Windows 7 deprecation: Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 20/08/2023, 04:36
Behavioral task: behavioral1
- Sample: a9a6ae77b932e1628624f62af917e2487e1db8d318be8466e0c41adf5c79f0b4.exe
- Resource: win7-20230712-en
General
- Target: a9a6ae77b932e1628624f62af917e2487e1db8d318be8466e0c41adf5c79f0b4.exe
- Size: 7.3MB
- MD5: f80dadc61dd4a914ce96139252df0aba
- SHA1: ad8785e358f14f80083ca386b9505fbfa066c4b4
- SHA256: a9a6ae77b932e1628624f62af917e2487e1db8d318be8466e0c41adf5c79f0b4
- SHA512: 084a10db94dedf772f6ac6b964f13c0279b7fddcaadd69187ca50d994a7a83b143d02d3b5d0cd9c9102b34b5ef7f48a5db355cd97eddfb6e28ae22e3433f963e
- SSDEEP: 196608:H+23b3ntL9L2M8VKXGqIeP3ljBBFNzi3RPKLxhnZKW:H1Xd9L2M8VcIe1jARPKLxhnQW
Malware Config
Signatures
Detect Blackmoon payload 6 IoCs
resource / yara_rule:
- behavioral1/memory/1512-56-0x0000000000400000-0x00000000010C6000-memory.dmp family_blackmoon
- behavioral1/memory/1512-57-0x0000000000400000-0x00000000010C6000-memory.dmp family_blackmoon
- behavioral1/memory/1512-67-0x0000000000400000-0x00000000010C6000-memory.dmp family_blackmoon
- behavioral1/memory/2568-73-0x0000000000400000-0x00000000010C6000-memory.dmp family_blackmoon
- behavioral1/memory/2568-74-0x0000000000400000-0x00000000010C6000-memory.dmp family_blackmoon
- behavioral1/memory/2568-98-0x0000000000400000-0x00000000010C6000-memory.dmp family_blackmoon
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource / yara_rule:
- behavioral1/files/0x00080000000191f1-93.dat acprotect
Executes dropped EXE 4 IoCs
pid / Process:
- 2696 7z.exe
- 2040 7z.exe
- 2648 7z.exe
- 2972 7z.exe
Loads dropped DLL 2 IoCs
pid / Process:
- 2568 mgiibjcj.exe (2 entries)
Themida (yara_rule: themida) 10 IoCs
resource / yara_rule:
- behavioral1/memory/1512-53-0x0000000000400000-0x00000000010C6000-memory.dmp themida
- behavioral1/memory/1512-55-0x0000000000400000-0x00000000010C6000-memory.dmp themida
- behavioral1/memory/1512-56-0x0000000000400000-0x00000000010C6000-memory.dmp themida
- behavioral1/memory/1512-57-0x0000000000400000-0x00000000010C6000-memory.dmp themida
- behavioral1/memory/1512-67-0x0000000000400000-0x00000000010C6000-memory.dmp themida
- behavioral1/memory/2568-71-0x0000000000400000-0x00000000010C6000-memory.dmp themida
- behavioral1/memory/2568-72-0x0000000000400000-0x00000000010C6000-memory.dmp themida
- behavioral1/memory/2568-73-0x0000000000400000-0x00000000010C6000-memory.dmp themida
- behavioral1/memory/2568-74-0x0000000000400000-0x00000000010C6000-memory.dmp themida
- behavioral1/memory/2568-98-0x0000000000400000-0x00000000010C6000-memory.dmp themida
UPX (yara_rule: upx) 15 IoCs
resource / yara_rule:
- behavioral1/memory/1512-58-0x0000000010000000-0x000000001011B000-memory.dmp upx
- behavioral1/memory/1512-63-0x0000000010000000-0x000000001011B000-memory.dmp upx
- behavioral1/memory/1512-62-0x0000000010000000-0x000000001011B000-memory.dmp upx
- behavioral1/memory/1512-64-0x0000000010000000-0x000000001011B000-memory.dmp upx
- behavioral1/memory/1512-70-0x0000000010000000-0x000000001011B000-memory.dmp upx
- behavioral1/memory/2568-81-0x0000000010000000-0x000000001011B000-memory.dmp upx
- behavioral1/files/0x00080000000191f1-93.dat upx
- behavioral1/memory/2568-96-0x0000000073980000-0x0000000073DDF000-memory.dmp upx
- behavioral1/memory/2568-99-0x0000000010000000-0x000000001011B000-memory.dmp upx
- behavioral1/memory/2568-102-0x0000000073980000-0x0000000073DDF000-memory.dmp upx
- behavioral1/memory/2568-158-0x0000000010000000-0x000000001011B000-memory.dmp upx
- behavioral1/memory/2568-218-0x0000000010000000-0x000000001011B000-memory.dmp upx
- behavioral1/memory/2568-233-0x0000000010000000-0x000000001011B000-memory.dmp upx
