Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/06/2024, 18:45

General

  • Target

    e46d7c0ef3b8f44d17e5f391e53fdc992c9125e9a99b8c709d623ff865dac21b.exe

  • Size

    89KB

  • MD5

    bf9fca4cd65d1d0e6e242733650f7783

  • SHA1

    7d969fa24c271f7104986eb5e8463c3d803040cd

  • SHA256

    e46d7c0ef3b8f44d17e5f391e53fdc992c9125e9a99b8c709d623ff865dac21b

  • SHA512

    079577c0807ef3af8a014a510d3c42dc5a4809ab461fc0a0950c167539a7a3084291f084d48ec85f1255a0e256c85b62c9f9ab98ae8da0c218b448b63fa43b8a

  • SSDEEP

    1536:5+4hkM3Yz8wMZhUD2XsjEQWOSkE+Ct6WKBex3GWU5FkWp+AmQwKGSZhCQbIo/tSI:dq6OLM3QasY5Ft71fqWWp+efG4hCQrR

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e46d7c0ef3b8f44d17e5f391e53fdc992c9125e9a99b8c709d623ff865dac21b.exe
    "C:\Users\Admin\AppData\Local\Temp\e46d7c0ef3b8f44d17e5f391e53fdc992c9125e9a99b8c709d623ff865dac21b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\Syslemondjj.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemondjj.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    9e79a9808e21509cbdcf8e1f1e447b49

    SHA1

    eae0d6ac51aa68f2d119b381c3f9ad57d4d74b1d

    SHA256

    f88807a04d048d0bb611268b476c9a0c8814d4d016faf5e7827d1e857846cc87

    SHA512

    3d493b05a00f0b6aec62284e00dd087e6338c738e0e9c426f616ef8b3c903eb914f2eb91a389fcd12469bec4dc7ffc6ad7b365c0c37d388842fa856254f3d923

  • \Users\Admin\AppData\Local\Temp\Syslemondjj.exe

    Filesize

    89KB

    MD5

    056a84d2bfd95391ee18f22a9b7a3028

    SHA1

    8596f39d5c975fc71fab8bc24b89c40e9a957352

    SHA256

    981f4cd6ad0d04e698c9ae4d4b665e460db0039b1dbfe411f0b53606a088ef0d

    SHA512

    55e2833dd7d9905168b8eecd24084dd832191b252f75991acca18035b35c146b73c05e7273711266dc56b7132d93490b628c97c8c6616f1a8930d63960dfa5f5

  • memory/2360-0-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2360-9-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2360-15-0x00000000035B0000-0x000000000362F000-memory.dmp

    Filesize

    508KB

  • memory/2720-20-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB