Analysis
max time kernel: 149s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 20:02
Behavioral task: behavioral1
Sample: 8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
Resource: win7-20240221-en
General
Target: 8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe
Size: 366KB
MD5: a0abc9b568ecaedbaa97275980661174
SHA1: efad7f2696246ddbbc46b65303fc56e7740211a9
SHA256: 8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0
SHA512: 2ccdde4214afb76ea78c8a99663b6d5a8fc2fa9d8e6ae235fd95a0a2e7cf827968308bd3ea8991eb803ad9f0e065c5ebbe1bd57f7822ad87ee155598e97e67b4
SSDEEP: 6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P16:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P16
Malware Config
Signatures

Detect Blackmoon payload (1 IoC)
  resource: behavioral2/files/0x000b000000023183-8.dat
  yara_rule: family_blackmoon

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation
  Process: 8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe

Deletes itself (1 IoC)
  PID 3476  Syslemwgszf.exe

Executes dropped EXE (1 IoC)
  PID 3476  Syslemwgszf.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2604  8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe (repeated entries)
  PID 3476  Syslemwgszf.exe (repeated entries)

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2604 (8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe) wrote to memory of PID 3476, procid_target 92; recorded three times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe (PID 2604)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d6113a90dd18104a7ae2586fa414ba80beef922083b8bdadfede1f5a81d07e0.exe"
   Checks computer location settings
   Suspicious behavior: EnumeratesProcesses
   Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Syslemwgszf.exe (PID 3476, child of PID 2604)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Syslemwgszf.exe"
      Deletes itself
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 366KB
  MD5: 5aeda60d5fb1d46ba53374043a31a8dd
  SHA1: b2faf6ec962e361342a8ac55a42622a81ebe2a07
  SHA256: 4d8d36faef0067f7ff6340947052977aad326b5a3c9b64f9b85e37217fa5afc3
  SHA512: 280024ba4a4e6ccc4a23ae197a406a49802f2cc64f8b018d4478a763bce2fb72c892c0f761c7ce4511ff6ce33e76e5a6d39354ead99e539af0f44441ae0cc4b0

File 2
  Filesize: 102B
  MD5: 0fa174849605ad28bd6456cf9b8880ff
  SHA1: 5aa88d4d40c5d72169b1a516bf8cd5a3e6ec3780
  SHA256: dcd64b274111e34910653a332d2b98234fe4f78218207fcdfef867aec5f48ced
  SHA512: 056d3257613a2f85d74b826b75df4147c3a347c17d19e6d3b80a121fdec76a86b978a654018b9deca99542331ba0e391db21dc988e0e5be88dc51e40ae10b82b