Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
08/06/2024, 08:16
Static task
static1
Behavioral task
behavioral1
Sample
f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe
Resource
win10v2004-20240508-en
General
-
Target
f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe
-
Size
6.0MB
-
MD5
8c0f0f48bf7086d1f9d9190a5c8a0b6e
-
SHA1
1f5b4c8b25d68c5696d48c96fba5680dd82a4dd5
-
SHA256
f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1
-
SHA512
eba62d38dd16d3a711762638751278bc83cc5c7e670e67270427c1f79fd0066977b0b4c6838521014d6c687b896458d51e05b931208262455cf440cb01bba4cf
-
SSDEEP
98304:YJSdDP4p289p8NyUJYnBquzfc050vvZ16oAcs9XIcGcU09AQFGbVDs9o36QA:D9Eh9pk9JYnBDzk0qZ16oAcs9XI1ksKb
Malware Config
Signatures
-
Detect Blackmoon payload 1 IoCs
resource yara_rule behavioral1/files/0x00070000000153c7-11.dat family_blackmoon -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 44WI0n0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\44WI0n0 = "C:\\ProgramData\\Aicica\\{E8dzJaUJX3X34h08}\\44WI0n0.exe" 44WI0n0.exe -
Executes dropped EXE 1 IoCs
pid Process 2756 44WI0n0.exe -
Loads dropped DLL 2 IoCs
pid Process 2936 f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 2756 44WI0n0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2756 44WI0n0.exe 2756 44WI0n0.exe 2756 44WI0n0.exe 2756 44WI0n0.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2756 44WI0n0.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 2756 44WI0n0.exe 2756 44WI0n0.exe 2756 44WI0n0.exe 2756 44WI0n0.exe 2756 44WI0n0.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2868 wrote to memory of 2936 2868 f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 28 PID 2868 wrote to memory of 2936 2868 f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 28 PID 2868 wrote to memory of 2936 2868 f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 28 PID 2868 wrote to memory of 2936 2868 f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 28 PID 2936 wrote to memory of 2756 2936 f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 29 PID 2936 wrote to memory of 2756 2936 f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 29 PID 2936 wrote to memory of 2756 2936 f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 29 PID 2936 wrote to memory of 2756 2936 f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe"C:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exeC:\Users\Admin\AppData\Local\Temp\f6181f9e5f4c319804561999c27f5ab02d1c6820e832823044816f1974ebc7d1.exe 45063C065A065606740669066106740667066B0642066706720667065A0647066F0665066F06650667065A067D0643063E0662067C064C06670653064C065E0635065E06350632066E0636063E067B065A063206320651064F06360668063606--3652⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\ProgramData\Aicica\{E8dzJaUJX3X34h08}\44WI0n0.exe"C:\ProgramData\Aicica\{E8dzJaUJX3X34h08}\44WI0n0.exe"3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2756
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
369B
MD54e30f5f935e911d761695dc7cbafc7df
SHA175d6e98a53276fa4a746e998b53fa0a0795c0023
SHA256617cc5c99b2445b4c66e437de26214d559c04f94b301d306d4a222ed75b62af0
SHA5128bc18bfe4fd9a844fa8c7c9a3a8a3006f802047fcaf1c3c3ab38061f64183cdc5b77ece0441ea7d9d7c87e864dc291c270734eea834fc5b77bb508847dfe99aa
-
Filesize
41KB
MD590f1cbf523b201c20adf2e6cb5a91e2d
SHA1e485907216de02d71a127623d6d8b155fa25aafa
SHA25684ef8cba9b668bf3c2f47cfe2efc6fb4821fada314959a36419443efe41967d2
SHA5126d121b48dba3a48d7dceb0baad629b7ad195b7f47d267f8f3295cead8940836ced45abac716fd54504b603ad9d3eb57ffd2a36f2c3e183d65df051ceba694521
-
Filesize
4.5MB
MD5ba1443306d4b071b8be748ce6b643615
SHA130b0541cc9da303e0d79ab1a2c9549253a8290e3
SHA256cf0887a6af4acbb23090700e13600ad62b1fb93ecca7994c1c6a5a1d439d3d72
SHA512c9faab1fd7d9b646547e829fc0082efa5a234900eebb4bd75d57ad859d3d1ac3ef691613cfcfff9d38a789f95d66ec5f727c8c54e83816fb647cd8f6763cca51