Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

ba1bae585d...c5.dll

windows7-x64

10

ba1bae585d...c5.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/09/2023, 14:34 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba1bae585d31cc86d1ac1b36b6022ad97b6af45922c8edf609e0ce656090a5c5.dll

  • Size

    2.6MB

  • MD5

    1efe4082d5b71e8dbfb6f82f18174770

  • SHA1

    1deb9b094611a1ce8d674de8fd084f75fddd7442

  • SHA256

    ba1bae585d31cc86d1ac1b36b6022ad97b6af45922c8edf609e0ce656090a5c5

  • SHA512

    0ecf85655ddecb499c8e560fbc362199ac1e81c5960e966fb7b30ce6b54f5434d5c1188e20bf761254500b62639747c001f9169f8ac30fb956e9b46c2993485b

  • SSDEEP

    49152:ueFQHevutBDJbCBW6YmSPeZwB0Vd1KscNL218oNdHHt6ZMczoOUTw9UwU/I+eLRh:uee+vutFBCBW6tZwBu1KsiL218edn0+Z

Score
10/10
blackmoonbankerpersistencetrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba1bae585d31cc86d1ac1b36b6022ad97b6af45922c8edf609e0ce656090a5c5.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba1bae585d31cc86d1ac1b36b6022ad97b6af45922c8edf609e0ce656090a5c5.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4988

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.a-0001.a-msedge.net
    g-bing-com.a-0001.a-msedge.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fea4abcea7554cc4ae680d26c30b3f8f&localId=w:72CCEFCF-1E8B-80FF-8FEE-BB12795B20EA&deviceId=6966549482693208&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fea4abcea7554cc4ae680d26c30b3f8f&localId=w:72CCEFCF-1E8B-80FF-8FEE-BB12795B20EA&deviceId=6966549482693208&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=3D40F853643D6D5A06FEEBD165976C30; domain=.bing.com; expires=Sat, 28-Sep-2024 14:34:30 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: EEFE673F235140048EC9976B458C6C95 Ref B: DUS30EDGE0817 Ref C: 2023-09-04T14:34:30Z
    date: Mon, 04 Sep 2023 14:34:30 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fea4abcea7554cc4ae680d26c30b3f8f&localId=w:72CCEFCF-1E8B-80FF-8FEE-BB12795B20EA&deviceId=6966549482693208&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fea4abcea7554cc4ae680d26c30b3f8f&localId=w:72CCEFCF-1E8B-80FF-8FEE-BB12795B20EA&deviceId=6966549482693208&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3D40F853643D6D5A06FEEBD165976C30
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9A3E49E740B847E4BEECE39172115EF8 Ref B: DUS30EDGE0817 Ref C: 2023-09-04T14:34:30Z
    date: Mon, 04 Sep 2023 14:34:30 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fea4abcea7554cc4ae680d26c30b3f8f&localId=w:72CCEFCF-1E8B-80FF-8FEE-BB12795B20EA&deviceId=6966549482693208&anid=
    Remote address:
    204.79.197.200:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fea4abcea7554cc4ae680d26c30b3f8f&localId=w:72CCEFCF-1E8B-80FF-8FEE-BB12795B20EA&deviceId=6966549482693208&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3D40F853643D6D5A06FEEBD165976C30
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F2BB102BDE174E3B9634BD0CCC1B2554 Ref B: DUS30EDGE0817 Ref C: 2023-09-04T14:34:30Z
    date: Mon, 04 Sep 2023 14:34:30 GMT
  • flag-us
    DNS
    136.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001a-msedgenet
  • flag-us
    DNS
    105.145.253.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.145.253.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.1.85.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.1.85.104.in-addr.arpa
    IN PTR
    Response
    198.1.85.104.in-addr.arpa
    IN PTR
    a104-85-1-198deploystaticakamaitechnologiescom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    60.44.125.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    60.44.125.45.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    4.ipw.cn
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    4.ipw.cn
    IN A
    Response
    4.ipw.cn
    IN A
    114.132.191.12
  • flag-cn
    GET
    http://4.ipw.cn/api/ip/myip
    rundll32.exe
    Remote address:
    114.132.191.12:80
    Request
    GET /api/ip/myip HTTP/1.1
    Connection: Keep-Alive
    User-Agent: curl/7.83.1
    Host: 4.ipw.cn
    Response
    HTTP/1.1 200 OK
    Date: Mon, 04 Sep 2023 14:34:37 GMT
    Content-Type: application/json;charset=UTF-8
    Content-Length: 12
    Connection: keep-alive
    Access-Control-Allow-Origin: https://ipw.cn
  • flag-us
    DNS
    12.191.132.114.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    12.191.132.114.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    113.208.253.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    113.208.253.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fea4abcea7554cc4ae680d26c30b3f8f&localId=w:72CCEFCF-1E8B-80FF-8FEE-BB12795B20EA&deviceId=6966549482693208&anid=
    tls, http2
    1.9kB
     9.3kB
     22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fea4abcea7554cc4ae680d26c30b3f8f&localId=w:72CCEFCF-1E8B-80FF-8FEE-BB12795B20EA&deviceId=6966549482693208&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fea4abcea7554cc4ae680d26c30b3f8f&localId=w:72CCEFCF-1E8B-80FF-8FEE-BB12795B20EA&deviceId=6966549482693208&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fea4abcea7554cc4ae680d26c30b3f8f&localId=w:72CCEFCF-1E8B-80FF-8FEE-BB12795B20EA&deviceId=6966549482693208&anid=

    HTTP Response

    204
  • 45.125.44.60:5777
    rundll32.exe
    1.8kB
     600 B
     17
    14
  • 114.132.191.12:80
    http://4.ipw.cn/api/ip/myip
    http
    rundll32.exe
    370 B
     415 B
     6
    5

    HTTP Request

    GET http://4.ipw.cn/api/ip/myip

    HTTP Response

    200
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     158 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    136.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    136.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
     106 B
     1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    105.145.253.8.in-addr.arpa
    dns
    72 B
     126 B
     1
    1

    DNS Request

    105.145.253.8.in-addr.arpa

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    198.1.85.104.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    198.1.85.104.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    60.44.125.45.in-addr.arpa
    dns
    71 B
     125 B
     1
    1

    DNS Request

    60.44.125.45.in-addr.arpa

  • 8.8.8.8:53
    4.ipw.cn
    dns
    rundll32.exe
    54 B
     70 B
     1
    1

    DNS Request

    4.ipw.cn

    DNS Response

    114.132.191.12

  • 8.8.8.8:53
    12.191.132.114.in-addr.arpa
    dns
    73 B
     130 B
     1
    1

    DNS Request

    12.191.132.114.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    113.208.253.8.in-addr.arpa
    dns
    72 B
     126 B
     1
    1

    DNS Request

    113.208.253.8.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    14.173.189.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4988-0-0x0000000074DD0000-0x00000000752CD000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4988-1-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-4-0x0000000002710000-0x0000000002735000-memory.dmp

    Filesize

    148KB

    Download

  • memory/4988-8-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-9-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-10-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-11-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-12-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-13-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-14-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-15-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-16-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-18-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-17-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-19-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-20-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-21-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-22-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-23-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-24-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-25-0x0000000010000000-0x00000000101AD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4988-26-0x0000000074DD0000-0x00000000752CD000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4988-38-0x0000000074DD0000-0x00000000752CD000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4988-39-0x0000000074DD0000-0x00000000752CD000-memory.dmp

    Filesize

    5.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.