Analysis
max time kernel: 143s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/06/2024, 15:00
Behavioral task: behavioral1
Sample: f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
Resource: win7-20240611-en
General
Target: f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
Size: 14.8MB
MD5: 7c2310e2caf1397a700834035873da8e
SHA1: 50c8962cccc99a846cd8fb99412d2aca4b28b0ad
SHA256: f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb
SHA512: f167bf67f9c82ecb0c7da95b972895174320aa94f3c1a234493eeefd064a29ee03c2925c16e0e39818534ea9049ec6a765b56a0edc4ce73c6835e1188c6ca344
SSDEEP: 393216:gPDPMlFbN6yoNBkExhHDa76y36aqcXG+A1ysSMc4:Y07Uyo/D876vaqJ16x4
Malware Config
Signatures
Detect Blackmoon payload (8 IoCs)
resource: yara_rule
behavioral2/memory/3464-2-0x0000000000400000-0x0000000000926000-memory.dmp: family_blackmoon
behavioral2/memory/3464-1-0x0000000000400000-0x0000000000926000-memory.dmp: family_blackmoon
behavioral2/memory/3464-3-0x0000000000400000-0x0000000000926000-memory.dmp: family_blackmoon
behavioral2/memory/3464-17-0x0000000000400000-0x0000000000926000-memory.dmp: family_blackmoon
behavioral2/memory/4756-19-0x0000000000400000-0x0000000000926000-memory.dmp: family_blackmoon
behavioral2/memory/4756-18-0x0000000000400000-0x0000000000926000-memory.dmp: family_blackmoon
behavioral2/memory/4756-21-0x0000000000400000-0x0000000000926000-memory.dmp: family_blackmoon
behavioral2/memory/4756-50-0x0000000000400000-0x0000000000926000-memory.dmp: family_blackmoon
resource: yara_rule
behavioral2/files/0x0007000000023626-14.dat: aspack_v212_v242
Executes dropped EXE (1 IoC)
pid 4756: 33277f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe opened the following paths read-only, in the order recorded:
\??\G:, \??\H:, \??\K:, \??\P:, \??\S:, \??\V:, \??\A:, \??\L:, \??\R:, \??\U:, \??\X:, \??\Y:, \??\Z:, \??\B:, \??\I:, \??\J:, \??\N:, \??\O:, \??\W:, \??\E:, \??\M:, \??\Q:, \??\T:
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (6 IoCs)
pid 3464: f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe (3 occurrences)
pid 4756: 33277f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe (3 occurrences)
Suspicious use of WriteProcessMemory (3 IoCs)
PID 3464 (f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe) wrote to memory of PID 4756, procid_target 94 (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe (PID 3464)
   command line: "C:\Users\Admin\AppData\Local\Temp\f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe"
   - Enumerates connected drives
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\¾ÅÖÝ´«Ææ\33277f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe (PID 4756, child of PID 3464)
      command line: C:\¾ÅÖÝ´«Ææ\33277f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4160)
   command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 12B
MD5: 16d3524c8a0205605112b32c3200eb75
SHA1: 320c6217513556163cbdf25393b34b21457d42b9
SHA256: 596097582ce23b86fd85ea7b7afb9e8e182a24102c203035fa80f7836de95e2a
SHA512: eabb314dc41c8cad87950c51037285c1cd9676e28b38e85af5e18b282429228fa8ec146a1b3a53bcd656b4058c9cfcc91ee33cca08cd168d5123d49c440c21e3
File 2
Filesize: 14.8MB
MD5: 7c2310e2caf1397a700834035873da8e
SHA1: 50c8962cccc99a846cd8fb99412d2aca4b28b0ad
SHA256: f97c0223f7aaa977c35759c07610a4ce153ec259b1caeefdd53204a7e6470ffb
SHA512: f167bf67f9c82ecb0c7da95b972895174320aa94f3c1a234493eeefd064a29ee03c2925c16e0e39818534ea9049ec6a765b56a0edc4ce73c6835e1188c6ca344