Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  Max time kernel:   152s
  Max time network:  156s
  Platform:          windows10-2004_x64
  Resource:          win10v2004-20231215-en
  Resource tags:     arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:         25/01/2024, 01:41
Behavioral tasks
  behavioral1   Sample: 64c2e949a2f92c4f458ea1e18ef0829b.exe   Resource: win7-20231215-en
  behavioral2   Sample: 64c2e949a2f92c4f458ea1e18ef0829b.exe   Resource: win10v2004-20231215-en
General
  Target:   64c2e949a2f92c4f458ea1e18ef0829b.exe
  Size:     2.0MB
  MD5:      64c2e949a2f92c4f458ea1e18ef0829b
  SHA1:     5274af76387950b897e4cd1fd9f8cf69755dd05e
  SHA256:   6d7eee0253c4fb6bdd946c309f3db823a348b1cdc9dcb2bd3f2412b30eb9590f
  SHA512:   6b52f421f8f03402d012cc185547e26ee5e562b18bdc42cf81e80e6a5463ac57383e1d11099770057149c0a6477564b20efb39960e0f1a44b7ebe9e6e89e8b29
  SSDEEP:   24576:bSH25PwcN2jx23LdZNtWFKVsIdaY5VFt1LuqJhDqGFeyUQPurCD8JYjSK5ECl:blDoOTNtGKOIvfuRVy/Pur2Mgl
Malware Config
Signatures
Detect Blackmoon payload (4 IoCs)
  resource                                       yara_rule
  behavioral2/files/0x0002000000022775-5.dat     family_blackmoon
  behavioral2/files/0x000900000002303e-19.dat    family_blackmoon
  behavioral2/files/0x0002000000022775-41.dat    family_blackmoon
  behavioral2/files/0x0002000000022775-83.dat    family_blackmoon
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description         ioc                                                                                                    Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation   ippatch.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation   64c2e949a2f92c4f458ea1e18ef0829b.exe
Drops startup file (4 IoCs)
  description                    ioc                                                                                      Process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk   ippatch.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk        ipsee.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\360tray.lnk   ippatch.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IP.lnk        ipsee.exe
Executes dropped EXE (3 IoCs)
  pid    Process
  3716   ippatch.exe
  4892   ipsee.exe
  1960   ippatch.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 3 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  The IoC is a raw-disk handle opened for modification (\??\PhysicalDrive0, whose sector 0 is the MBR); the report does not show which sectors were written, so confirming an actual bootkit install means dumping sector 0 from the analysis disk and comparing it with a clean image.
  description                    ioc                   Process
  File opened for modification   \??\PhysicalDrive0    64c2e949a2f92c4f458ea1e18ef0829b.exe
  File opened for modification   \??\PhysicalDrive0    ippatch.exe
  File opened for modification   \??\PhysicalDrive0    ippatch.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (13 IoCs)
  pid    Process
  3264   taskkill.exe
  3776   taskkill.exe
  3592   taskkill.exe
  1200   taskkill.exe
  3636   taskkill.exe
  4028   taskkill.exe
  3576   taskkill.exe
  4636   taskkill.exe
  3456   taskkill.exe
  2488   taskkill.exe
  1452   taskkill.exe
  1000   taskkill.exe
  908    taskkill.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process                                 events
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    12
  3716   ippatch.exe                             48
  4892   ipsee.exe                               4
Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   1000   taskkill.exe
  Token: SeDebugPrivilege   908    taskkill.exe
  Token: SeDebugPrivilege   3264   taskkill.exe
  Token: SeDebugPrivilege   3592   taskkill.exe
  Token: SeDebugPrivilege   3776   taskkill.exe
  Token: SeDebugPrivilege   3636   taskkill.exe
  Token: SeDebugPrivilege   2488   taskkill.exe
  Token: SeDebugPrivilege   1452   taskkill.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
  pid    Process                                 events
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    2
  3716   ippatch.exe                             2
  4892   ipsee.exe                               2
  1960   ippatch.exe                             2
Suspicious use of WriteProcessMemory (48 IoCs)
  Each (pid, target) pair below accounts for three writes in the sandbox output.
  pid    Process                                 wrote to memory of   procid_target   writes
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    1000                 89              3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    908                  90              3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    3716                 94              3
  3716   ippatch.exe                             3264                 95              3
  3716   ippatch.exe                             4892                 97              3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    1960                 98              3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    3592                 100             3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    3576                 99              3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    3776                 105             3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    1200                 103             3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    3636                 108             3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    4636                 107             3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    2488                 114             3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    3456                 111             3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    1452                 116             3
  4648   64c2e949a2f92c4f458ea1e18ef0829b.exe    4028                 115             3
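The signatures above (geofence lookup, raw-disk open, Startup-folder .lnk drop, forced taskkill with SeDebugPrivilege) can be reproduced as a small rule set. The Python below is an added example and not tria.ge code: the Event record and its event kinds are this example's own assumptions, the events are constructed from the IoC rows on this page, and the rules are applied to them. It also tokenizes the taskkill command lines the way the process receives them, so `taskkill /im QQ .EXE /f` yields an image name of `QQ` rather than `QQ .EXE`; in the report those five instances are the ones that carry no AdjustPrivilegeToken signature, while the `QQ.EXE` instances do.

```python
"""Behavioural signature rules over sandbox-style events (added example, not tria.ge code).
The Event type and its `kind` values are assumptions made for this example."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    kind: str    # assumed kinds: reg_query | file_create | file_open | proc_start | token
    target: str  # registry value path, file path, command line, or privilege name


# Registry value holding the configured country (GeoID); queried by both samples here.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# \??\PhysicalDrive0 (NT form) or \\.\PhysicalDrive0 (Win32 form): a raw disk handle,
# whose sector 0 is the MBR. Opening it for modification is the report's MBR indicator.
PHYSICAL_DRIVE = re.compile(r"^(?:\\\?\?|\\\\\.)\\PhysicalDrive\d+$", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def parse_taskkill(cmdline):
    """Return (image, forced) for a 'taskkill /im <image> /f' command line, else None.
    Whitespace splitting mirrors the argv taskkill receives, so
    'taskkill /im QQ .EXE /f' gives image 'QQ' and a stray '.EXE' argument."""
    tokens = cmdline.split()
    if not tokens or tokens[0].lower() not in ("taskkill", "taskkill.exe"):
        return None
    lowered = [t.lower() for t in tokens]
    if "/im" not in lowered or lowered.index("/im") + 1 >= len(tokens):
        return None
    image = tokens[lowered.index("/im") + 1]
    return image, "/f" in lowered


def classify(ev):
    """Signature names triggered by one event (possibly none)."""
    hits = set()
    if ev.kind == "reg_query" and GEO_NATION.search(ev.target):
        hits.add("checks_location_settings")
    if ev.kind == "file_open" and PHYSICAL_DRIVE.match(ev.target):
        hits.add("writes_mbr")
    if ev.kind in ("file_create", "file_open") and STARTUP_LNK.search(ev.target):
        hits.add("drops_startup_file")
    if ev.kind == "proc_start":
        tk = parse_taskkill(ev.target)
        if tk and tk[1]:
            hits.add("kills_process_with_taskkill")
    if ev.kind == "token" and ev.target.lower() == "sedebugprivilege":
        hits.add("adjust_privilege_token")
    return hits


def summarize(events):
    """Sorted signature names per (pid, process), like the report's per-process list."""
    out = {}
    for ev in events:
        out.setdefault((ev.pid, ev.process), set()).update(classify(ev))
    return {k: sorted(v) for k, v in out.items() if v}


def kill_list(events):
    """Distinct image names passed to taskkill /im, lowercased, in first-seen order."""
    seen = []
    for ev in events:
        if ev.kind != "proc_start":
            continue
        tk = parse_taskkill(ev.target)
        if tk and tk[0].lower() not in seen:
            seen.append(tk[0].lower())
    return seen


# Events constructed from the IoC rows in this report; not a sandbox export.
SAMPLE = "64c2e949a2f92c4f458ea1e18ef0829b.exe"
SID = r"\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    Event(4648, SAMPLE, "reg_query", SID + r"\Control Panel\International\Geo\Nation"),
    Event(4648, SAMPLE, "file_open", r"\??\PhysicalDrive0"),
    Event(4648, SAMPLE, "proc_start", SAMPLE),
    Event(1000, "taskkill.exe", "proc_start", "taskkill /im ippatch.exe /f"),
    Event(1000, "taskkill.exe", "token", "SeDebugPrivilege"),
    Event(908, "taskkill.exe", "proc_start", "taskkill /im ipsee.exe /f"),
    Event(908, "taskkill.exe", "token", "SeDebugPrivilege"),
    Event(3716, "ippatch.exe", "reg_query", SID + r"\Control Panel\International\Geo\Nation"),
    Event(3716, "ippatch.exe", "file_create", STARTUP + r"\360tray.lnk"),
    Event(3716, "ippatch.exe", "file_open", r"\??\PhysicalDrive0"),
    Event(4892, "ipsee.exe", "file_create", STARTUP + r"\IP.lnk"),
    Event(3576, "taskkill.exe", "proc_start", "taskkill /im QQ .EXE /f"),
    Event(3592, "taskkill.exe", "proc_start", "taskkill /im QQ.EXE /f"),
    Event(3592, "taskkill.exe", "token", "SeDebugPrivilege"),
]

if __name__ == "__main__":
    for key, sigs in summarize(EVENTS).items():
        print(key, sigs)
    print("taskkill targets:", kill_list(EVENTS))
```

The startup link is named `360tray.lnk`; 360tray.exe is the tray process of Qihoo 360 security products, so the name blends in with a common Chinese endpoint product, though this report does not show where the link points. The rules here fire on the same evidence the sandbox reports: a handle to PhysicalDrive0 opened for modification is an indicator of an MBR write, not proof of one.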
Processes
[1] C:\Users\Admin\AppData\Local\Temp\64c2e949a2f92c4f458ea1e18ef0829b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\64c2e949a2f92c4f458ea1e18ef0829b.exe"
    PID: 4648
    - Checks computer location settings
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im ippatch.exe /f
      PID: 1000
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im ipsee.exe /f
      PID: 908
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Roaming\ippatch.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ippatch.exe"
      PID: 3716
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /im ipsee.exe /f
        PID: 3264
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Roaming\ipsee.exe
        Command line: "C:\Users\Admin\AppData\Roaming\ipsee.exe"
        PID: 4892
        - Drops startup file
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\AppData\Roaming\ippatch.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ippatch.exe"
      PID: 1960
      - Drops startup file
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im QQ .EXE /f
      PID: 3576
      - Kills process with taskkill
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im QQ.EXE /f
      PID: 3592
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im QQ .EXE /f
      PID: 1200
      - Kills process with taskkill
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im QQ.EXE /f
      PID: 3776
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im QQ .EXE /f
      PID: 4636
      - Kills process with taskkill
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im QQ.EXE /f
      PID: 3636
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im QQ .EXE /f
      PID: 3456
      - Kills process with taskkill
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im QQ.EXE /f
      PID: 2488
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im QQ .EXE /f
      PID: 4028
      - Kills process with taskkill
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im QQ.EXE /f
      PID: 1452
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
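Read together with the WriteProcessMemory rows, the process tree shows that every "wrote to memory of" target is a process the writer itself launched, three writes each, which is the footprint of CreateProcess setting up a new child rather than injection into an unrelated process. The Python below is an added example, not tria.ge code: it parses a subset of those rows copied verbatim from this report, rebuilds the tree from the parent relation the tree section gives, and flags any write whose target the writer did not create. One constructed row, marked as such, exercises that check; the report itself contains no such write.

```python
"""Rebuild the process tree from 'wrote to memory of' rows and separate CreateProcess
set-up writes from writes into processes the writer did not create.
Added example built on rows copied from this report plus one constructed row; not tria.ge code."""
import re
from collections import Counter

# Row shape in the report: PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Subset of the WriteProcessMemory rows in this report, copied verbatim. Each new
# child appears three times: three writes by the process that created it.
REPORT_ROWS = """
PID 4648 wrote to memory of 1000 4648 64c2e949a2f92c4f458ea1e18ef0829b.exe 89
PID 4648 wrote to memory of 1000 4648 64c2e949a2f92c4f458ea1e18ef0829b.exe 89
PID 4648 wrote to memory of 1000 4648 64c2e949a2f92c4f458ea1e18ef0829b.exe 89
PID 4648 wrote to memory of 3716 4648 64c2e949a2f92c4f458ea1e18ef0829b.exe 94
PID 4648 wrote to memory of 3716 4648 64c2e949a2f92c4f458ea1e18ef0829b.exe 94
PID 4648 wrote to memory of 3716 4648 64c2e949a2f92c4f458ea1e18ef0829b.exe 94
PID 3716 wrote to memory of 3264 3716 ippatch.exe 95
PID 3716 wrote to memory of 3264 3716 ippatch.exe 95
PID 3716 wrote to memory of 3264 3716 ippatch.exe 95
PID 3716 wrote to memory of 4892 3716 ippatch.exe 97
PID 3716 wrote to memory of 4892 3716 ippatch.exe 97
PID 3716 wrote to memory of 4892 3716 ippatch.exe 97
PID 4648 wrote to memory of 1960 4648 64c2e949a2f92c4f458ea1e18ef0829b.exe 98
PID 4648 wrote to memory of 1960 4648 64c2e949a2f92c4f458ea1e18ef0829b.exe 98
PID 4648 wrote to memory of 1960 4648 64c2e949a2f92c4f458ea1e18ef0829b.exe 98
"""

# Constructed row, NOT in the report: ippatch.exe writing into its own parent.
CONSTRUCTED_ROW = "PID 3716 wrote to memory of 4648 3716 ippatch.exe 999"

# Parent relation and image names from the report's process tree (same subset).
PARENTS = {1000: 4648, 3716: 4648, 1960: 4648, 3264: 3716, 4892: 3716}
NAMES = {4648: "64c2e949a2f92c4f458ea1e18ef0829b.exe", 1000: "taskkill.exe",
         3716: "ippatch.exe", 1960: "ippatch.exe", 3264: "taskkill.exe",
         4892: "ipsee.exe"}


def parse_rows(text):
    """(writer_pid, target_pid, writer_image) per well-formed row; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(4)))
    return out


def edge_counts(rows):
    """Number of writes per (writer, target) pair."""
    return Counter((src, dst) for src, dst, _ in rows)


def foreign_writes(rows, parents):
    """(writer, target) pairs where the writer is not the target's creator.
    A creator writing into a child it has just spawned is expected CreateProcess
    behaviour; anything else deserves a closer look as possible injection."""
    return sorted({(src, dst) for src, dst, _ in rows if parents.get(dst) != src})


def render_tree(parents, names, root):
    """Indented listing of the tree under `root`, children in PID order."""
    children = {}
    for child, parent in parents.items():
        children.setdefault(parent, []).append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names.get(pid, '?')} (PID {pid})")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    print("\n".join(render_tree(PARENTS, NAMES, 4648)))
    print("writes per edge:", dict(edge_counts(rows)))
    print("foreign writes (report rows):", foreign_writes(rows, PARENTS))
    print("foreign writes (+constructed row):",
          foreign_writes(rows + parse_rows(CONSTRUCTED_ROW), PARENTS))
```

The parent relation is taken from the tree rather than inferred from the rows themselves; inferring it from "first writer wins" would let an injecting process masquerade as a creator, which is exactly the case the check exists to catch.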
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize:  868KB
  MD5:       7af7c62d50dec501bfc58e901c2bbbd8
  SHA1:      eb3f934e1a945f99a2d6a236a3121afb79b3a62f
  SHA256:    92ed44ca0b55f08046c95851af3cbeacacf11e83266fec7f57553084e00fdaa3
  SHA512:    b8a06aab4271e8f7c9a9b1e82a8eef485834f4faee15d020d51217a5d552ef07b6b8dcfb14a6c9974ca22ba8957db199c0190ebbcc79cae2eb6a02042bc2f7f5

  Filesize:  771B
  MD5:       dc3680bf14b0a5fd30028468e4d25ff7
  SHA1:      8b9ff1998c8f6b6e3d9dfd5d9f21f6e840758504
  SHA256:    d10eb01b3025a6e516254283643256de86f90d7ab94ddfe348d1a5981e7704a3
  SHA512:    f0b7b0f4e54c5163d5c022976f5ead7b4e06decec704c88f93c555553ead5c6f87a2a1ccd6997a4b5d0896a021d752c1700403e32d8d6ed2611962adfb546a56

  Filesize:  154B
  MD5:       40b80bda339faae4739d77caa3ebd0eb
  SHA1:      54e11813769d714dbf3153ec6f2620b919a00fca
  SHA256:    c551be73cdf086d8b11a4b92910c939cec35e1a8805ee3099b18c5a26f14aff3
  SHA512:    ab087ef1fb1a60772dcd091dc45a47d5b3f5f17f3aa6ae0f1293983b4015a7b1217e69bea95d6f3e4085962f8ef3ca3f529e76d083ab805648aa1bb76480e376

  Filesize:  2.0MB
  MD5:       5a02df66de9f06f1c663f4de15e4cf76
  SHA1:      351ed739292d7dd8c625960208686fc7a31a565c
  SHA256:    f61cbb8e4c5afa716af3b5f63827d30bd6f1db0c2b75199df9a2ad351470686d
  SHA512:    e74a88ccbf537b8fd688925526896da63d0e8d4cdd049ad04a40df410a4747200aa35279dc0393a28b541371d04828b7e3e92541ee176586093fb55555b680dd

  Filesize:  256KB
  MD5:       74769dd065370932047c9d1857e7c17a
  SHA1:      1ec56e2ad227f47b1314a5497776ec992b927873
  SHA256:    1df3bfbe43b5f7503e2a6144f588f67186f0e734b62cb8282fae469971e41aac
  SHA512:    c04515d0887dc92c8a26c6480ee9a800a0bbb98dca90f680532c2e75aefe4ff3348709eacee7dc9d90663eabdb710523993d2b56ff2a91777acb8d31c9eb302a

  Filesize:  256KB
  MD5:       28fc9f34712a112403dcf2e20409b934
  SHA1:      6cb9a8accf922f056f048c533e00193506b4e9bf
  SHA256:    2f1f9a34716ac06c8b820c7bdc11362e45edbd5e2e1b7eb47f8bcf0813d118ae
  SHA512:    c2dd346f2bf5730747acdfb9cb011e3b702cdfc0d4332ef2fc45b406821afff6a6906090ed78e816fb737c0b0309b3fe4e60b9fdc8d7fad9087be5888d6e227e

  Filesize:  256KB
  MD5:       a9898e8a6837513918a139b3db7d1814
  SHA1:      879e897fa85cee1b289f132e50a2694a1b6f0f6c
  SHA256:    4eaf4dbc1563c05f7363d8fb5e5a0d27828f46a5d882d9b0148bb45239ffe2a5
  SHA512:    3f51d05669f04475578b7a4e87cebdd98946c25c4d3bcd98267eb65423b00ed64bd05e5c7c8001dae9f9b4a098dc45854f9c81a318fadc297a2a2173e3981f34