Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/05/2024, 03:33

General

  • Target

    6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe

  • Size

    1.6MB

  • MD5

    6ea40c2d02ba5d8f0eec8c3776160050

  • SHA1

    773b915271faec00d48d469130dd25bc305b5a80

  • SHA256

    1da94573936cb39e711d0756429bbbc73ac80183632aeebeca54156ad24c6186

  • SHA512

    46166ae388de55a0623aa347eb9443d8d569043a06dc520b8f1f4b1a9dcc9a39536e0ed555fde71021a55d312c43c30c65fb1fd6a56187e85b4e558a61770395

  • SSDEEP

    24576:zYxIAZwWIGiEz/1CUOys8vf9bHMbjshvE/R6njW+qOziufuGebc:zgIAZwWzNvO6flfmRktqDOuGS

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 9 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\MLclRLRrUZ.exe
      -auto C:\Windows\system32\\MLclRLRrUZ.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Windows\system32\MLclRLRrUZ.exe
        -troj
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:5192
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\MLclRLRrUZ.exe

    Filesize

    1.6MB

    MD5

    6ea40c2d02ba5d8f0eec8c3776160050

    SHA1

    773b915271faec00d48d469130dd25bc305b5a80

    SHA256

    1da94573936cb39e711d0756429bbbc73ac80183632aeebeca54156ad24c6186

    SHA512

    46166ae388de55a0623aa347eb9443d8d569043a06dc520b8f1f4b1a9dcc9a39536e0ed555fde71021a55d312c43c30c65fb1fd6a56187e85b4e558a61770395

  • memory/2072-10-0x0000000002C30000-0x0000000002CAE000-memory.dmp

    Filesize

    504KB

  • memory/2072-0-0x0000000000400000-0x0000000000706000-memory.dmp

    Filesize

    3.0MB

  • memory/2072-1-0x0000000000400000-0x0000000000706000-memory.dmp

    Filesize

    3.0MB

  • memory/2072-8-0x0000000075E70000-0x0000000075E71000-memory.dmp

    Filesize

    4KB

  • memory/2072-3-0x0000000002540000-0x000000000256E000-memory.dmp

    Filesize

    184KB

  • memory/2072-12-0x0000000002540000-0x000000000256E000-memory.dmp

    Filesize

    184KB

  • memory/2072-11-0x0000000000400000-0x0000000000706000-memory.dmp

    Filesize

    3.0MB

  • memory/3612-18-0x0000000000400000-0x0000000000706000-memory.dmp

    Filesize

    3.0MB

  • memory/3612-7-0x0000000000400000-0x0000000000706000-memory.dmp

    Filesize

    3.0MB

  • memory/3612-13-0x0000000000400000-0x0000000000706000-memory.dmp

    Filesize

    3.0MB

  • memory/3612-15-0x00000000025A0000-0x00000000025CE000-memory.dmp

    Filesize

    184KB

  • memory/5192-19-0x0000000000400000-0x0000000000706000-memory.dmp

    Filesize

    3.0MB

  • memory/5192-20-0x0000000000AC0000-0x0000000000AEE000-memory.dmp

    Filesize

    184KB

  • memory/5192-21-0x0000000002540000-0x000000000254B000-memory.dmp

    Filesize

    44KB

  • memory/5192-22-0x0000000002540000-0x000000000254B000-memory.dmp

    Filesize

    44KB

  • memory/5192-23-0x0000000000400000-0x0000000000706000-memory.dmp

    Filesize

    3.0MB

  • memory/5192-24-0x0000000000AC0000-0x0000000000AEE000-memory.dmp

    Filesize

    184KB

  • memory/5192-25-0x0000000002540000-0x000000000254B000-memory.dmp

    Filesize

    44KB