
Analysis

  • max time kernel
    90s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/10/2022, 20:23

General

  • Target

    e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6.dll

  • Size

    3.9MB

  • MD5

    9a05d32a9e7fedce9c4fc8cb0afa966c

  • SHA1

    46791e12d3471d9ccd012a9ed52be43dd7a2b8a9

  • SHA256

    e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6

  • SHA512

    ef643a5ef313505a0f6b5ca5f4e9635b7d8534b507f129aad61b0b31e2011a44248dd50f7f808544c7c06e8783954d510ba1de175332607a067486d59119c074

  • SSDEEP

    98304:ziSacGY85ycuvTZ6Er4v/YBYSnFP1GashgyiIqoXKkV6:zPZG3y9lEvsYS51ZshgyiIDXKkV

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:3468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 688
        3⤵
        • Program crash
        PID:4228
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3468 -ip 3468
    1⤵
      PID:4128

    Network

    MITRE ATT&CK Matrix

    Downloads

    • C:\Windows\SysWOW64\987561.bmd

      Filesize

      1.9MB

      MD5

      aae2c15f00256d1a50cd72665e267f36

      SHA1

      de15c39b155a45782313d5523f93e4dcdefe59ac

      SHA256

      691feff90464a118c8390a8d366d6ab407a0642e6d0c937a293f639e23eabe2f

      SHA512

      9fb4751b44e279a3e73131ce5debeb1cac9805a31063cdc265c3cd945db1e7f14dc62a38595bc2311d110467fcb898023a158cf6063cde7939e1fd97ff0a8122

    • memory/3468-133-0x0000000010000000-0x000000001043D000-memory.dmp

      Filesize

      4.2MB

    • memory/3468-134-0x0000000010000000-0x000000001043D000-memory.dmp

      Filesize

      4.2MB

    • memory/3468-135-0x0000000010000000-0x000000001043D000-memory.dmp

      Filesize

      4.2MB

    • memory/3468-136-0x0000000010000000-0x000000001043D000-memory.dmp

      Filesize

      4.2MB

    • memory/3468-138-0x0000000074B40000-0x0000000074FC8000-memory.dmp

      Filesize

      4.5MB

    • memory/3468-139-0x00000000016D0000-0x000000000178F000-memory.dmp

      Filesize

      764KB

    • memory/3468-140-0x0000000074B40000-0x0000000074FC8000-memory.dmp

      Filesize

      4.5MB

    • memory/3468-141-0x00000000016D0000-0x000000000178F000-memory.dmp

      Filesize

      764KB
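
Detection logic for the chain recorded in the Processes section and the dropped file listed under Downloads, as an added example that is not part of the tria.ge report: it runs over constructed Sysmon-style events (plain dicts built from the process tree above, not real telemetry) and flags rundll32 loading a DLL from a user's Temp directory by ordinal export, the 64-bit rundll32 spawning its SysWOW64 counterpart, a file with a non-system extension written into SysWOW64, the WerFault crash that followed, and any file whose SHA256 matches one of the report's IoCs. The event field names (type, pid, ppid, image, cmdline, target, sha256), the benign control event and the EXPECTED_SYSDIR_EXT list are assumptions made for the example.

```python
import ntpath
import re

# SHA256 values copied from the report: the submitted DLL and the dropped 987561.bmd.
KNOWN_BAD_SHA256 = {
    "e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6",
    "691feff90464a118c8390a8d366d6ab407a0642e6d0c937a293f639e23eabe2f",
}

# rundll32 loading a DLL from a user's Temp directory and calling it by ordinal (",#1").
TEMP_DLL_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+\S*\\appdata\\local\\temp\\[^,\s]+\.dll,#\d+", re.I)
# Assumed list of extensions that legitimately land in SysWOW64; ".bmd" is not one of them.
EXPECTED_SYSDIR_EXT = {".dll", ".exe", ".sys", ".mui", ".cat", ".inf"}

DLL = r"C:\Users\Admin\AppData\Local\Temp\e3ba5bb057ea8d27bd39fc4d8b607c8c51c5021ec10d5bcf011866317fdc16c6.dll"
SAMPLE_EVENTS = [  # constructed from the report's process tree; not real telemetry
    {"type": "ProcessCreate", "pid": 4676, "ppid": 1234,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "ProcessCreate", "pid": 3468, "ppid": 4676,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "FileCreate", "pid": 3468, "target": r"C:\Windows\SysWOW64\987561.bmd",
     "sha256": "691feff90464a118c8390a8d366d6ab407a0642e6d0c937a293f639e23eabe2f"},
    {"type": "ProcessCreate", "pid": 4228, "ppid": 3468,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 688"},
    # Benign control (assumed): a Control Panel applet via a named export, no drop, no crash.
    {"type": "ProcessCreate", "pid": 5000, "ppid": 1234,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def known_hash_hits(events):
    """Files whose recorded SHA256 matches an IoC taken from the report."""
    return [e["target"] for e in events
            if e["type"] == "FileCreate" and e.get("sha256") in KNOWN_BAD_SHA256]


def temp_dll_by_ordinal(events):
    """PIDs of rundll32 processes launched with a Temp DLL and an ordinal export."""
    return [e["pid"] for e in events
            if e["type"] == "ProcessCreate" and is_rundll32(e["image"])
            and TEMP_DLL_ORDINAL.search(e["cmdline"])]


def wow64_rundll32_chain(events):
    """(parent, child) pairs where the system32 rundll32 spawned the SysWOW64 rundll32."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    pairs = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if (parent and is_rundll32(e["image"]) and is_rundll32(parent["image"])
                and "\\syswow64\\" in e["image"].lower()
                and "\\system32\\" in parent["image"].lower()):
            pairs.append((parent["pid"], e["pid"]))
    return pairs


def odd_syswow64_drops(events):
    """Files written into SysWOW64 by a rundll32 process with an extension not expected there."""
    rundll_pids = {e["pid"] for e in events
                   if e["type"] == "ProcessCreate" and is_rundll32(e["image"])}
    hits = []
    for e in events:
        if e["type"] != "FileCreate" or e["pid"] not in rundll_pids:
            continue
        path = e["target"].lower()
        ext = ntpath.splitext(path)[1]
        if path.startswith("c:\\windows\\syswow64\\") and ext not in EXPECTED_SYSDIR_EXT:
            hits.append(e["target"])
    return hits


def crashed_pids(events):
    """PIDs that WerFault was started for (the '-p <pid>' argument in its command line)."""
    out = set()
    for e in events:
        if e["type"] == "ProcessCreate" and e["image"].lower().endswith("\\werfault.exe"):
            m = re.search(r"-p\s+(\d+)", e["cmdline"])
            if m:
                out.add(int(m.group(1)))
    return out


def detect(events):
    """Combine the individual checks into one set of findings for an event stream."""
    findings = {
        "known_hash": known_hash_hits(events),
        "temp_dll_ordinal": temp_dll_by_ordinal(events),
        "wow64_chain": wow64_rundll32_chain(events),
        "syswow64_drop": odd_syswow64_drops(events),
    }
    # A crash right after the drop mirrors the WerFault entries in the report's tree.
    droppers = {e["pid"] for e in events
                if e["type"] == "FileCreate" and e["target"] in findings["syswow64_drop"]}
    findings["dropper_crashed"] = sorted(droppers & crashed_pids(events))
    findings["score"] = sum(1 for k in ("known_hash", "temp_dll_ordinal",
                                          "wow64_chain", "syswow64_drop") if findings[k])
    return findings


if __name__ == "__main__":
    for key, value in detect(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The hash match is the weakest of the checks (a repacked sample changes it); the three behavioural checks are what survive, and the benign control event trips none of them.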