Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/04/2024, 20:02
Behavioral task: behavioral1
Sample: 8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
Resource: win7-20240221-en
General
Target: 8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
Size: 366KB
MD5: a0abc9b568ecaedbaa97275980661174
SHA1: efad7f2696246ddbbc46b65303fc56e7740211a9
SHA256: 8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0
SHA512: 2ccdde4214afb76ea78c8a99663b6d5a8fc2fa9d8e6ae235fd95a0a2e7cf827968308bd3ea8991eb803ad9f0e065c5ebbe1bd57f7822ad87ee155598e97e67b4
SSDEEP: 6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P16:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P16
Malware Config
Signatures
- Detect Blackmoon payload (1 IoC)
  resource: behavioral1/files/0x0009000000015e07-10.dat
  yara_rule: family_blackmoon
- Deletes itself (1 IoC)
  PID 2064, Syslemonlua.exe
- Executes dropped EXE (1 IoC)
  PID 2064, Syslemonlua.exe
- Loads dropped DLL (2 IoCs)
  PID 2976, 8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe (2 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2976, 8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe (8 entries)
  PID 2064, Syslemonlua.exe (remaining 56 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2976 (8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe) wrote to memory of PID 2064, procid_target 29 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe"
  PID: 2976
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Syslemonlua.exe (depth 2, child of PID 2976)
    command line: "C:\Users\Admin\AppData\Local\Temp\Syslemonlua.exe"
    PID: 2064
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
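The process tree above is the classic drop-and-execute chain: the sample running from the user's Temp directory writes Syslemonlua.exe next to itself, starts it, and the original image is then deleted. The following detection logic is an added example, not part of the tria.ge report; it runs over constructed Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 23 FileDelete) whose PIDs and paths are taken from the tree, while the sample's own parent (PID 1000, explorer.exe), the event order and the assumption that the child process performs the self-delete are made up for the example.

```python
"""Detect a %TEMP% process that drops and then spawns a second executable in
%TEMP%, and whether the parent's own image is deleted afterwards."""
from typing import Dict, List

TEMP_DIR = r"c:\users\admin\appdata\local\temp"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Syslemonlua.exe"

# Constructed events. Event ids follow Sysmon (1 = ProcessCreate,
# 11 = FileCreate, 23 = FileDelete). PIDs and paths come from the report;
# the sample's parent (PID 1000, explorer.exe), the event order and which
# process deletes the sample are assumptions, not something the report states.
EVENTS: List[Dict] = [
    {"id": 1, "pid": 2976, "ppid": 1000, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 2976, "target": DROPPED},
    {"id": 1, "pid": 2064, "ppid": 2976, "image": DROPPED,
     "parent_image": SAMPLE},
    {"id": 23, "pid": 2064, "target": SAMPLE},
]

# A benign process start for comparison (constructed).
BENIGN: List[Dict] = [
    {"id": 1, "pid": 500, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def in_temp(path: str) -> bool:
    """True if the path is under the user's Temp directory."""
    return path.lower().startswith(TEMP_DIR + "\\")


def find_drop_chains(events: List[Dict]) -> List[Dict]:
    """One record per ProcessCreate where a %TEMP% process starts an executable
    in %TEMP% that it wrote itself; also flags whether the parent's image was
    deleted afterwards by either the parent or the child."""
    created = {(e["pid"], e["target"].lower()) for e in events if e["id"] == 11}
    deleted = {(e["pid"], e["target"].lower()) for e in events if e["id"] == 23}
    chains = []
    for e in events:
        if e["id"] != 1:
            continue
        if not (in_temp(e["image"]) and in_temp(e.get("parent_image", ""))):
            continue
        if (e["ppid"], e["image"].lower()) not in created:
            continue  # parent did not write the child's image: not a drop
        parent_img = e["parent_image"].lower()
        chains.append({
            "parent_pid": e["ppid"],
            "child_pid": e["pid"],
            "dropped": e["image"],
            "parent_image_deleted": any(
                (pid, parent_img) in deleted for pid in (e["ppid"], e["pid"])),
        })
    return chains


if __name__ == "__main__":
    for chain in find_drop_chains(EVENTS):
        print(chain)
```

The FileCreate join is what keeps this rule quiet on installers and updaters that legitimately spawn helpers from Temp: the child must have been written by the very process that starts it. Requiring the delete of the parent image on top of that is optional; on this sample it fires, but a dropper that leaves the original behind still matches the first two conditions.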
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 366KB
  MD5: f6d68c37650744d0f897741d2f66449c
  SHA1: 5f919ad64530762b964a99f2a59f59644f111a46
  SHA256: 5e89efd1e748186ac5719e9f0efea68c5e31ebfc1055d7e6d652cc9fae969fb1
  SHA512: 272526a29f34072902e674c9e0f636578ca151cd74f926f7cd71e665f628b52d0543a90119e7b336c3e74821ea60c4d89296659a98790053d50aa7446e7f26b7
- File 2
  Filesize: 102B
  MD5: 0fa174849605ad28bd6456cf9b8880ff
  SHA1: 5aa88d4d40c5d72169b1a516bf8cd5a3e6ec3780
  SHA256: dcd64b274111e34910653a332d2b98234fe4f78218207fcdfef867aec5f48ced
  SHA512: 056d3257613a2f85d74b826b75df4147c3a347c17d19e6d3b80a121fdec76a86b978a654018b9deca99542331ba0e391db21dc988e0e5be88dc51e40ae10b82b
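When the hashes from a report like this are pulled into a blocklist or used to confirm that a retrieved artifact is the one the sandbox saw, the labels are often fused to the digests (as in the raw Downloads block on this page) and a single mistyped hex character silently turns a match into a miss. The following is an added example, not part of the tria.ge report or its tooling: it parses both layouts on this page (label and digest on separate lines, and label fused to the digest), validates digest lengths, and verifies arbitrary bytes against the parsed set. The input lines are copied from the first Downloads entry above; the test bytes are constructed.

```python
"""Parse tria.ge-style hash lines into a digest map and verify an artifact."""
import hashlib
from typing import Dict, Iterable

# Longest label first so "SHA512..." is not mis-read as "SHA1" + "512...".
ALGOS = ("SHA512", "SHA256", "SHA1", "MD5")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Lines copied from the first Downloads entry of the report (constructed input).
DOWNLOAD_1 = [
    "Filesize", "366KB",
    "MD5f6d68c37650744d0f897741d2f66449c",
    "SHA15f919ad64530762b964a99f2a59f59644f111a46",
    "SHA2565e89efd1e748186ac5719e9f0efea68c5e31ebfc1055d7e6d652cc9fae969fb1",
    "SHA512272526a29f34072902e674c9e0f636578ca151cd74f926f7cd71e665f628b52d"
    "0543a90119e7b336c3e74821ea60c4d89296659a98790053d50aa7446e7f26b7",
]


def parse_hash_lines(lines: Iterable[str]) -> Dict[str, str]:
    """Accept 'MD5' + digest on the next line (General block layout) or
    'MD5<digest>' on one line (Downloads block layout)."""
    out: Dict[str, str] = {}
    pending = None  # label seen, digest expected on the following line
    for raw in lines:
        line = raw.strip()
        if not line or line == "-":
            continue
        if pending:
            out[pending] = line.lower()
            pending = None
            continue
        for algo in ALGOS:
            if line.upper().startswith(algo):
                rest = line[len(algo):].strip()
                if rest:
                    out[algo] = rest.lower()
                else:
                    pending = algo
                break
    bad = [a for a, h in out.items()
           if len(h) != HEX_LEN[a] or any(c not in "0123456789abcdef" for c in h)]
    if bad:
        raise ValueError(f"malformed digest for {bad}")
    return out


def digests(data: bytes) -> Dict[str, str]:
    """Compute the four digests the report lists."""
    return {a: hashlib.new(a.lower(), data).hexdigest() for a in ALGOS}


def verify(data: bytes, reported: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match result. A mixed result indicates a transcription
    error in the reported values, never a partial match to act on."""
    actual = digests(data)
    return {a: actual[a] == reported[a] for a in reported if a in actual}


if __name__ == "__main__":
    reported = parse_hash_lines(DOWNLOAD_1)
    print(reported)
    print(verify(b"abc", reported))
```

Note that File 1 in the Downloads block has the same 366KB size as the submitted sample but different digests; size alone never identifies an artifact, which is why the verifier compares every algorithm the report lists rather than stopping at the first match.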