Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2024, 09:58 UTC

General

  • Target

    5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe

  • Size

    145KB

  • MD5

    16c2b2255bf7e1a687b6ddc4f99fca81

  • SHA1

    a78332c7802b8eeb59439e4d1de3f9eba955c355

  • SHA256

    5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c

  • SHA512

    6cdb43b9c37d9f654de8ec0c5608c6c6ac7436c1d6950a72c898bdaca163ab362b845fcc776107a787918690ca1959b3a13cceaa1eea4e0e5de019225013b57d

  • SSDEEP

    3072:WWWX0E6LJjGF+dtoj84/9rOnt/cA6QIjeyuuI+4:WmJ4+Tj4/QSA6QI07

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
    "C:\Users\Admin\AppData\Local\Temp\5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\mwgttb.exe -U:C -P:E -M:S C:\Users\Admin\AppData\Local\Temp\eitmxl.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Users\Admin\AppData\Local\Temp\mwgttb.exe
        C:\Users\Admin\AppData\Local\Temp\mwgttb.exe -U:C -P:E -M:S C:\Users\Admin\AppData\Local\Temp\eitmxl.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2524

Network

  • flag-us
    DNS
    fdjkgs1.cn-gd.ufileos.com
    5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
    Remote address:
    8.8.8.8:53
    Request
    fdjkgs1.cn-gd.ufileos.com
    IN A
    Response
    fdjkgs1.cn-gd.ufileos.com
    IN A
    106.75.183.118
    fdjkgs1.cn-gd.ufileos.com
    IN A
    106.75.183.117
  • 106.75.183.118:80
    fdjkgs1.cn-gd.ufileos.com
    5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
    152 B
    3
  • 106.75.183.117:80
    fdjkgs1.cn-gd.ufileos.com
    5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
    152 B
    3
  • 8.8.8.8:53
    fdjkgs1.cn-gd.ufileos.com
    dns
    5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
    71 B
    103 B
    1
    1

    DNS Request

    fdjkgs1.cn-gd.ufileos.com

    DNS Response

    106.75.183.118
    106.75.183.117

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\mwgttb.exe

    Filesize

    156KB

    MD5

    7aacfd85b8dff0aa6867bede82cfd147

    SHA1

    e783f6d4b754ea8424699203b8831bdc9cbdd4e6

    SHA256

    871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

    SHA512

    59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

  • memory/2256-0-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

  • memory/2256-1-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

  • memory/2256-13-0x0000000000400000-0x0000000000489000-memory.dmp

    Filesize

    548KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.