Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
25/08/2024, 00:26
General
-
Target
c7f88c32a84d0749d4bd5a9a45e8d150N.exe
-
Size
93KB
-
MD5
c7f88c32a84d0749d4bd5a9a45e8d150
-
SHA1
77538844c4dd3b3c7d36b5981b3103b09bf331ff
-
SHA256
de82ce87a4bc0524ff90e1dc9ee8ff43d152208150d8d119dbc1621a268fc385
-
SHA512
343c3b1f687653f2b4bbf9d4dc4752bbe56b6ff983c075a875950a570a4839e8d361f580da0b070b8dd899a2faa4752cdc44a473efe84809566e8f8700bf72f2
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2lmf6g7xQ5z:ymb3NkkiQ3mdBjF+3TU20LQR
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7f88c32a84d0749d4bd5a9a45e8d150N.exe"C:\Users\Admin\AppData\Local\Temp\c7f88c32a84d0749d4bd5a9a45e8d150N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhtnn.exec:\bhhtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpdd.exec:\pjpdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrlffx.exec:\flrlffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlrlll.exec:\rxlrlll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvp.exec:\dvvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7djdp.exec:\7djdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffrllr.exec:\rffrllr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdvd.exec:\vjdvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxrllf.exec:\llxrllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrrrr.exec:\frxrrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhbtn.exec:\thhbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvvvp.exec:\pvvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvpv.exec:\jvvpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrllll.exec:\xrrllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvp.exec:\jddvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lffxff.exec:\3lffxff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhbhn.exec:\bbhbhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppvp.exec:\pppvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvpj.exec:\ddvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxrffx.exec:\xlxrffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9lrlfxr.exec:\9lrlfxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnttnh.exec:\bnttnh.exe23⤵
- Executes dropped EXE
-
\??\c:\dvdpd.exec:\dvdpd.exe24⤵
- Executes dropped EXE
-
\??\c:\jdvdd.exec:\jdvdd.exe25⤵
- Executes dropped EXE
-
\??\c:\lxlffll.exec:\lxlffll.exe26⤵
- Executes dropped EXE
-
\??\c:\hhbbtt.exec:\hhbbtt.exe27⤵
- Executes dropped EXE
-
\??\c:\htbnht.exec:\htbnht.exe28⤵
- Executes dropped EXE
-
\??\c:\pvpdv.exec:\pvpdv.exe29⤵
- Executes dropped EXE
-
\??\c:\5flrlll.exec:\5flrlll.exe30⤵
- Executes dropped EXE
-
\??\c:\1frfxrr.exec:\1frfxrr.exe31⤵
- Executes dropped EXE
-
\??\c:\tnhbtn.exec:\tnhbtn.exe32⤵
- Executes dropped EXE
-
\??\c:\ppjvp.exec:\ppjvp.exe33⤵
- Executes dropped EXE
-
\??\c:\rlrlxrl.exec:\rlrlxrl.exe34⤵
- Executes dropped EXE
-
\??\c:\ttbttn.exec:\ttbttn.exe35⤵
- Executes dropped EXE
-
\??\c:\hntnbb.exec:\hntnbb.exe36⤵
- Executes dropped EXE
-
\??\c:\jdvpv.exec:\jdvpv.exe37⤵
- Executes dropped EXE
-
\??\c:\jvvpd.exec:\jvvpd.exe38⤵
- Executes dropped EXE
-
\??\c:\rfrlxxr.exec:\rfrlxxr.exe39⤵
- Executes dropped EXE
-
\??\c:\nnnnhh.exec:\nnnnhh.exe40⤵
- Executes dropped EXE
-
\??\c:\7hbbtt.exec:\7hbbtt.exe41⤵
- Executes dropped EXE
-
\??\c:\jpjdv.exec:\jpjdv.exe42⤵
- Executes dropped EXE
-
\??\c:\xxxxxfx.exec:\xxxxxfx.exe43⤵
- Executes dropped EXE
-
\??\c:\xllfflr.exec:\xllfflr.exe44⤵
- Executes dropped EXE
-
\??\c:\nbbbhb.exec:\nbbbhb.exe45⤵
- Executes dropped EXE
-
\??\c:\1tbnhh.exec:\1tbnhh.exe46⤵
- Executes dropped EXE
-
\??\c:\xllfxrl.exec:\xllfxrl.exe47⤵
- Executes dropped EXE
-
\??\c:\rlfrllf.exec:\rlfrllf.exe48⤵
- Executes dropped EXE
-
\??\c:\nhhbtt.exec:\nhhbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\bnhhbb.exec:\bnhhbb.exe50⤵
- Executes dropped EXE
-
\??\c:\pjppd.exec:\pjppd.exe51⤵
- Executes dropped EXE
-
\??\c:\7vppj.exec:\7vppj.exe52⤵
- Executes dropped EXE
-
\??\c:\llrxrrr.exec:\llrxrrr.exe53⤵
- Executes dropped EXE
-
\??\c:\fxllfff.exec:\fxllfff.exe54⤵
- Executes dropped EXE
-
\??\c:\7htbtt.exec:\7htbtt.exe55⤵
- Executes dropped EXE
-
\??\c:\thhhht.exec:\thhhht.exe56⤵
- Executes dropped EXE
-
\??\c:\7vjpp.exec:\7vjpp.exe57⤵
- Executes dropped EXE
-
\??\c:\pvvjd.exec:\pvvjd.exe58⤵
- Executes dropped EXE
-
\??\c:\rffxxrx.exec:\rffxxrx.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nhhhbh.exec:\nhhhbh.exe60⤵
- Executes dropped EXE
-
\??\c:\tbtttt.exec:\tbtttt.exe61⤵
- Executes dropped EXE
-
\??\c:\pjppj.exec:\pjppj.exe62⤵
- Executes dropped EXE
-
\??\c:\ddppd.exec:\ddppd.exe63⤵
- Executes dropped EXE
-
\??\c:\rrlllxl.exec:\rrlllxl.exe64⤵
- Executes dropped EXE
-
\??\c:\lllllrr.exec:\lllllrr.exe65⤵
- Executes dropped EXE
-
\??\c:\bhbtbb.exec:\bhbtbb.exe66⤵
-
\??\c:\bnttnh.exec:\bnttnh.exe67⤵
-
\??\c:\jjdvd.exec:\jjdvd.exe68⤵
-
\??\c:\dvdjj.exec:\dvdjj.exe69⤵
-
\??\c:\xrlllll.exec:\xrlllll.exe70⤵
-
\??\c:\xlllflf.exec:\xlllflf.exe71⤵
-
\??\c:\nbhhhh.exec:\nbhhhh.exe72⤵
-
\??\c:\bbbbbb.exec:\bbbbbb.exe73⤵
-
\??\c:\dvdpp.exec:\dvdpp.exe74⤵
-
\??\c:\dvjjj.exec:\dvjjj.exe75⤵
-
\??\c:\xrlrrfr.exec:\xrlrrfr.exe76⤵
-
\??\c:\lrxxxfx.exec:\lrxxxfx.exe77⤵
-
\??\c:\7bnntb.exec:\7bnntb.exe78⤵
-
\??\c:\ttnnhh.exec:\ttnnhh.exe79⤵
-
\??\c:\dpdvp.exec:\dpdvp.exe80⤵
-
\??\c:\jdjdd.exec:\jdjdd.exe81⤵
-
\??\c:\frxxrrr.exec:\frxxrrr.exe82⤵
-
\??\c:\tthbtt.exec:\tthbtt.exe83⤵
-
\??\c:\bbnhtt.exec:\bbnhtt.exe84⤵
-
\??\c:\djppj.exec:\djppj.exe85⤵
-
\??\c:\pjppp.exec:\pjppp.exe86⤵
-
\??\c:\jvddj.exec:\jvddj.exe87⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rxlllrr.exec:\rxlllrr.exe88⤵
-
\??\c:\hbbbtb.exec:\hbbbtb.exe89⤵
-
\??\c:\bnnnhb.exec:\bnnnhb.exe90⤵
-
\??\c:\vvpjj.exec:\vvpjj.exe91⤵
-
\??\c:\3jddj.exec:\3jddj.exe92⤵
-
\??\c:\rrxrfll.exec:\rrxrfll.exe93⤵
-
\??\c:\7hhhhh.exec:\7hhhhh.exe94⤵
-
\??\c:\hbbnbh.exec:\hbbnbh.exe95⤵
-
\??\c:\hhnhbb.exec:\hhnhbb.exe96⤵
-
\??\c:\pddvv.exec:\pddvv.exe97⤵
-
\??\c:\ppdvd.exec:\ppdvd.exe98⤵
-
\??\c:\llllrrl.exec:\llllrrl.exe99⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lflxlxl.exec:\lflxlxl.exe100⤵
-
\??\c:\ttbbhh.exec:\ttbbhh.exe101⤵
-
\??\c:\tthbbb.exec:\tthbbb.exe102⤵
-
\??\c:\pjppd.exec:\pjppd.exe103⤵
-
\??\c:\djpjd.exec:\djpjd.exe104⤵
-
\??\c:\rfxlrxx.exec:\rfxlrxx.exe105⤵
-
\??\c:\xrxfxfx.exec:\xrxfxfx.exe106⤵
-
\??\c:\ttnnhh.exec:\ttnnhh.exe107⤵
-
\??\c:\ntbhhn.exec:\ntbhhn.exe108⤵
-
\??\c:\bbnhbh.exec:\bbnhbh.exe109⤵
-
\??\c:\vvvvj.exec:\vvvvj.exe110⤵
-
\??\c:\dvdvv.exec:\dvdvv.exe111⤵
-
\??\c:\xrrrlll.exec:\xrrrlll.exe112⤵
-
\??\c:\lfxxrrr.exec:\lfxxrrr.exe113⤵
-
\??\c:\ttntth.exec:\ttntth.exe114⤵
-
\??\c:\bbnnbb.exec:\bbnnbb.exe115⤵
-
\??\c:\ddjjj.exec:\ddjjj.exe116⤵
-
\??\c:\vvddv.exec:\vvddv.exe117⤵
-
\??\c:\flfxrfx.exec:\flfxrfx.exe118⤵
-
\??\c:\xxrllll.exec:\xxrllll.exe119⤵
-
\??\c:\lffffll.exec:\lffffll.exe120⤵
-
\??\c:\hntnnh.exec:\hntnnh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-