b5bdcdcb2eaad297bb2b0aa67404b31a9e1c624be192bb08

  • SSDEEP

    1536:PmipZCo3/fgPJHiyicsvSAwfn97ILXfdibTAn6v0DSztOZ/PwimYt/6kiV3REDNE:PmipZ1XgP1iyicsvSAwfn97IT2C68ym6

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs
    persistence
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 20 IoCs
  • Drops file in System32 directory 24 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 27 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe
    "C:\Users\Admin\AppData\Local\Temp\99ca10210cf21f2dccea2462eb492d64ee17ff63015be7dd5b61b3d003d8b022.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\Cpceidcn.exe
      C:\Windows\system32\Cpceidcn.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\Cfnmfn32.exe
        C:\Windows\system32\Cfnmfn32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\SysWOW64\Cpfaocal.exe
          C:\Windows\system32\Cpfaocal.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\SysWOW64\Cgpjlnhh.exe
            C:\Windows\system32\Cgpjlnhh.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Windows\SysWOW64\Cmjbhh32.exe
              C:\Windows\system32\Cmjbhh32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:536
              • C:\Windows\SysWOW64\Cphndc32.exe
                C:\Windows\system32\Cphndc32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1472
                • C:\Windows\SysWOW64\Cgbfamff.exe
                  C:\Windows\system32\Cgbfamff.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2108
                  • C:\Windows\SysWOW64\Ceegmj32.exe
                    C:\Windows\system32\Ceegmj32.exe
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2088
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 140
                      10⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:2912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\Ceegmj32.exe
    Filesize

    91KB

    MD5

    91171ebc07417208a22a7fffeb709277

    SHA1

    4106416a344bd78b377b76d0b41cf9aa2afe36bb

    SHA256

    f66761cafdd773decfae3a1a7a7e656e7430bf5b9e27a9300eb4e03e095ddf02

    SHA512

    f473c9ee3362df6a4d95101236644d170c173944fc2298c0cfc9a0b442d653fad997b90dae2cff5de6e2c7ae6514a8f3f68a83683c3d8d7170e757005a53fa9a

    Download Submit

  • \Windows\SysWOW64\Cfnmfn32.exe
    Filesize

    91KB

    MD5

    f531c642ff5f973bfa601ce0f5edb00a

    SHA1

    836685f8b547291ef31947aa9fbf835df5343d80

    SHA256

    dcba667941ce53b5a80ebc9342abc640e6ac4bc69b8df3fb432511a997d4c4a9

    SHA512

    cd43224404929f3217ce06217ca4ba8cc2fabce624a90a5f507d3276f0106ccc515e63425f2e53d9051cc3f8091e7bdb7d87b977d4aa104d06c7a387ba1e78fb

    Download Submit

  • \Windows\SysWOW64\Cgbfamff.exe
    Filesize

    91KB

    MD5

    e9a8223916837c4f59d08ad9924ea90a

    SHA1

    6797e9ee5292745805172118a2d5f57c8816c296

    SHA256

    50e278b0717a7d5c1f489de086ebee9828f924e206699c4a332a33507eeae05f

    SHA512

    d04be4dd8aec7ab2f03320cf69e43d5e62aaa5638a1bc7ac7ea105b67441fe86bc7d24b664e8e40c4e747c0b8cc0d2bbe31ba1241fd6ce0a852204bc6422e9a2

    Download Submit

  • \Windows\SysWOW64\Cgpjlnhh.exe
    Filesize

    91KB

    MD5

    9f70dca20b4f55f74f9765242803a778

    SHA1

    22f7111670700dadd7cb74648cbafe070f10fc01

    SHA256

    3d0fea8b8cde8b8e02776ae90be1f7aa115d617c32366525d367da1efaeeea95

    SHA512

    9da9d081ac4899aaca0f8350409f6b8716086b54f0ace2f3b08c6f64371ec68e0e3e86ebcb10dc0d96baaf1458355f68042efbdd482f061aafeead4e7ea3a7a4

    Download Submit

  • \Windows\SysWOW64\Cmjbhh32.exe
    Filesize

    91KB

    MD5

    a38fa0b3d85e05643639194f45815037

    SHA1

    0a9e169b7aeb9f40b7a02f3d31b6c5fcb678a623

    SHA256

    94dbc6683dddfe3183d3d0ec2d4c7766c397ef194301008c1242c6acbbb9d3d7

    SHA512

    34515fa475a505daf6db086d0b970cf2a76c4a46ff73dbb3a3b0a2f6f34bf7dcdd930bb38cce1dd821597ab62f88878f3d0374234fce67853a05a23e28dc76fe

    Download Submit

  • \Windows\SysWOW64\Cpceidcn.exe
    Filesize

    91KB

    MD5

    0661257dd4425f39baec7e5fd69668dd

    SHA1

    1c791231f3a10e20c7ab53efb4a4c3bb70302f06

    SHA256

    f08abba1627ab2d1ad28174803e14ac92baf43ba75f355f09bb9351f9f517068

    SHA512

    6a51a642c94fb6af0708c5480504b8f758563530963876339f37e21014b70499e1f24ac205d58677520dbf20c9d1268ae6798e307f66549aea15005fb5a34d04

    Download Submit

  • \Windows\SysWOW64\Cpfaocal.exe
    Filesize

    91KB

    MD5

    da13fffce0e85709385e33f8b5c0b9ce

    SHA1

    f3271708c1aad8f18b7834398cd01ded11db83a6

    SHA256

    384a2273b53bd331c39983f7743ce3475536008433e724392f7136ae61822eb3

    SHA512

    b42b6c3e27c95a004bbffeadfb34b7173fbf1d96e6589654d2a47ff063c82ccae5db9ea36a57fc4405dddc935875bce4bfdaf65a221ac9c14aeaf8add8bca930

    Download Submit

  • \Windows\SysWOW64\Cphndc32.exe
    Filesize

    91KB

    MD5

    0ee8771191c081b2e809438e5fe2ec87

    SHA1

    5b84145a59e941e823ce65806c5494e01a50b0cc

    SHA256

    0c1a9bf5bb9c61e3dafc92d6d84f3edde10076da1f53f20ec62d281cc938d0be

    SHA512

    82637a25b53358910c722449b8cc0f246306157a714bc81c94f8d732e9abf66a174f48453d97333aefaef7e7ced84df721c494cc386fcb8f2e8c684d518e4d92

    Download Submit

  • memory/536-111-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1472-109-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1472-78-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2088-104-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2088-117-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2108-113-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2108-91-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2656-47-0x0000000000300000-0x000000000033D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2656-110-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2724-60-0x0000000000250000-0x000000000028D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2724-112-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2884-11-0x00000000002D0000-0x000000000030D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2884-116-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2884-0-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2916-114-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2916-34-0x00000000002D0000-0x000000000030D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2916-26-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3020-115-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/3020-13-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download