
Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/05/2024, 08:58

General

  • Target

    e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe

  • Size

    3.6MB

  • MD5

    b40e72d5ff5fd58c9a28e0cc6c968252

  • SHA1

    a2b3cfd65c904cf2a69a36983ab784abedf3df97

  • SHA256

    e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416

  • SHA512

    d2eb5e85d002afb8919d5fd50bf9a8ed574fbb17c3a706c6d8acbd3a23a65ef7967ab4cf7c5e5c07160baea72a92d1396c8a7fa0283ecca6634f780e7b70d4b5

  • SSDEEP

    49152:sBuZrEUWa2hMBZwvwwOfdmoSjF+UHviqF7I4nv+GE0KIy029s4C1eH9t:ykLP2kZwo5fGHvtcOt29s4C1eH9t

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe
    "C:\Users\Admin\AppData\Local\Temp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Users\Admin\AppData\Local\Temp\is-A6PSV.tmp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-A6PSV.tmp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp" /SL5="$8006A,2955638,832512,C:\Users\Admin\AppData\Local\Temp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\offdnee\auunfs.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:472
        • \??\c:\offdnee\jsbbv.exe
          jsbbv.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4620
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jsbbv.txt
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:1072
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1988
            5⤵
            • Program crash
            PID:4360
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4620 -ip 4620
    1⤵
    PID:4272

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\is-A6PSV.tmp\e8a42131a7aa2b3f08cedbd402e4877bf2eea179425b14f1b4665b654bed2416.tmp

      Filesize

      3.1MB

      MD5

      b8b541de47d2028e1461bf8da2b986eb

      SHA1

      8d796773655fbaa6bbd1b5dffbd62717137b8dcc

      SHA256

      8235b6262165c66d2176cb9aee2928fd67e399ed6265e7df01104e7f7502bfa6

      SHA512

      8c4cfb0337f858ff8735e983a1422b950589df4427b1a865c3aa95aa9da6b00c1af206baecd2c3a3755b3fef2cc67e8a1483dad29670a53d557a7f22cc2f3b0e

    • C:\Users\Admin\AppData\Local\Temp\jsbbv.txt

      Filesize

      649KB

      MD5

      d504f3e79833f38f69ab0696a9ed8205

      SHA1

      88ca3e8ec7886048102125539b22b2e7d3ec3dc5

      SHA256

      174c0c0d80346d35c31674baf20f06040341ebd6b5103c762e64fb7e1b4a244c

      SHA512

      bc28d5566b5569f3a69ceb6b7c6db200aa22d6fcc41d4c03b18472143a44b58e8e4afa7d445c573d75f2cd3d375ae3cf568bc23f13e342cc80ee9f84c74638c1

    • C:\Users\Public\Documents\ahbvf.dll

      Filesize

      2KB

      MD5

      7943effe67a4647e06def2348949020e

      SHA1

      eabd561f0639a975de259633f63896d82c3f878d

      SHA256

      3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

      SHA512

      c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

    • C:\Users\Public\Documents\sjsw.log

      Filesize

      207B

      MD5

      1f48ec34cbb3f2133f0db123f28781c2

      SHA1

      4d5b94aab5a281ce91ff1ffb9f7b7529fc5c91ca

      SHA256

      8274e041222194ac750c128a29ab7e6dd2f7bef46338a5c66c2640be64ad8597

      SHA512

      7a9573515769c88fb51cdaf2bfb8d946a934e0bfe64b61cad4baa889ede057eb79533d6186af5743ff0531237ddf4a44f216593b0574e96773f8786074eb3214

    • C:\offdnee\auunfs.bat

      Filesize

      337B

      MD5

      ece5ab7244e545593129ed6975fea7ad

      SHA1

      aad3a17e35451b8cb3a16c417d516c426af1d9ee

      SHA256

      1b5c15952e04aba0d9b9a4b52b2fb6cab7fc3be7fa597aa6b94b2158f54f64dd

      SHA512

      2261493189db28dde8b8af488bce1865d1d095f198825d665867c9414936fbd37527dcef008b45bbe1f48170a4ceec97c952ab9b72a53d3ec4601c2f80c104a6

    • C:\offdnee\cc.dat

      Filesize

      640KB

      MD5

      2aa11fa3b80a06c6eac2dc8fd4ae1ded

      SHA1

      6d0234f6139ca7edcfe0e09a57ff09652987c30f

      SHA256

      4ef003d03f19f54e4bc1b39d796628d7a490b29ac2d222df27404225c694e3d7

      SHA512

      666e68672aa085a61656f9e27e76af0afcfd1a993ef62a172966288438cf3a71fd807fac2a1901582a4acb080f5a5c35936d416b1c4fe5d6016201f706debe24

