Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/05/2024, 08:50
Static task: static1
Behavioral task: behavioral1
- Sample: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe
- Resource: win10v2004-20240508-en
General
- Target: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe
- Size: 3.6MB
- MD5: b40e72d5ff5fd58c9a28e0cc6c968252
- SHA1: a2b3cfd65c904cf2a69a36983ab784abedf3df97
- SHA256: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416
- SHA512: d2eb5e85d002afb8919d5fd50bf9a8ed574fbb17c3a706c6d8acbd3a23a65ef7967ab4cf7c5e5c07160baea72a92d1396c8a7fa0283ecca6634f780e7b70d4b5
- SSDEEP: 49152:sBuZrEUWa2hMBZwvwwOfdmoSjF+UHviqF7I4nv+GE0KIy029s4C1eH9t:ykLP2kZwo5fGHvtcOt29s4C1eH9t
Malware Config
Signatures
Detect Blackmoon payload (4 IoCs)
resource / yara_rule:
- behavioral1/memory/1548-88-0x0000000002A50000-0x0000000002B3D000-memory.dmp: family_blackmoon
- behavioral1/memory/1548-86-0x0000000002A50000-0x0000000002B3D000-memory.dmp: family_blackmoon
- behavioral1/memory/1548-132-0x0000000002A50000-0x0000000002B3D000-memory.dmp: family_blackmoon
- behavioral1/memory/1548-133-0x0000000002A50000-0x0000000002B3D000-memory.dmp: family_blackmoon
Gh0st RAT payload (3 IoCs)
resource / yara_rule:
- behavioral1/memory/1548-120-0x0000000010001000-0x000000001000F000-memory.dmp: family_gh0strat
- behavioral1/memory/1548-121-0x0000000010000000-0x0000000010017000-memory.dmp: family_gh0strat
- behavioral1/memory/1548-138-0x0000000010000000-0x0000000010003000-memory.dmp: family_gh0strat
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp)
- Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (jsbbv.exe)
Executes dropped EXE (2 IoCs)
pid / Process:
- 1816: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp
- 1548: jsbbv.exe
Loads dropped DLL (1 IoC)
pid / Process:
- 1548: jsbbv.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdatem = "C:\\Users\\Public\\62893048\\Applicationgjrza.exe" (jsbbv.exe)
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process: File opened (read-only) by jsbbv.exe for each of
- \??\E:, \??\G:, \??\Q:, \??\U:, \??\X:, \??\Y:, \??\Z:, \??\B:, \??\J:, \??\K:, \??\L:, \??\M:, \??\S:, \??\T:, \??\H:, \??\P:, \??\R:, \??\N:, \??\O:, \??\V:, \??\W:, \??\I:
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (jsbbv.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (jsbbv.exe)
Modifies registry class (1 IoC)
description / ioc / Process:
- Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (jsbbv.exe)
Opens file in notepad (likely ransom note) (1 IoC)
pid / Process:
- 3004: NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process:
- 1816: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp (2 entries)
- 1548: jsbbv.exe (62 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description / pid / Process:
- Token: 33, 1548 jsbbv.exe (2 entries)
- Token: SeIncBasePriorityPrivilege, 1548 jsbbv.exe (2 entries)
Suspicious use of FindShellTrayWindow (1 IoC)
pid / Process:
- 1816: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp
Suspicious use of SetWindowsHookEx (6 IoCs)
pid / Process:
- 1548: jsbbv.exe (6 entries)
Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / Process / procid_target:
- PID 3576 wrote to memory of 1816; 3576 e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe; target 83 (3 entries)
- PID 1816 wrote to memory of 2876; 1816 e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp; target 85 (3 entries)
- PID 2876 wrote to memory of 1548; 2876 cmd.exe; target 87 (3 entries)
- PID 1548 wrote to memory of 3004; 1548 jsbbv.exe; target 88 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe"
   PID: 3576
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-UJ4ML.tmp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-UJ4ML.tmp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp" /SL5="$F002A,2955638,832512,C:\Users\Admin\AppData\Local\Temp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe"
      PID: 1816
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\offdnee\auunfs.bat" "
         PID: 2876
         - Suspicious use of WriteProcessMemory
         4. \??\c:\offdnee\jsbbv.exe
            Command line: jsbbv.exe
            PID: 1548
            - Checks computer location settings
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Enumerates connected drives
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\NOTEPAD.EXE
               Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jsbbv.txt
               PID: 3004
               - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\is-UJ4ML.tmp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp
  Filesize: 3.1MB
  MD5: b8b541de47d2028e1461bf8da2b986eb
  SHA1: 8d796773655fbaa6bbd1b5dffbd62717137b8dcc
  SHA256: 8235b6262165c66d2176cb9aee2928fd67e399ed6265e7df01104e7f7502bfa6
  SHA512: 8c4cfb0337f858ff8735e983a1422b950589df4427b1a865c3aa95aa9da6b00c1af206baecd2c3a3755b3fef2cc67e8a1483dad29670a53d557a7f22cc2f3b0e