
Analysis

  • max time kernel
    151s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/04/2024, 20:02

General

  • Target

    9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe

  • Size

    440KB

  • MD5

    d5239ba56ef2f39b1da523e804f33625

  • SHA1

    a9399024792609e7943c95a5e7b61c75255606e4

  • SHA256

    9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341

  • SHA512

    ce4257251920599a88e67f36d91585c9b58ba2d7a40023bb35b28241b01752b98afcf569e7777b0fed5a9512d09e15fbc648518b7c6cf2656e68024c1e4e6288

  • SSDEEP

    6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAn:xgXQKSLpOCtV0R8xMSaAn

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
    "C:\Users\Admin\AppData\Local\Temp\9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4200
    • C:\Users\Admin\AppData\Local\Temp\Syslemthdin.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemthdin.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2744
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4492 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3408
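The behavioural signatures listed above are computed by the sandbox from the event trace of the run. As an added illustration (this is not the sandbox's own signature engine), the block below re-derives five of them from a constructed event log modelled on the process tree in this report: PID 4200 is the submitted sample, PID 2744 is the dropped Syslemthdin.exe. The event schema, the registry keys treated as a "computer location" lookup (Control Panel\International\Geo and Nls\Language), the API names and threshold behind "EnumeratesProcesses", and the rule that "Deletes itself" covers deleting the parent's image as well as one's own are all assumptions made for the example.

```python
"""Re-derive sandbox behavioural signatures from a constructed event trace.

Added example; not the sandbox's signature engine. Event schema, registry
key names, API names and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed trace modelled on the process tree in the report
# (PID 4200 = submitted sample, PID 2744 = dropped Syslemthdin.exe).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe"
DROPPED = TEMP + r"\Syslemthdin.exe"

EVENTS = [
    {"t": 0, "pid": 4200, "ppid": 1000, "type": "process_start", "image": SAMPLE},
    # Assumed geofence lookup: the GeoID of the configured nation.
    {"t": 1, "pid": 4200, "type": "reg_query",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"t": 2, "pid": 4200, "type": "file_write", "path": DROPPED},
    {"t": 3, "pid": 4200, "type": "api", "name": "WriteProcessMemory"},
    {"t": 4, "pid": 2744, "ppid": 4200, "type": "process_start", "image": DROPPED},
    # The dropped copy removes the original sample from disk.
    {"t": 5, "pid": 2744, "type": "file_delete", "path": SAMPLE},
] + [  # 64 process-enumeration calls, matching the "64 IoCs" count above
    {"t": 10 + i, "pid": 4200, "type": "api", "name": "NtQuerySystemInformation"}
    for i in range(64)
]

# Assumed registry locations that reveal the configured country/language.
GEO_KEYS = re.compile(r"\\(Control Panel\\International\\Geo|Nls\\Language)(\\|$)", re.I)
# Assumed set of APIs that count as process enumeration.
ENUM_APIS = {"NtQuerySystemInformation", "CreateToolhelp32Snapshot", "Process32Next"}


def _image_of(events):
    return {e["pid"]: e["image"] for e in events if e["type"] == "process_start"}


def _parent_of(events):
    return {e["pid"]: e.get("ppid") for e in events if e["type"] == "process_start"}


def checks_location(events):
    """PIDs that query a registry key holding the configured country/locale."""
    return {e["pid"] for e in events
            if e["type"] == "reg_query" and GEO_KEYS.search(e["key"])}


def executes_dropped_exe(events):
    """PIDs whose image file was written to disk earlier in the same trace."""
    written = {}  # lower-cased path -> time of first write
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "file_write" and e["path"].lower().endswith(".exe"):
            written.setdefault(e["path"].lower(), e["t"])
    return {e["pid"] for e in events if e["type"] == "process_start"
            and e["image"].lower() in written
            and written[e["image"].lower()] < e["t"]}


def deletes_itself(events):
    """PIDs that delete their own image or the image of the process that spawned them."""
    image, parent = _image_of(events), _parent_of(events)
    hits = set()
    for e in events:
        if e["type"] != "file_delete":
            continue
        own = image.get(e["pid"], "").lower()
        par = image.get(parent.get(e["pid"]), "").lower()
        if e["path"].lower() in (own, par):
            hits.add(e["pid"])
    return hits


def enumerates_processes(events, threshold=16):
    """PIDs that call process-enumeration APIs at least `threshold` times (assumed cut-off)."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "api" and e["name"] in ENUM_APIS:
            counts[e["pid"]] += 1
    return {pid for pid, n in counts.items() if n >= threshold}


def writes_process_memory(events):
    """PIDs that call WriteProcessMemory at all."""
    return {e["pid"] for e in events
            if e["type"] == "api" and e["name"] == "WriteProcessMemory"}


def evaluate(events):
    """Map each signature name to the set of PIDs it fires on."""
    return {
        "Checks computer location settings": checks_location(events),
        "Executes dropped EXE": executes_dropped_exe(events),
        "Deletes itself": deletes_itself(events),
        "Suspicious behavior: EnumeratesProcesses": enumerates_processes(events),
        "Suspicious use of WriteProcessMemory": writes_process_memory(events),
    }


if __name__ == "__main__":
    for name, pids in evaluate(EVENTS).items():
        print(f"{name}: {sorted(pids) or '-'}")
```

Run against the constructed trace, the five signatures attach to the same processes the report shows: the location check, WriteProcessMemory use and process enumeration on the parent (4200), and "Executes dropped EXE" plus "Deletes itself" on the child (2744). Note that the report lists Syslemthdin.exe at the same size as the submitted sample (440KB) but with different hashes, so a hash match alone will not link the two; the file-write-then-execute relation in the trace is what ties them together.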

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\Syslemthdin.exe

      Filesize

      440KB

      MD5

      335732521c64ecfe791c29d41d552a3f

      SHA1

      10fde4effc75c8a22ac534efa7b161f4a428cd2a

      SHA256

      f7fec4fb48bd3a40e557427d31af470b0b99e77ba6f25b12aafdad48fad4d715

      SHA512

      a39b359088e7845f7e5a1f24c6ca6cddad3b3fba21a93b8714e6c9b4f1efac1085bea7d1765c59ede79798c0ed38fbb4c85d591a5f0772a9e0a0a2ad18b0c987

    • C:\Users\Admin\AppData\Local\Temp\lpath.ini

      Filesize

      102B

      MD5

      cf91ff5eb93d270fe15a0b5a5540e521

      SHA1

      26b5fe6abdd6bbde5d4bbd27bddc2408f78fe168

      SHA256

      4e73437b3b3c1878e3a958f52ca16e696fc005af49d7c6dc6aef1f13feffd1e2

      SHA512

      f84e6820396db592fb35d607a82fe048651a3d762175ada0188efeac739a67544ab73d7b1c0a5b370d1db31dd68c138aaab00cc23687d52e66192ff73a7edb1c