    • C:\offdnee\clientconf.ini

      Filesize

      2B

      MD5

      ac6ad5d9b99757c3a878f2d275ace198

      SHA1

      439baa1b33514fb81632aaf44d16a9378c5664fc

      SHA256

      9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

      SHA512

      bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

    • C:\offdnee\nnls_recorder.exe

      Filesize

      342KB

      MD5

      09c53e6211a6f2b4c8f88e903b454442

      SHA1

      6c3756b5e5f0dd580552cc6b47197e5a1c289e9e

      SHA256

      fb5c8b5c6dbe07ed87de33cc2fd6d0c4dbdc0c09d48c0501984b23fd219b74c0

      SHA512

      eed140ddebee749544f5adb13b6a2aa4dcbc7ae033896981ef6149ca9521c50c0360aac1b7bf62623bd20c95c81b5417dfc1cdf0877b41dce1726376181c55b3

    • C:\offdnee\zy.txt

      Filesize

      91KB

      MD5

      25e6ce21e85fab3d21b6ee6df5089a41

      SHA1

      7dff799698789779412b1877df1b4b522397c77c

      SHA256

      023a19f93dd20591263656350af905e009dec56f579e33773e8be3dd22bfa089

      SHA512

      0530028eca643f0491ba5d5b07a347354ce28bb188d91e12ed8c20a575cb8f2ee967ecddcfd66b9da4172fc8424508a16f37979eb3693598c3e42e13b2e81f0b

    • \??\c:\offdnee\jsbbv.exe

      Filesize

      640KB

      MD5

      e90a533ecf1cc7684fd37be80e2e2702

      SHA1

      5d96a64eb8f7be0787229a4cc7a58b5d67d22925

      SHA256

      716a2299a052791abfb5df3820685dfe2c1734a0e8d356e876c68198efe3ef8f

      SHA512

      cce9a52eb1dbe233dbd25f0a12908b395c50641d7feb613c856bd79200db41bd555a7e9785ee9de700649deab91aabeba48db93154d24b4d3ea1e0b85ae440ba

    • memory/2188-6-0x0000000000400000-0x000000000071C000-memory.dmp

      Filesize

      3.1MB

    • memory/2188-67-0x0000000000400000-0x000000000071C000-memory.dmp

      Filesize

      3.1MB

    • memory/4620-118-0x0000000003C50000-0x0000000003D46000-memory.dmp

      Filesize

      984KB

    • memory/4620-117-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/4620-87-0x0000000002A70000-0x0000000002B5D000-memory.dmp

      Filesize

      948KB

    • memory/4620-85-0x0000000002A70000-0x0000000002B5D000-memory.dmp

      Filesize

      948KB

    • memory/4620-78-0x0000000000400000-0x00000000005C0000-memory.dmp

      Filesize

      1.8MB

    • memory/4620-110-0x0000000000400000-0x00000000005C0000-memory.dmp

      Filesize

      1.8MB

    • memory/4620-79-0x0000000000400000-0x00000000005C0000-memory.dmp

      Filesize

      1.8MB

    • memory/4620-135-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/4620-140-0x0000000010000000-0x0000000010003000-memory.dmp

      Filesize

      12KB

    • memory/4620-115-0x0000000003C50000-0x0000000003D46000-memory.dmp

      Filesize

      984KB

    • memory/4620-116-0x0000000003C50000-0x0000000003D46000-memory.dmp

      Filesize

      984KB

    • memory/4620-77-0x0000000000400000-0x00000000005C0000-memory.dmp

      Filesize

      1.8MB

    • memory/4620-138-0x0000000002A70000-0x0000000002B5D000-memory.dmp

      Filesize

      948KB

    • memory/4620-119-0x0000000010001000-0x000000001000F000-memory.dmp

      Filesize

      56KB

    • memory/4620-122-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/4620-120-0x0000000010000000-0x0000000010017000-memory.dmp

      Filesize

      92KB

    • memory/4620-131-0x0000000002A70000-0x0000000002B5D000-memory.dmp

      Filesize

      948KB

    • memory/4620-132-0x0000000000400000-0x00000000005C0000-memory.dmp

      Filesize

      1.8MB

    • memory/4992-0-0x0000000000400000-0x00000000004D8000-memory.dmp

      Filesize

      864KB

    • memory/4992-2-0x0000000000401000-0x00000000004B7000-memory.dmp

      Filesize

      728KB

    • memory/4992-69-0x0000000000400000-0x00000000004D8000-memory.dmp

      Filesize

      864KB