Analysis
max time kernel:  151s
max time network: 155s
platform:         windows10-2004_x64
resource:         win10v2004-20220901-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted:        28/11/2022, 05:16
Behavioral task
task:     behavioral1
Sample:   6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe
Resource: win7-20221111-en
Note: the task listed here is behavioral1 on the win7-20221111-en image, but every signature path and memory dump below is prefixed behavioral2/, i.e. they come from the Windows 10 (win10v2004-20220901-en) run described in the Analysis block.
General
Target: 6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe
Size:   438KB
MD5:    edff2cab0b78c2a8fdabc8dbb440d2c3
SHA1:   113e3b0b233c073a44c06a685f68e9400e21efb6
SHA256: 6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1
SHA512: 6a10fb5979b1d66a8461da50ad50f9d73ae1b93d9c9d74be83b97feb52388780bfd290c814bb05707a9374d622ac75d1b2664766db2e399609864945c2f6044a
SSDEEP: 12288:Z1w/VTZZkBi0awczzzd1VCDlYic4HNfIxoS:H+b+i0aDkBceJ
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  yara rule family_blackmoon matched twice on the same image region of PID 516:
    behavioral2/memory/516-132-0x0000000000400000-0x00000000004B8000-memory.dmp
    behavioral2/memory/516-140-0x0000000000400000-0x00000000004B8000-memory.dmp
- Executes dropped EXE (2 IoCs)
    PID 840  svchost.exe
    PID 3256 svchost.exe
- UPX-packed (yara rule upx, 6 IoCs; the signature title is not present in the extracted page)
  dropped files:
    behavioral2/files/0x0001000000022def-134.dat
    behavioral2/files/0x0001000000022def-135.dat
  memory dumps:
    behavioral2/memory/516-132-0x0000000000400000-0x00000000004B8000-memory.dmp
    behavioral2/memory/516-140-0x0000000000400000-0x00000000004B8000-memory.dmp
    behavioral2/memory/840-139-0x0000000000D80000-0x0000000000F7A000-memory.dmp
    behavioral2/memory/840-141-0x0000000000D80000-0x0000000000F7A000-memory.dmp
- Modifies registry class (2 IoCs, both by svchost.exe)
    Key created:     \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{A4FC6719-AFD5-4F8E-8138-B35FA78CD671}
    Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{A4FC6719-AFD5-4F8E-8138-B35FA78CD671}\ = "5291"
  The key lives under the per-user HKCU\Software\Classes hive (no admin rights needed) and under WOW6432Node, so the writer is a 32-bit process on the x64 image; the value written is the key's default value, set to the integer 5291. On a clean system this CLSID should not exist under the user hive, which makes the key a usable host-based indicator for this sample.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
    PID 3256 svchost.exe (60 events)
    PID 840  svchost.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
    Token: SeDebugPrivilege, PID 840 svchost.exe (12 events)
- Suspicious use of WriteProcessMemory (6 IoCs)
    PID 516 (6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe) wrote to memory of PID 840  (procid_target 81), 3 events
    PID 516 (6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe) wrote to memory of PID 3256 (procid_target 82), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe  (PID 516)
   command line: "C:\Users\Admin\AppData\Local\Temp\6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\33196\svchost.exe  (PID 840, child of 516)
      command line: C:\Users\Admin\AppData\Local\Temp\33196\svchost.exe
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Local\Temp\331962\svchost.exe  (PID 3256, child of 516)
      command line: C:\Users\Admin\AppData\Local\Temp\331962\svchost.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Both children are named svchost.exe but run from per-user Temp directories rather than %SystemRoot%\System32 or SysWOW64, and both are written to by the parent before they execute.
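The process tree and the WriteProcessMemory signature above are the two pieces of this report a detection engineer would act on: svchost.exe running from a path other than System32/SysWOW64, and a parent that writes into both of those children. The script below is an added example written for this page, not code from Hatching Triage, and it runs over data copied or reconstructed from the report itself (the WriteProcessMemory text is rebuilt in the report's own layout from the six entries listed). It flags the masquerading children, links them to the writer PID, and also sizes the dumped memory regions named in the yara hits, which is how you notice that the in-memory image of PID 516 (0x400000-0x4B8000) is larger than the 438KB file on disk.

```python
"""Flag svchost.exe masquerading and the parent->child WriteProcessMemory chain
from a Triage report, and size the dumped memory regions.

Sample data below is copied or reconstructed from the report on this page;
nothing is fetched live.
"""
import re
from collections import Counter

# (path, pid) for each process in the report's "Processes" section.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe", 516),
    (r"C:\Users\Admin\AppData\Local\Temp\33196\svchost.exe", 840),
    (r"C:\Users\Admin\AppData\Local\Temp\331962\svchost.exe", 3256),
]

SAMPLE = "6ecdb31dd0eac23b2a8ac03b6dfc0da3fbdda45973243775d037aaf89ac5b8a1.exe"
# The six WriteProcessMemory IoCs, reconstructed in the report's own layout:
# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
WPM_TEXT = " ".join(
    f"PID 516 wrote to memory of {target} 516 {SAMPLE} {procid}"
    for target, procid in [(840, 81)] * 3 + [(3256, 82)] * 3
)

# Memory-dump names from the yara hits: <pid>-<counter>-<start>-<end>-memory.dmp
DUMPS = [
    "516-132-0x0000000000400000-0x00000000004B8000-memory.dmp",
    "840-139-0x0000000000D80000-0x0000000000F7A000-memory.dmp",
]

# The only legitimate on-disk locations for svchost.exe on a stock install.
_LEGIT_SVCHOST = re.compile(
    r"^[a-z]:\\windows\\(system32|syswow64)\\svchost\.exe$", re.IGNORECASE
)
_WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
_DUMP = re.compile(r"^(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def masquerading_svchost(processes):
    """Return pids of processes named svchost.exe running from a non-system path."""
    return [
        pid for path, pid in processes
        if path.lower().endswith("\\svchost.exe") and not _LEGIT_SVCHOST.match(path)
    ]


def parse_wpm(text):
    """Count (writer_pid, target_pid) pairs in the WriteProcessMemory IoC text."""
    return Counter((int(w), int(t)) for w, t, _image, _procid in _WPM.findall(text))


def injection_into_masqueraders(processes, wpm_text):
    """Map each writer pid to the masquerading svchost.exe pids it wrote into."""
    suspects = set(masquerading_svchost(processes))
    chain = {}
    for (writer, target), _count in parse_wpm(wpm_text).items():
        if target in suspects:
            chain.setdefault(writer, []).append(target)
    return {writer: sorted(targets) for writer, targets in chain.items()}


def dump_region_sizes(dumps):
    """Return {pid: size in bytes} of the memory range named in each dump file."""
    sizes = {}
    for name in dumps:
        m = _DUMP.match(name)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            sizes[pid] = end - start
    return sizes


if __name__ == "__main__":
    print("svchost.exe outside System32/SysWOW64:", masquerading_svchost(PROCESSES))
    print("writer -> injected targets:", injection_into_masqueraders(PROCESSES, WPM_TEXT))
    for pid, size in dump_region_sizes(DUMPS).items():
        print(f"pid {pid}: dumped region {size} bytes ({size // 1024} KB)")
```

The path check is deliberately strict (drive letter, Windows\System32 or Windows\SysWOW64, nothing else); a looser rule that only looks for "svchost.exe" outside System32 would miss the SysWOW64 copy and generate noise on 32-bit hosts. The region arithmetic gives 753,664 bytes (736 KB) for PID 516 and 2,072,576 bytes for PID 840, both larger than the 438KB file that was submitted.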
Network
MITRE ATT&CK Matrix
Downloads
The report lists each of the two files below twice with identical hashes; each is shown once here.

File 1
  Filesize: 176KB
  MD5:      5d917c38c107a8a1a51431639721e148
  SHA1:     913e0ae47537d6e023e4bd46cc4e7d9da8bd128f
  SHA256:   04bc5a5b0bbf8e52fa5305df4e7cc87b96b06c8952e43e7ba801f4a34e074ea7
  SHA512:   b476963d93f5cab6ee5c2232af71a7bcbee6a26def69fb12694f6d87106b796d587e70ee619dd149bf5017b1d5f2997babfe8bc04b71c91dd4bf0ed89d09461b

File 2
  Filesize: 328KB
  MD5:      9240869c842b43abde5d9064c0517926
  SHA1:     ef13f9926408f2fc4a225de7b7b0fdf5120008ca
  SHA256:   a89ff31455e29d91ba1320b67bb063bbfb7761011d300f489f886ec2e9b0f2d8
  SHA512:   385b18b8dcc5f77078cf6fb0d76a213439dad6cb5d8c53220eb9d0e92c62c873681cd2aaaabf1ec726096606edef5306c6bd871529b0b8ae00f3b92941e16565