Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2024, 23:40

General

  • Target

    b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe

  • Size

    366KB

  • MD5

    02f045f3b7bb7ee410e65cc95131c7f9

  • SHA1

    a155d58ecabd7e6d1c6ffe3dd3cd9f1914dbad01

  • SHA256

    b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16

  • SHA512

    3d0a1bc8f4fb059ebe106d5a736cfef7d96ce2e28bdb886876217b9b67b59c725fa1bbf9c39ce0f28df9b63cdbb29b3fcac953c4ee3b94df5e9f5a85e7a4df9f

  • SSDEEP

    6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1V:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1V

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
    "C:\Users\Admin\AppData\Local\Temp\b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Users\Admin\AppData\Local\Temp\Syslemshwub.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemshwub.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4392
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Syslemshwub.exe

      Filesize

      366KB

      MD5

      5ccdb9b2f8ae46eb32486e29988632eb

      SHA1

      eeeb93bad405ef7fa3f2413188921b8133350951

      SHA256

      59f64bd6d895e224123958df534c13ccda9c79e03f621bb4f8245e1c09dcdd43

      SHA512

      250ca81653a220ef105a4b1c1dee8ac18017c9789de2a3c815ff8d98e456542c968a07644a2e799b889d230075bb54356a89966c94b2e1b88850a0e6c93eff2b

    • C:\Users\Admin\AppData\Local\Temp\lpath.ini

      Filesize

      102B

      MD5

      906f4f2e2628169c30890acbe81f7638

      SHA1

      e7e190f829624adc9740218af963e010eabd2951

      SHA256

      0fa3af936c52d26660c64846eaa930d63f1a9f386b4f9066d3d581a5d30ed8ce

      SHA512

      7166e391ce6f38ba32f74bbbdb373da1132d3709c3609a9138c2b66424f4904b488c94292eeaeab7268e58cb9736a98c4c0b1555c4e5837068e2d4fe4677b9f4