Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14/03/2024, 09:58 UTC
Behavioral task: behavioral1
Sample: 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
Resource: win7-20240221-en
General
Target: 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
Size: 145KB
MD5: 16c2b2255bf7e1a687b6ddc4f99fca81
SHA1: a78332c7802b8eeb59439e4d1de3f9eba955c355
SHA256: 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c
SHA512: 6cdb43b9c37d9f654de8ec0c5608c6c6ac7436c1d6950a72c898bdaca163ab362b845fcc776107a787918690ca1959b3a13cceaa1eea4e0e5de019225013b57d
SSDEEP: 3072:WWWX0E6LJjGF+dtoj84/9rOnt/cA6QIjeyuuI+4:WmJ4+Tj4/QSA6QI07
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  yara rule family_blackmoon matched behavioral1/memory/2256-1-0x0000000000400000-0x0000000000489000-memory.dmp and behavioral1/memory/2256-13-0x0000000000400000-0x0000000000489000-memory.dmp
- Executes dropped EXE (2 IoCs)
  pid 2524 mwgttb.exe; pid 1188 Process not Found
- Loads dropped DLL (2 IoCs)
  pid 2420 cmd.exe; pid 1188 Process not Found
- UPX packed file (yara rule upx, 3 IoCs)
  matched behavioral1/memory/2256-0-0x0000000000400000-0x0000000000489000-memory.dmp, behavioral1/memory/2256-1-0x0000000000400000-0x0000000000489000-memory.dmp and behavioral1/memory/2256-13-0x0000000000400000-0x0000000000489000-memory.dmp
  Note that all three hits are on memory dumps of PID 2256, not on the file: the mapped image (0x400000-0x489000, 0x89000 bytes, about 561 KB) is several times the 145KB file size, which is what an in-place unpacker produces.
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\rserver30\Radm_log.htm by 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
  rserver30\Radm_log.htm is the default log file of Radmin Server 3, so the sample is creating a Radmin server log under SysWOW64; check the host for a Radmin service that the legitimate software did not install.
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid 2256 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe (20 hits); pid 2524 mwgttb.exe (2 hits)
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2256 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2524 mwgttb.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2256 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2256 (5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe) wrote to memory of 2420, procid_target 31, 4 records
  PID 2420 (cmd.exe) wrote to memory of 2524, procid_target 33, 4 records
  Both targets are the writer's own freshly created child (see the process tree below), so these records are the writes CreateProcess itself performs into a new process, not injection into a foreign one.
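The UPX hits above come from memory dumps of the running process, which is where a packed Blackmoon sample is easiest to recognise. The static side of the same check, reading the PE section table for the UPX layout (an empty first section that is large in memory, a high-entropy second section, and the tell-tale names), is shown below as an added example; it is not code from this report or from Triage. The two PE images it inspects are built in memory by the included minimal `build_pe` helper and are stand-ins constructed for the example, not the sample analysed here.

```python
"""Static UPX-packing check from a PE section table, plus a minimal PE builder
used only to construct the two stand-in images below. Added example; neither
image is the sample from this report."""
import math
import random
import struct
from collections import Counter

FILE_ALIGN = 0x200
OPT_HDR_SIZE = 0xE0  # PE32 optional header


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections):
    """Assemble a minimal PE32: DOS header, 'PE\\0\\0', COFF header, optional
    header, section table, section bodies. sections = [(name, vsize, raw)]."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    hdr_end = _align(0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * len(sections), FILE_ALIGN)
    table, body, raw_ptr, vaddr = bytearray(), bytearray(), hdr_end, 0x1000
    for name, vsize, raw in sections:
        rsize = _align(len(raw), FILE_ALIGN) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             rsize, raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(rsize, b"\0")
        raw_ptr += rsize
        vaddr += _align(max(vsize, rsize), 0x1000)
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(hdr_end, b"\0") + body)


def parse_sections(data):
    """Walk the section table of a PE image held in memory (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    base = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, base + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                     "vaddr": vaddr, "rsize": rsize, "data": data[rptr:rptr + rsize]})
    return secs


def entropy(buf):
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def upx_indicators(data):
    """Reasons a PE looks UPX-packed; an empty list means nothing was found.
    Section names are the weakest signal (trivially renamed); the empty first
    section and high entropy hold for most UPX builds regardless of names."""
    secs = parse_sections(data)
    reasons = []
    upx_names = [s["name"] for s in secs if s["name"].startswith("UPX")]
    if upx_names:
        reasons.append("section names " + ",".join(upx_names))
    first = secs[0] if secs else None
    if first and first["rsize"] == 0 and first["vsize"] >= 0x1000:
        reasons.append(f"first section {first['name']} has 0 raw bytes but {first['vsize']:#x} virtual bytes")
    for s in secs:
        e = entropy(s["data"])
        if s["rsize"] and e > 7.0:
            reasons.append(f"{s['name']} entropy {e:.2f}")
    return reasons


# Constructed stand-ins (not the report's sample): random bytes play the role
# of UPX's compressed payload, NOPs play the role of plain compiled code.
_rng = random.Random(7)
_compressed = bytes(_rng.getrandbits(8) for _ in range(0x8000))
PACKED = build_pe([("UPX0", 0x70000, b""), ("UPX1", 0x8000, _compressed), (".rsrc", 0x1000, b"\0" * 0x100)])
CLEAN = build_pe([(".text", 0x3000, b"\x90" * 0x2FFF + b"\xC3"), (".data", 0x1000, b"A" * 0x100), (".rsrc", 0x1000, b"\0" * 0x100)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("clean", CLEAN)):
        print(label, upx_indicators(img) or "no packing indicators")
```

Run it against a real file with `upx_indicators(open(path, "rb").read())`. The two layout checks are the ones worth keeping in a triage script: a first section with zero raw size but a large virtual size is the unpack destination UPX reserves, and that is also why the on-disk file is small while the mapped image the yara rules hit is not.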
Processes
- C:\Users\Admin\AppData\Local\Temp\5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe (PID 2256)
  command line: "C:\Users\Admin\AppData\Local\Temp\5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2420)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mwgttb.exe -U:C -P:E -M:S C:\Users\Admin\AppData\Local\Temp\eitmxl.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mwgttb.exe (PID 2524)
      command line: C:\Users\Admin\AppData\Local\Temp\mwgttb.exe -U:C -P:E -M:S C:\Users\Admin\AppData\Local\Temp\eitmxl.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
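The chain above is sample (2256) spawning cmd.exe (2420), which spawns the dropped mwgttb.exe (2524) that then enables SeDebugPrivilege. Triage records a WriteProcessMemory event for each write a parent makes into a child it has just created, so the eight records in the Signatures section are creation-time writes, and the question a practitioner wants answered is whether any write went somewhere other than the writer's own child. The Python below is an added example, not part of the report or of Triage: it parses the report's own WriteProcessMemory and AdjustPrivilegeToken lines (copied here as constructed input), uses the process tree to label each write as creation or injection, and walks the ancestry of any non-sample process that acquired SeDebugPrivilege.

```python
"""Reconstruct the process chain from Triage-style WriteProcessMemory and
AdjustPrivilegeToken records and separate creation-time writes from
cross-process injection. Added example; the records below are copied from
this report and the tree comes from its Processes section."""
import re
from collections import defaultdict

SAMPLE = "5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe"

# pid -> (image name, parent pid), as listed under Processes.
PROCESSES = {
    2256: (SAMPLE, None),
    2420: ("cmd.exe", 2256),
    2524: ("mwgttb.exe", 2420),
}

# The eight WriteProcessMemory records and the token record (constructed
# from the report text; the trailing number is Triage's procid_target).
WPM_EVENTS = [f"PID 2256 wrote to memory of 2420 2256 {SAMPLE} 31"] * 4 + \
             ["PID 2420 wrote to memory of 2524 2420 cmd.exe 33"] * 4
TOKEN_EVENTS = ["Token: SeDebugPrivilege 2524 mwgttb.exe"]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)$")


def parse_wpm(lines):
    """Collapse repeated records into {(writer_pid, target_pid): count}."""
    counts = defaultdict(int)
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def classify_writes(counts, processes):
    """A write into the writer's own direct child is what CreateProcess does
    (startup parameters are copied into the new process), so it is labelled
    'creation'. A write into any other process, including one the tree does
    not know, is 'injection' and is the case worth escalating."""
    out = {}
    for (writer, target), n in counts.items():
        parent = processes.get(target, (None, None))[1]
        out[(writer, target)] = ("creation" if parent == writer else "injection", n)
    return out


def chain(pid, processes):
    """Ancestry of pid as ['image(pid)', ...], root first."""
    out = []
    while pid is not None:
        name, parent = processes[pid]
        out.append(f"{name}({pid})")
        pid = parent
    return out[::-1]


def privileged_non_sample(token_lines, processes):
    """PIDs that enabled SeDebugPrivilege and are not the submitted sample."""
    hits = []
    for line in token_lines:
        m = TOKEN_RE.match(line)
        if m and m.group(1) == "SeDebugPrivilege":
            pid = int(m.group(2))
            if processes.get(pid, ("", None))[0] != SAMPLE:
                hits.append(pid)
    return hits


if __name__ == "__main__":
    writes = classify_writes(parse_wpm(WPM_EVENTS), PROCESSES)
    for (w, t), (kind, n) in writes.items():
        print(f"{w} -> {t}: {kind} x{n}")
    for pid in privileged_non_sample(TOKEN_EVENTS, PROCESSES):
        print("SeDebugPrivilege in dropped process:", " > ".join(chain(pid, PROCESSES)))
```

For this report every write is labelled creation, which matches the tree: the interesting finding is not the WriteProcessMemory count but that a dropped binary launched through `cmd /c` enables SeDebugPrivilege and enumerates processes. The "Process not Found" pid 1188 entries are Triage placeholders for a process it could not resolve and are left out of the tree here.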
Network
- DNS to 8.8.8.8:53: A query for fdjkgs1.cn-gd.ufileos.com; response A 106.75.183.118, A 106.75.183.117
- Flow to 106.75.183.118:80 (fdjkgs1.cn-gd.ufileos.com) from 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe: 152 B, 3
- Flow to 106.75.183.117:80 (fdjkgs1.cn-gd.ufileos.com) from 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe: 152 B, 3
ufileos.com is the endpoint domain of UCloud's UFile object storage and cn-gd is one of its regions, so the attacker-controlled part of the name is the bucket label fdjkgs1; block or hunt on the full hostname and the two addresses rather than the shared parent domain. Each flow totals only 152 B in 3 packets, which is consistent with a connection opened and closed without an HTTP payload in this run.
Downloads
- Filesize: 156KB
  MD5: 7aacfd85b8dff0aa6867bede82cfd147
  SHA1: e783f6d4b754ea8424699203b8831bdc9cbdd4e6
  SHA256: 871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8
  SHA512: 59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0