Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/01/2024, 01:41

General

  • Target

    64c2e949a2f92c4f458ea1e18ef0829b.exe

  • Size

    2.0MB

  • MD5

    64c2e949a2f92c4f458ea1e18ef0829b

  • SHA1

    5274af76387950b897e4cd1fd9f8cf69755dd05e

  • SHA256

    6d7eee0253c4fb6bdd946c309f3db823a348b1cdc9dcb2bd3f2412b30eb9590f

  • SHA512

    6b52f421f8f03402d012cc185547e26ee5e562b18bdc42cf81e80e6a5463ac57383e1d11099770057149c0a6477564b20efb39960e0f1a44b7ebe9e6e89e8b29

  • SSDEEP

    24576:bSH25PwcN2jx23LdZNtWFKVsIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECl:blDoOTNtGKOIvfuRVy/Pur2Mgl

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64c2e949a2f92c4f458ea1e18ef0829b.exe
    "C:\Users\Admin\AppData\Local\Temp\64c2e949a2f92c4f458ea1e18ef0829b.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ippatch.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1000
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ipsee.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:908
    • C:\Users\Admin\AppData\Roaming\ippatch.exe
      "C:\Users\Admin\AppData\Roaming\ippatch.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im ipsee.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3264
      • C:\Users\Admin\AppData\Roaming\ipsee.exe
        "C:\Users\Admin\AppData\Roaming\ipsee.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4892
    • C:\Users\Admin\AppData\Roaming\ippatch.exe
      "C:\Users\Admin\AppData\Roaming\ippatch.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetWindowsHookEx
      PID:1960
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • Kills process with taskkill
      PID:3576
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3592
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • Kills process with taskkill
      PID:1200
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3776
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • Kills process with taskkill
      PID:4636
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3636
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • Kills process with taskkill
      PID:3456
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ .EXE /f
      2⤵
      • Kills process with taskkill
      PID:4028
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im QQ.EXE /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\RCXDB5E.tmp

    Filesize

    868KB

    MD5

    7af7c62d50dec501bfc58e901c2bbbd8

    SHA1

    eb3f934e1a945f99a2d6a236a3121afb79b3a62f

    SHA256

    92ed44ca0b55f08046c95851af3cbeacacf11e83266fec7f57553084e00fdaa3

    SHA512

    b8a06aab4271e8f7c9a9b1e82a8eef485834f4faee15d020d51217a5d552ef07b6b8dcfb14a6c9974ca22ba8957db199c0190ebbcc79cae2eb6a02042bc2f7f5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk

    Filesize

    771B

    MD5

    dc3680bf14b0a5fd30028468e4d25ff7

    SHA1

    8b9ff1998c8f6b6e3d9dfd5d9f21f6e840758504

    SHA256

    d10eb01b3025a6e516254283643256de86f90d7ab94ddfe348d1a5981e7704a3

    SHA512

    f0b7b0f4e54c5163d5c022976f5ead7b4e06decec704c88f93c555553ead5c6f87a2a1ccd6997a4b5d0896a021d752c1700403e32d8d6ed2611962adfb546a56

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yhxx.dll

    Filesize

    154B

    MD5

    40b80bda339faae4739d77caa3ebd0eb

    SHA1

    54e11813769d714dbf3153ec6f2620b919a00fca

    SHA256

    c551be73cdf086d8b11a4b92910c939cec35e1a8805ee3099b18c5a26f14aff3

    SHA512

    ab087ef1fb1a60772dcd091dc45a47d5b3f5f17f3aa6ae0f1293983b4015a7b1217e69bea95d6f3e4085962f8ef3ca3f529e76d083ab805648aa1bb76480e376

  • C:\Users\Admin\AppData\Roaming\RCXD18A.tmp

    Filesize

    2.0MB

    MD5

    5a02df66de9f06f1c663f4de15e4cf76

    SHA1

    351ed739292d7dd8c625960208686fc7a31a565c

    SHA256

    f61cbb8e4c5afa716af3b5f63827d30bd6f1db0c2b75199df9a2ad351470686d

    SHA512

    e74a88ccbf537b8fd688925526896da63d0e8d4cdd049ad04a40df410a4747200aa35279dc0393a28b541371d04828b7e3e92541ee176586093fb55555b680dd

  • C:\Users\Admin\AppData\Roaming\mydll.dll

    Filesize

    256KB

    MD5

    74769dd065370932047c9d1857e7c17a

    SHA1

    1ec56e2ad227f47b1314a5497776ec992b927873

    SHA256

    1df3bfbe43b5f7503e2a6144f588f67186f0e734b62cb8282fae469971e41aac

    SHA512

    c04515d0887dc92c8a26c6480ee9a800a0bbb98dca90f680532c2e75aefe4ff3348709eacee7dc9d90663eabdb710523993d2b56ff2a91777acb8d31c9eb302a

  • C:\Users\Admin\AppData\Roaming\mydll.dll

    Filesize

    256KB

    MD5

    28fc9f34712a112403dcf2e20409b934

    SHA1

    6cb9a8accf922f056f048c533e00193506b4e9bf

    SHA256

    2f1f9a34716ac06c8b820c7bdc11362e45edbd5e2e1b7eb47f8bcf0813d118ae

    SHA512

    c2dd346f2bf5730747acdfb9cb011e3b702cdfc0d4332ef2fc45b406821afff6a6906090ed78e816fb737c0b0309b3fe4e60b9fdc8d7fad9087be5888d6e227e

  • C:\Users\Admin\AppData\Roaming\mydll.dll

    Filesize

    256KB

    MD5

    a9898e8a6837513918a139b3db7d1814

    SHA1

    879e897fa85cee1b289f132e50a2694a1b6f0f6c

    SHA256

    4eaf4dbc1563c05f7363d8fb5e5a0d27828f46a5d882d9b0148bb45239ffe2a5

    SHA512

    3f51d05669f04475578b7a4e87cebdd98946c25c4d3bcd98267eb65423b00ed64bd05e5c7c8001dae9f9b4a098dc45854f9c81a318fadc297a2a2173e3981f34