Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2024, 09:58
Behavioral task: behavioral1
Sample: 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
Resource: win7-20240221-en
General
Target: 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
Size: 145KB
MD5: 16c2b2255bf7e1a687b6ddc4f99fca81
SHA1: a78332c7802b8eeb59439e4d1de3f9eba955c355
SHA256: 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c
SHA512: 6cdb43b9c37d9f654de8ec0c5608c6c6ac7436c1d6950a72c898bdaca163ab362b845fcc776107a787918690ca1959b3a13cceaa1eea4e0e5de019225013b57d
SSDEEP: 3072:WWWX0E6LJjGF+dtoj84/9rOnt/cA6QIjeyuuI+4:WmJ4+Tj4/QSA6QI07
Malware Config
Signatures
Detect Blackmoon payload (2 IoCs)
resource | yara_rule
behavioral2/memory/2536-1-0x0000000000400000-0x0000000000489000-memory.dmp | family_blackmoon
behavioral2/memory/2536-10-0x0000000000400000-0x0000000000489000-memory.dmp | family_blackmoon
Executes dropped EXE (1 IoCs)
pid | Process
60 | cntjfw.exe
resource | yara_rule
behavioral2/memory/2536-0-0x0000000000400000-0x0000000000489000-memory.dmp | upx
behavioral2/memory/2536-1-0x0000000000400000-0x0000000000489000-memory.dmp | upx
behavioral2/memory/2536-10-0x0000000000400000-0x0000000000489000-memory.dmp | upx
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\rserver30\Radm_log.htm | 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
Suspicious behavior: EnumeratesProcesses (42 IoCs)
Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
2536 | 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 60 | cntjfw.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2536 | 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 2536 wrote to memory of 2248 | 2536 | 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe | 105
PID 2536 wrote to memory of 2248 | 2536 | 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe | 105
PID 2536 wrote to memory of 2248 | 2536 | 5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe | 105
PID 2248 wrote to memory of 60 | 2248 | cmd.exe | 107
PID 2248 wrote to memory of 60 | 2248 | cmd.exe | 107
Processes
1. C:\Users\Admin\AppData\Local\Temp\5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5d5d24574f56e090d0bc8a753fdb8e56c2e0232d368d696459e0333b4e34626c.exe"
   PID: 2536
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\cntjfw.exe -U:C -P:E -M:S C:\Users\Admin\AppData\Local\Temp\itmrqz.exe
      PID: 2248
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\cntjfw.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\cntjfw.exe -U:C -P:E -M:S C:\Users\Admin\AppData\Local\Temp\itmrqz.exe
         PID: 60
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 156KB
MD5: 7aacfd85b8dff0aa6867bede82cfd147
SHA1: e783f6d4b754ea8424699203b8831bdc9cbdd4e6
SHA256: 871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8
SHA512: 59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0