Analysis
- max time kernel: 117s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30/05/2024, 08:58
Static task: static1
Behavioral task: behavioral1
- Sample: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe
- Resource: win7-20231129-en
General
- Target: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe
- Size: 3.6MB
- MD5: b40e72d5ff5fd58c9a28e0cc6c968252
- SHA1: a2b3cfd65c904cf2a69a36983ab784abedf3df97
- SHA256: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416
- SHA512: d2eb5e85d002afb8919d5fd50bf9a8ed574fbb17c3a706c6d8acbd3a23a65ef7967ab4cf7c5e5c07160baea72a92d1396c8a7fa0283ecca6634f780e7b70d4b5
- SSDEEP: 49152:sBuZrEUWa2hMBZwvwwOfdmoSjF+UHviqF7I4nv+GE0KIy029s4C1eH9t:ykLP2kZwo5fGHvtcOt29s4C1eH9t
Malware Config
Signatures
- Detect Blackmoon payload (4 IoCs)
  yara_rule family_blackmoon matched in:
  - behavioral1/memory/2612-100-0x00000000021D0000-0x00000000022BD000-memory.dmp
  - behavioral1/memory/2612-99-0x00000000021D0000-0x00000000022BD000-memory.dmp
  - behavioral1/memory/2612-145-0x00000000021D0000-0x00000000022BD000-memory.dmp
  - behavioral1/memory/2612-146-0x00000000021D0000-0x00000000022BD000-memory.dmp
- Gh0st RAT payload (1 IoC)
  yara_rule family_gh0strat matched in:
  - behavioral1/memory/2612-133-0x0000000010000000-0x0000000010017000-memory.dmp
- Executes dropped EXE (2 IoCs)
  - PID 956: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp
  - PID 2612: jsbbv.exe
- Loads dropped DLL (5 IoCs)
  - PID 2264: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe
  - PID 956: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp
  - PID 2540: cmd.exe (2 entries)
  - PID 2612: jsbbv.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\qdatem = "C:\\Users\\Public\\95120790\\Applicationlsabu.exe" by jsbbv.exe
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only) by jsbbv.exe: \??\R:, \??\S:, \??\U:, \??\W:, \??\B:, \??\E:, \??\L:, \??\O:, \??\Z:, \??\T:, \??\V:, \??\H:, \??\K:, \??\M:, \??\N:, \??\G:, \??\I:, \??\P:, \??\Y:, \??\J:, \??\Q:, \??\X:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by jsbbv.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by jsbbv.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  - PID 2856: NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
  - PID 956: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp (2 entries)
  - PID 2612: jsbbv.exe (remaining 41 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: 33, PID 2612 jsbbv.exe
  - Token: SeIncBasePriorityPrivilege, PID 2612 jsbbv.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 956: e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp
- Suspicious use of SetWindowsHookEx (6 IoCs)
  - PID 2612: jsbbv.exe (6 entries)
- Suspicious use of UnmapMainImage (1 IoC)
  - PID 2612: jsbbv.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  - PID 2264 (e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe) wrote to memory of PID 956, procid_target 28 (7 entries)
  - PID 956 (e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp) wrote to memory of PID 2540, procid_target 29 (4 entries)
  - PID 2540 (cmd.exe) wrote to memory of PID 2612, procid_target 31 (4 entries)
  - PID 2612 (jsbbv.exe) wrote to memory of PID 2856, procid_target 32 (4 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe (PID 2264)
    command line: "C:\Users\Admin\AppData\Local\Temp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\is-OFEU5.tmp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp (PID 956)
      command line: "C:\Users\Admin\AppData\Local\Temp\is-OFEU5.tmp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp" /SL5="$70120,2955638,832512,C:\Users\Admin\AppData\Local\Temp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2540)
        command line: cmd /c ""C:\offdnee\auunfs.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\offdnee\jsbbv.exe (PID 2612)
          command line: jsbbv.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Enumerates connected drives
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\NOTEPAD.EXE (PID 2856)
            command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jsbbv.txt
            - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads