Analysis
- max time kernel: 151s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/04/2024, 20:02
Behavioral task: behavioral1
- Sample: 9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
- Resource: win7-20240221-en
General
- Target: 9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
- Size: 440KB
- MD5: d5239ba56ef2f39b1da523e804f33625
- SHA1: a9399024792609e7943c95a5e7b61c75255606e4
- SHA256: 9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341
- SHA512: ce4257251920599a88e67f36d91585c9b58ba2d7a40023bb35b28241b01752b98afcf569e7777b0fed5a9512d09e15fbc648518b7c6cf2656e68024c1e4e6288
- SSDEEP: 6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAn:xgXQKSLpOCtV0R8xMSaAn
Malware Config
Signatures
Detect Blackmoon payload (1 IoC)
- resource: behavioral2/files/0x0003000000022784-8.dat
- yara_rule: family_blackmoon

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code (GeoID) configured in the registry, likely a geofence check. Locale-aware legitimate software reads the same value, so on its own this is a weak signal; it is the combination with the dropped-EXE execution and self-deletion below that makes it meaningful.
- description: Key value queried
- ioc: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation
- Process: 9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe

Deletes itself (1 IoC)
- pid 2744: Syslemthdin.exe

Executes dropped EXE (1 IoC)
- pid 2744: Syslemthdin.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed)
- pid 4200: 9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe (repeated)
- pid 2744: Syslemthdin.exe (repeated)

Suspicious use of WriteProcessMemory (3 IoCs; the same entry is recorded three times)
- description: PID 4200 wrote to memory of 2744
- pid: 4200
- Process: 9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe
- procid_target: 100
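The signatures above describe one chain: the sample (PID 4200) reads the GeoID from the registry, writes Syslemthdin.exe to its own Temp directory, launches it (PID 2744), writes into that child's memory, and the original sample ends up deleted. The following is an added triage script, not tria.ge code, that walks sandbox-style event records and flags each link of that chain. The event schema, field names and the EVENTS list are constructed for this example; the PIDs and paths come from the report, but which file the "Deletes itself" signature refers to is not stated on the page, so the example assumes the original sample is the file removed.

```python
"""Flag the behaviour chain from a list of sandbox-style events (added example,
not tria.ge code). Schema and EVENTS are constructed for this example."""
import re

GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
USER_TEMP_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Syslemthdin.exe"

# Constructed events mirroring the report's signatures. PIDs 4200 and 2744 and
# the paths are from the report; the ordering, the parent PID of the sample and
# the deleted path are assumptions.
EVENTS = [
    {"type": "proc_create", "pid": 4200, "ppid": 1234, "image": SAMPLE},
    {"type": "reg_query", "pid": 4200,
     "key": r"\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation"},
    {"type": "file_write", "pid": 4200, "path": DROPPED},
    {"type": "proc_create", "pid": 2744, "ppid": 4200, "image": DROPPED},
    {"type": "proc_write_mem", "pid": 4200, "target_pid": 2744},
    {"type": "file_delete", "pid": 2744, "path": SAMPLE},
]


def process_images(events):
    """pid -> image path for every process creation seen."""
    return {e["pid"]: e["image"] for e in events if e["type"] == "proc_create"}


def geofence_lookups(events):
    """pids that read the user's GeoID (HKCU Control Panel/International/Geo/Nation)."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "reg_query" and GEO_NATION_RE.search(e["key"])})


def dropped_and_executed(events):
    """(dropper pid, child pid, path) where a file written by a process is later
    launched from a user Temp directory as a child of that same process."""
    hits = []
    written = {}  # lower-cased path -> pid that wrote it
    for e in events:
        if e["type"] == "file_write":
            written[e["path"].lower()] = e["pid"]
        elif e["type"] == "proc_create":
            img = e["image"].lower()
            if written.get(img) == e["ppid"] and USER_TEMP_RE.match(e["image"]):
                hits.append((e["ppid"], e["pid"], e["image"]))
    return hits


def parent_writes_child_memory(events):
    """(parent pid, child pid) where a process writes into a child it spawned.
    This is the WriteProcessMemory signature; it says nothing about what was written."""
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "proc_create"}
    return [(e["pid"], e["target_pid"]) for e in events
            if e["type"] == "proc_write_mem" and parents.get(e["target_pid"]) == e["pid"]]


def sample_deleted(events):
    """(deleting pid, path) where an image that executed in the chain is deleted."""
    images = {p.lower() for p in process_images(events).values()}
    return [(e["pid"], e["path"]) for e in events
            if e["type"] == "file_delete" and e["path"].lower() in images]


def triage(events):
    """Summarise the chain as a set of behaviour labels."""
    labels = set()
    if geofence_lookups(events):
        labels.add("geofence_check")
    if dropped_and_executed(events):
        labels.add("drops_and_executes_from_temp")
    if parent_writes_child_memory(events):
        labels.add("parent_writes_child_memory")
    if sample_deleted(events):
        labels.add("deletes_executed_image")
    return labels


if __name__ == "__main__":
    for label in sorted(triage(EVENTS)):
        print(label)
```

Each function is deliberately a single weak rule; the geofence lookup alone would match plenty of benign software, which is why `triage` reports the labels together rather than scoring any one of them.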
Processes
- C:\Users\Admin\AppData\Local\Temp\9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe (PID 4200)
  command line: "C:\Users\Admin\AppData\Local\Temp\9df901aa003bd47016ef7976233bcfbc63a7f74a21537a38498110cdf1955341.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Syslemthdin.exe (PID 2744, child of 4200)
    command line: "C:\Users\Admin\AppData\Local\Temp\Syslemthdin.exe"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3408; separate root process, no signatures attributed)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4492 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 440KB (same size as the submitted sample, but a different hash)
  MD5: 335732521c64ecfe791c29d41d552a3f
  SHA1: 10fde4effc75c8a22ac534efa7b161f4a428cd2a
  SHA256: f7fec4fb48bd3a40e557427d31af470b0b99e77ba6f25b12aafdad48fad4d715
  SHA512: a39b359088e7845f7e5a1f24c6ca6cddad3b3fba21a93b8714e6c9b4f1efac1085bea7d1765c59ede79798c0ed38fbb4c85d591a5f0772a9e0a0a2ad18b0c987
- Filesize: 102B
  MD5: cf91ff5eb93d270fe15a0b5a5540e521
  SHA1: 26b5fe6abdd6bbde5d4bbd27bddc2408f78fe168
  SHA256: 4e73437b3b3c1878e3a958f52ca16e696fc005af49d7c6dc6aef1f13feffd1e2
  SHA512: f84e6820396db592fb35d607a82fe048651a3d762175ada0188efeac739a67544ab73d7b1c0a5b370d1db31dd68c138aaab00cc23687d52e66192ff73a7edb1c