Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 175s
max time network: 62s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/04/2024, 20:03
Behavioral task
behavioral1
Sample
e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
Resource
win7-20240221-en
General
Target: e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
Size: 366KB
MD5: a0307df6eb0b3cce819ad6a5894c08ee
SHA1: 13725598a9d292256bc6321bf8abeb2220e479c7
SHA256: e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428
SHA512: ba9a10f71653d4a5365db9168a4e2939d10b4e6ec9ef4fd908a288561d20297c819b1bdb4b673113099b07c522fe8d0637a91a160034bdd392e2f666e8bd6a3a
SSDEEP: 6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1p:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1p
Malware Config
Signatures
Detect Blackmoon payload (1 IoC)
resource: behavioral1/files/0x00110000000055a2-7.dat    yara_rule: family_blackmoon
Deletes itself (1 IoC)
pid 1932    Process: Syslemajcxy.exe
Executes dropped EXE (1 IoC)
pid 1932    Process: Syslemajcxy.exe
Loads dropped DLL (2 IoCs)
pid 2652    Process: e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe    (x2)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 2652    Process: e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe    (x8)
pid 1932    Process: Syslemajcxy.exe    (x56)
Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 2652 wrote to memory of 1932    pid: 2652    Process: e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe    procid_target: 32    (x4, identical rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe"
   PID: 2652
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Syslemajcxy.exe  (child of PID 2652)
      command line: "C:\Users\Admin\AppData\Local\Temp\Syslemajcxy.exe"
      PID: 1932
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
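The signatures and process tree above describe one behaviour chain: the sample (PID 2652) writes Syslemajcxy.exe into %TEMP%, launches it (PID 1932), writes into the child's memory four times, and the child then deletes the original. None of those events is rare on its own; the combination is what a triage analyst wants flagged. The script below, an added example that is not part of the tria.ge report and not tria.ge's code, correlates constructed sandbox events modelled on this report into that "drop, execute, inject, self-delete" chain. The event field names (`type`, `pid`, `child_pid`, `target_pid`, `path`) are an assumption for illustration, not the sandbox's export format, and the mapping of the 366KB "Downloads" artifact to the dropped Syslemajcxy.exe is likewise an assumption the report does not state.

```python
"""Correlate sandbox events into a drop-execute-inject-self-delete chain.

Added example; the events below are constructed by hand to mirror the report's
process tree (PID 2652 -> PID 1932) and signatures. Field names are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROP = TEMP + "\\Syslemajcxy.exe"
PARENT = TEMP + "\\" + SAMPLE

# Constructed events (not sandbox output): parent writes the drop, starts it,
# calls WriteProcessMemory on it four times, then the child deletes the parent.
EVENTS = [
    {"t": 1, "type": "file_write", "pid": 2652, "image": PARENT, "path": DROP},
    {"t": 2, "type": "proc_create", "pid": 2652, "image": PARENT,
     "child_pid": 1932, "child_image": DROP},
    *[{"t": 3 + i, "type": "write_process_memory", "pid": 2652, "target_pid": 1932}
      for i in range(4)],
    {"t": 8, "type": "file_delete", "pid": 1932, "image": DROP, "path": PARENT},
]


@dataclass
class Chain:
    parent_pid: int
    child_pid: int
    dropped: str
    wpm_count: int = 0                 # WriteProcessMemory calls parent -> child
    parent_deleted_by_child: bool = False

    @property
    def score(self) -> int:
        # 1 for drop-and-execute, +1 if the parent injected into the child,
        # +1 if the child removed the parent's image (self-deletion by proxy).
        return 1 + int(self.wpm_count > 0) + int(self.parent_deleted_by_child)


def find_drop_and_run_chains(events):
    """Return Chain objects for every process that executed a file it wrote."""
    written = defaultdict(set)   # pid -> lower-cased paths that pid wrote
    images = {}                  # pid -> image path, for resolving deletes
    chains = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        if "image" in ev:
            images.setdefault(ev["pid"], ev["image"])
        if ev["type"] == "file_write":
            written[ev["pid"]].add(ev["path"].lower())
        elif ev["type"] == "proc_create":
            images[ev["child_pid"]] = ev["child_image"]
            if ev["child_image"].lower() in written[ev["pid"]]:
                key = (ev["pid"], ev["child_pid"])
                chains[key] = Chain(ev["pid"], ev["child_pid"], ev["child_image"])
        elif ev["type"] == "write_process_memory":
            chain = chains.get((ev["pid"], ev["target_pid"]))
            if chain:
                chain.wpm_count += 1
        elif ev["type"] == "file_delete":
            for chain in chains.values():
                parent_image = (images.get(chain.parent_pid) or "").lower()
                if ev["pid"] == chain.child_pid and ev["path"].lower() == parent_image:
                    chain.parent_deleted_by_child = True
    return list(chains.values())


# Hashes copied from the report. ASSUMPTION: the 366KB Downloads artifact is the
# dropped Syslemajcxy.exe; the report lists it without naming it.
ORIGINAL = {"size": "366KB",
            "sha256": "e76f9b6958fca510d682943b4234893a0e4a8d81d75c8c30aac38e5a916f1428"}
DROPPED = {"size": "366KB",
           "sha256": "91feb5e490281cc17d34f03ea6497b8b42314db355200a41d0e5bb8bd4d9c1c2"}


def not_identical_copy(original, dropped):
    """Same reported size but different SHA-256: the drop is not a byte-for-byte
    copy of the sample, so "deletes itself" here is not a plain relocation."""
    return original["size"] == dropped["size"] and original["sha256"] != dropped["sha256"]


if __name__ == "__main__":
    for c in find_drop_and_run_chains(EVENTS):
        print(f"{c.parent_pid} -> {c.child_pid}: dropped={c.dropped} "
              f"wpm={c.wpm_count} self_delete={c.parent_deleted_by_child} score={c.score}")
    print("dropped file differs from sample:", not_identical_copy(ORIGINAL, DROPPED))
```

The correlation keys on the parent having written the child's image path before creating the process, which is what separates "Executes dropped EXE" from ordinary child-process creation; the memory writes and the delete are then attached to that chain rather than counted in isolation. Run against real sandbox exports, the lower-casing of paths and the ordering by timestamp are the two details that most often break naive versions of this check.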
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 102B
MD5: 1226e6a47fdbfd78df76bdd45cb0564c
SHA1: 8a08de365b4413c6d7882bfd8a3775d26d367712
SHA256: 2280de56f43d6a590c031f896069615a7aec2a7f749bc20b323eb67a253da6d3
SHA512: bd620b7b953abc34714ee711d6b77cac9c81dd195884cb8e37937822cd2884a0775bf7413c92f17784e7f1e500f18951f95e7918f5a6fecfee546a2d34a4f029
File 2
Filesize: 366KB
MD5: acc11a8280acb5e6040fc3f0e0f34d27
SHA1: c73968a9a441bc510998120d49e987c13ffc8fb3
SHA256: 91feb5e490281cc17d34f03ea6497b8b42314db355200a41d0e5bb8bd4d9c1c2
SHA512: 6c390e2d37a8760f5e6b5a66cf43c91aaabe21c4d31c8b8a280c9295f23a9190e19c8a3cde06f3e01471de4bf0f9a1e13f68f0559c32f9ade3148cbe9aa6bb96