Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/05/2024, 02:20

General

  • Target

    875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe

  • Size

    816KB

  • MD5

    c26e7efeef74c075d9224d58b5f61f1b

  • SHA1

    6761f620d9658e00201353ccc1959c2018d86a35

  • SHA256

    875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90

  • SHA512

    af7f4a8722058ec2ee4bc0d5c52ad8de8388c6316c2af6ffc3b032f52b8067cdee053feb96dff2d6ad51aba2cbaba13c71618cc97f5ccef2ba9472aa89d32726

  • SSDEEP

    24576:vS68YscYEzpDOCcbhQCKlrDkXCLw30Q48Ty:vdVscYEz43bnmrDkS44

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 7 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe
    "C:\Users\Admin\AppData\Local\Temp\875365392d9801b4f6de67e52acf09517dd1741e5b90f0385a803bee8904cf90.exe"
    1⤵
    • Drops startup file
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe
      C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4032
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\Videos\VSTelem\jcozx\Language.dll

    Filesize

    188KB

    MD5

    3dc8268e939ea269474b319e6ad64066

    SHA1

    37919c320708877525aa0b4443674b3b75d32ebc

    SHA256

    0e807eea09cfb000d965d3f32ac4dfba6fa9a480bf6289ffd3c7576dddfdbb5a

    SHA512

    05c0c4c8eb6e9af30739968bf70c308db9ac74b97d9a58e7adb6a0c42683f261b1018eddedee9fa0898275ca288f1af7cac7fa9a380a7745d80bc0d325f60fde

  • C:\Users\Public\Videos\VSTelem\jcozx\Update.log

    Filesize

    73KB

    MD5

    7e651e861e25e68820d109b1f2618d79

    SHA1

    7a8263f724d1ba5891b3c7d96cbf140c9d731cc7

    SHA256

    e7b0140998a55eac72263fd9d41452851475ef99fea74e201dfb76a963e25b80

    SHA512

    6bc20c4c85c0399dbeb9e2f523b3e0e3368434da074fa669bc026105a8e6e67bf9fd5d78542ba295d8f470ca507eb3b5416bcf5c75f5ac0c9bba0a323ed19c00

  • C:\Users\Public\Videos\VSTelem\jcozx\jcozx.exe

    Filesize

    49KB

    MD5

    86810e2d993f7327eb5b25b5d17d21c1

    SHA1

    92be7e63223f3c7e37161b8fc1ab555813988d70

    SHA256

    63636cec408acbbc4d04c01f9efdbe4b9b08fa0c4390ec8729b9ff0c8be9d246

    SHA512

    148ef0d152260f874d2c32accf4afdc07d7b975fc15d2373d9c4d8fc4975dc4c54f37ca432eddb9b4e0d109386ab9ab8aad2dcea420ed8a5ee42e4aff341fd4c

  • memory/644-0-0x0000000000400000-0x00000000005A9000-memory.dmp

    Filesize

    1.7MB

  • memory/644-1-0x0000000000400000-0x00000000005A9000-memory.dmp

    Filesize

    1.7MB

  • memory/644-4-0x0000000010000000-0x0000000010067000-memory.dmp

    Filesize

    412KB

  • memory/644-28-0x0000000000400000-0x00000000005A9000-memory.dmp

    Filesize

    1.7MB

  • memory/4032-19-0x0000000010000000-0x000000001005D000-memory.dmp

    Filesize

    372KB

  • memory/4032-21-0x0000000010000000-0x000000001005D000-memory.dmp

    Filesize

    372KB

  • memory/4032-23-0x00000000008A0000-0x00000000008DE000-memory.dmp

    Filesize

    248KB

  • memory/4032-32-0x0000000010000000-0x000000001005D000-memory.dmp

    Filesize

    372KB