- behavioral1/memory/2568-238-0x0000000010000000-0x000000001011B000-memory.dmp upx
- behavioral1/memory/2568-815-0x0000000010000000-0x000000001011B000-memory.dmp upx
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid / Process:
- 1512 a9a6ae77b932e1628624f62af917e2487e1db8d318be8466e0c41adf5c79f0b4.exe
- 2568 mgiibjcj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process:
- 1512 a9a6ae77b932e1628624f62af917e2487e1db8d318be8466e0c41adf5c79f0b4.exe (1 entry)
- 2568 mgiibjcj.exe (63 entries)
Suspicious behavior: RenamesItself 2 IoCs
pid / Process:
- 1512 a9a6ae77b932e1628624f62af917e2487e1db8d318be8466e0c41adf5c79f0b4.exe
- 2568 mgiibjcj.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description / pid / Process:
- Token: SeDebugPrivilege, 2568 mgiibjcj.exe (48 entries)
- Token: SeRestorePrivilege, 2696 7z.exe
- Token: 35, 2696 7z.exe
- Token: SeSecurityPrivilege, 2696 7z.exe (2 entries)
- Token: SeRestorePrivilege, 2040 7z.exe
- Token: 35, 2040 7z.exe
- Token: SeSecurityPrivilege, 2040 7z.exe (2 entries)
- Token: SeRestorePrivilege, 2648 7z.exe
- Token: 35, 2648 7z.exe
- Token: SeSecurityPrivilege, 2648 7z.exe (2 entries)
- Token: SeRestorePrivilege, 2972 7z.exe
- Token: 35, 2972 7z.exe
- Token: SeSecurityPrivilege, 2972 7z.exe (2 entries)
Suspicious use of SetWindowsHookEx 5 IoCs
pid / Process:
- 1512 a9a6ae77b932e1628624f62af917e2487e1db8d318be8466e0c41adf5c79f0b4.exe (2 entries)
- 2568 mgiibjcj.exe (3 entries)
Suspicious use of WriteProcessMemory 20 IoCs
description / pid / Process / procid_target:
- PID 1512 wrote to memory of 2568, 1512 a9a6ae77b932e1628624f62af917e2487e1db8d318be8466e0c41adf5c79f0b4.exe, procid_target 28 (4 entries)
- PID 2568 wrote to memory of 2696, 2568 mgiibjcj.exe, procid_target 33 (4 entries)
- PID 2568 wrote to memory of 2040, 2568 mgiibjcj.exe, procid_target 35 (4 entries)
- PID 2568 wrote to memory of 2648, 2568 mgiibjcj.exe, procid_target 39 (4 entries)
- PID 2568 wrote to memory of 2972, 2568 mgiibjcj.exe, procid_target 38 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\a9a6ae77b932e1628624f62af917e2487e1db8d318be8466e0c41adf5c79f0b4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9a6ae77b932e1628624f62af917e2487e1db8d318be8466e0c41adf5c79f0b4.exe"
  PID: 1512
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\Documents\BinGo\mgiibjcj.exe (depth 2)
    Command line: "C:\Users\Admin\Documents\BinGo\mgiibjcj.exe" rest
    PID: 2568
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Documents\BinGo\runes\7z.exe (depth 3)
      Command line: C:\Users\Admin\Documents\BinGo\runes\7z.exe x "C:\Users\Admin\Documents\BinGo\runes\\13.16.1-v1692500306000.tgz" -y -p -o"C:\Users\Admin\Documents\BinGo\runes\"
      PID: 2696
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\Documents\BinGo\runes\7z.exe (depth 3)
      Command line: C:\Users\Admin\Documents\BinGo\runes\7z.exe x "C:\Users\Admin\Documents\BinGo\runes\\13.16.1-v1692500306000.tar" -y -p -o"C:\Users\Admin\Documents\BinGo\runes\"
      PID: 2040
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\Documents\BinGo\runes\7z.exe (depth 3)
      Command line: C:\Users\Admin\Documents\BinGo\runes\7z.exe x "C:\Users\Admin\Documents\BinGo\runes\\13.16.1-v1692500306000.tar" -y -p -o"C:\Users\Admin\Documents\BinGo\runes\"
      PID: 2972
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\Documents\BinGo\runes\7z.exe (depth 3)
      Command line: C:\Users\Admin\Documents\BinGo\runes\7z.exe x "C:\Users\Admin\Documents\BinGo\runes\\13.16.1-v1692500306000.tgz" -y -p -o"C:\Users\Admin\Documents\BinGo\runes\"
      PID: 2648
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads