Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 11/05/2024, 02:20
Behavioral task: behavioral1
Sample: 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe
Resource: win7-20240215-en
General
Target: 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe
Size: 816KB
MD5: c26e7efeef74c075d9224d58b5f61f1b
SHA1: 6761f620d9658e00201353ccc1959c2018d86a35
SHA256: 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90
SHA512: af7f4a8722058ec2ee4bc0d5c52ad8de8388c6316c2af6ffc3b032f52b8067cdee053feb96dff2d6ad51aba2cbaba13c71618cc97f5ccef2ba9472aa89d32726
SSDEEP: 24576:vS68YscYEzpDOCcbhQCKlrDkXCLw30Q48Ty:vdVscYEz43bnmrDkS44
Malware Config
Signatures
-
Detect Blackmoon payload (3 IoCs)
resource | yara_rule
behavioral1/memory/2316-5-0x0000000010000000-0x0000000010067000-memory.dmp | family_blackmoon
behavioral1/memory/2316-8-0x0000000002EA0000-0x00000000038A0000-memory.dmp | family_blackmoon
behavioral1/memory/2608-26-0x0000000000250000-0x000000000028E000-memory.dmp | family_blackmoon
-
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYSTEM_START.lnk | 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe
-
Executes dropped EXE (1 IoC)
pid | Process
2608 | kmvgn.exe
-
Loads dropped DLL (2 IoCs)
pid | Process
2316 | 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe
2608 | kmvgn.exe
-
resource | yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x00000000005A9000-memory.dmp | vmprotect
behavioral1/memory/2316-1-0x0000000000400000-0x00000000005A9000-memory.dmp | vmprotect
behavioral1/files/0x0007000000014702-19.dat | vmprotect
behavioral1/memory/2608-23-0x0000000010000000-0x000000001005D000-memory.dmp | vmprotect
behavioral1/memory/2608-21-0x0000000010000000-0x000000001005D000-memory.dmp | vmprotect
behavioral1/memory/2316-32-0x0000000000400000-0x00000000005A9000-memory.dmp | vmprotect
behavioral1/memory/2608-35-0x0000000010000000-0x000000001005D000-memory.dmp | vmprotect
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2316 | 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe
2608 | kmvgn.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | kmvgn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | kmvgn.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | kmvgn.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | kmvgn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | kmvgn.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2316 | 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe
2608 | kmvgn.exe
2608 | kmvgn.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2608 | kmvgn.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2316 wrote to memory of 2608 | 2316 | 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe | 28
PID 2316 wrote to memory of 2608 | 2316 | 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe | 28
PID 2316 wrote to memory of 2608 | 2316 | 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe | 28
PID 2316 wrote to memory of 2608 | 2316 | 875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe | 28
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe"
- Drops startup file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2316
-
  Level 2 (child of PID 2316): C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe
  Command line: C:\Users\Public\Videos\VSTelem\kmvgn\kmvgn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2608
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 188KB
MD5: 3dc8268e939ea269474b319e6ad64066
SHA1: 37919c320708877525aa0b4443674b3b75d32ebc
SHA256: 0e807eea09cfb000d965d3f32ac4dfba6fa9a480bf6289ffd3c7576dddfdbb5a
SHA512: 05c0c4c8eb6e9af30739968bf70c308db9ac74b97d9a58e7adb6a0c42683f261b1018eddedee9fa0898275ca288f1af7cac7fa9a380a7745d80bc0d325f60fde
-
Filesize: 73KB
MD5: 7e651e861e25e68820d109b1f2618d79
SHA1: 7a8263f724d1ba5891b3c7d96cbf140c9d731cc7
SHA256: e7b0140998a55eac72263fd9d41452851475ef99fea74e201dfb76a963e25b80
SHA512: 6bc20c4c85c0399dbeb9e2f523b3e0e3368434da074fa669bc026105a8e6e67bf9fd5d78542ba295d8f470ca507eb3b5416bcf5c75f5ac0c9bba0a323ed19c00
-
Filesize: 49KB
MD5: 86810e2d993f7327eb5b25b5d17d21c1
SHA1: 92be7e63223f3c7e37161b8fc1ab555813988d70
SHA256: 63636cec408acbbc4d04c01f9efdbe4b9b08fa0c4390ec8729b9ff0c8be9d246
SHA512: 148ef0d152260f874d2c32accf4afdc07d7b975fc15d2373d9c4d8fc4975dc4c54f37ca432eddb9b4e0d109386ab9ab8aad2dcea420ed8a5ee42e4aff341fd4c