Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/03/2024, 23:40
Behavioral task: behavioral1
Sample: b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
Resource: win7-20240221-en
General
Target: b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
Size: 366KB
MD5: 02f045f3b7bb7ee410e65cc95131c7f9
SHA1: a155d58ecabd7e6d1c6ffe3dd3cd9f1914dbad01
SHA256: b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16
SHA512: 3d0a1bc8f4fb059ebe106d5a736cfef7d96ce2e28bdb886876217b9b67b59c725fa1bbf9c39ce0f28df9b63cdbb29b3fcac953c4ee3b94df5e9f5a85e7a4df9f
SSDEEP: 6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1V:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1V
Malware Config
Signatures
Detect Blackmoon payload (1 IoC)
resource: behavioral2/files/0x0008000000023251-8.dat
yara_rule: family_blackmoon

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Process: b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe

Deletes itself (1 IoC)
pid 4392, Process Syslemshwub.exe

Executes dropped EXE (1 IoC)
pid 4392, Process Syslemshwub.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 4780, Process b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe (16 identical entries)
pid 4392, Process Syslemshwub.exe (48 identical entries)

Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 4780 wrote to memory of 4392
pid 4780, Process b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe, procid_target 97 (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8dfc5ed03ddfa5073ea245dd4f8a3957004c8f745eca64c92431650729c9a16.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4780
  Child: C:\Users\Admin\AppData\Local\Temp\Syslemshwub.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Syslemshwub.exe"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
  PID: 3012
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 366KB
MD5: 5ccdb9b2f8ae46eb32486e29988632eb
SHA1: eeeb93bad405ef7fa3f2413188921b8133350951
SHA256: 59f64bd6d895e224123958df534c13ccda9c79e03f621bb4f8245e1c09dcdd43
SHA512: 250ca81653a220ef105a4b1c1dee8ac18017c9789de2a3c815ff8d98e456542c968a07644a2e799b889d230075bb54356a89966c94b2e1b88850a0e6c93eff2b

Filesize: 102B
MD5: 906f4f2e2628169c30890acbe81f7638
SHA1: e7e190f829624adc9740218af963e010eabd2951
SHA256: 0fa3af936c52d26660c64846eaa930d63f1a9f386b4f9066d3d581a5d30ed8ce
SHA512: 7166e391ce6f38ba32f74bbbdb373da1132d3709c3609a9138c2b66424f4904b488c94292eeaeab7268e58cb9736a98c4c0b1555c4e5837068e2d4fe4677b9f4