Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02/09/2024, 02:55
General
-
Target
b631c5c66bef2e77934162d152b05ae5576830fc4cf3f3e25bbb2903663a9916.exe
-
Size
79KB
-
MD5
5bf3d85491ed0bb928281b5d7381a0af
-
SHA1
c0b66e5d9d4cd6ecfb090f15417da0ce710512f0
-
SHA256
b631c5c66bef2e77934162d152b05ae5576830fc4cf3f3e25bbb2903663a9916
-
SHA512
fbe1757fd1d78341d9250bb771efaeca74e36e8880e1e462588e5e5b0e8e59ee4eed3be0c8ee4ceb7bbc3036c028949f2c7922495c1f6ad13bcc7b0a6b03d9b9
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4yeq:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu4n
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b631c5c66bef2e77934162d152b05ae5576830fc4cf3f3e25bbb2903663a9916.exe"C:\Users\Admin\AppData\Local\Temp\b631c5c66bef2e77934162d152b05ae5576830fc4cf3f3e25bbb2903663a9916.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdvv.exec:\vjdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnbtt.exec:\bnnbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhbtn.exec:\bbhbtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpj.exec:\pdvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jddd.exec:\9jddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrxxrr.exec:\xrrxxrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvvd.exec:\djvvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjjd.exec:\vjjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlrrr.exec:\rlrlrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hntttb.exec:\hntttb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7tnhtt.exec:\7tnhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3dvvj.exec:\3dvvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxxffx.exec:\ffxxffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbbbh.exec:\hbbbbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjpv.exec:\dvjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlffllr.exec:\xlffllr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tntbbb.exec:\tntbbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbtnbb.exec:\hbtnbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vvpp.exec:\7vvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllfxxx.exec:\rllfxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvvp.exec:\jvvvp.exe23⤵
- Executes dropped EXE
-
\??\c:\7lxrrrf.exec:\7lxrrrf.exe24⤵
- Executes dropped EXE
-
\??\c:\9rfxlrx.exec:\9rfxlrx.exe25⤵
- Executes dropped EXE
-
\??\c:\btbhtt.exec:\btbhtt.exe26⤵
- Executes dropped EXE
-
\??\c:\5vpdd.exec:\5vpdd.exe27⤵
- Executes dropped EXE
-
\??\c:\jpvpv.exec:\jpvpv.exe28⤵
- Executes dropped EXE
-
\??\c:\lflfffx.exec:\lflfffx.exe29⤵
- Executes dropped EXE
-
\??\c:\xrfxrrr.exec:\xrfxrrr.exe30⤵
- Executes dropped EXE
-
\??\c:\5nnnhn.exec:\5nnnhn.exe31⤵
- Executes dropped EXE
-
\??\c:\jdpjp.exec:\jdpjp.exe32⤵
- Executes dropped EXE
-
\??\c:\pjdjd.exec:\pjdjd.exe33⤵
- Executes dropped EXE
-
\??\c:\rrrfllx.exec:\rrrfllx.exe34⤵
- Executes dropped EXE
-
\??\c:\tthnbn.exec:\tthnbn.exe35⤵
- Executes dropped EXE
-
\??\c:\3hbtnn.exec:\3hbtnn.exe36⤵
- Executes dropped EXE
-
\??\c:\vpppp.exec:\vpppp.exe37⤵
- Executes dropped EXE
-
\??\c:\xrxrlll.exec:\xrxrlll.exe38⤵
- Executes dropped EXE
-
\??\c:\xrllffx.exec:\xrllffx.exe39⤵
- Executes dropped EXE
-
\??\c:\bhbbtt.exec:\bhbbtt.exe40⤵
- Executes dropped EXE
-
\??\c:\bhhhbh.exec:\bhhhbh.exe41⤵
- Executes dropped EXE
-
\??\c:\5pvpj.exec:\5pvpj.exe42⤵
- Executes dropped EXE
-
\??\c:\jjppp.exec:\jjppp.exe43⤵
- Executes dropped EXE
-
\??\c:\7rrlffx.exec:\7rrlffx.exe44⤵
- Executes dropped EXE
-
\??\c:\lfffflf.exec:\lfffflf.exe45⤵
- Executes dropped EXE
-
\??\c:\nnbbbt.exec:\nnbbbt.exe46⤵
- Executes dropped EXE
-
\??\c:\7thbtt.exec:\7thbtt.exe47⤵
- Executes dropped EXE
-
\??\c:\ddvpj.exec:\ddvpj.exe48⤵
- Executes dropped EXE
-
\??\c:\vppjv.exec:\vppjv.exe49⤵
- Executes dropped EXE
-
\??\c:\llllflx.exec:\llllflx.exe50⤵
- Executes dropped EXE
-
\??\c:\fflrrrl.exec:\fflrrrl.exe51⤵
- Executes dropped EXE
-
\??\c:\ttnhht.exec:\ttnhht.exe52⤵
- Executes dropped EXE
-
\??\c:\bnnnnn.exec:\bnnnnn.exe53⤵
- Executes dropped EXE
-
\??\c:\dvvjp.exec:\dvvjp.exe54⤵
- Executes dropped EXE
-
\??\c:\jvdvd.exec:\jvdvd.exe55⤵
- Executes dropped EXE
-
\??\c:\frrrfxx.exec:\frrrfxx.exe56⤵
- Executes dropped EXE
-
\??\c:\xflxllf.exec:\xflxllf.exe57⤵
- Executes dropped EXE
-
\??\c:\bhhtnt.exec:\bhhtnt.exe58⤵
- Executes dropped EXE
-
\??\c:\ttnhtt.exec:\ttnhtt.exe59⤵
- Executes dropped EXE
-
\??\c:\pjjpj.exec:\pjjpj.exe60⤵
- Executes dropped EXE
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe61⤵
- Executes dropped EXE
-
\??\c:\3xllrlr.exec:\3xllrlr.exe62⤵
- Executes dropped EXE
-
\??\c:\3bhbbb.exec:\3bhbbb.exe63⤵
- Executes dropped EXE
-
\??\c:\nnnhnn.exec:\nnnhnn.exe64⤵
- Executes dropped EXE
-
\??\c:\ddjjp.exec:\ddjjp.exe65⤵
- Executes dropped EXE
-
\??\c:\rxxflxf.exec:\rxxflxf.exe66⤵
-
\??\c:\frffrxf.exec:\frffrxf.exe67⤵
-
\??\c:\ttttnn.exec:\ttttnn.exe68⤵
-
\??\c:\httnhh.exec:\httnhh.exe69⤵
-
\??\c:\jjvvp.exec:\jjvvp.exe70⤵
-
\??\c:\dvdvd.exec:\dvdvd.exe71⤵
-
\??\c:\xrrxxxx.exec:\xrrxxxx.exe72⤵
-
\??\c:\tthbnh.exec:\tthbnh.exe73⤵
-
\??\c:\7hnbnt.exec:\7hnbnt.exe74⤵
-
\??\c:\1pjjv.exec:\1pjjv.exe75⤵
-
\??\c:\7dvjp.exec:\7dvjp.exe76⤵
-
\??\c:\lfxxfxr.exec:\lfxxfxr.exe77⤵
-
\??\c:\lfxrfxl.exec:\lfxrfxl.exe78⤵
-
\??\c:\ntnhtb.exec:\ntnhtb.exe79⤵
-
\??\c:\vvvpj.exec:\vvvpj.exe80⤵
-
\??\c:\jjdjd.exec:\jjdjd.exe81⤵
-
\??\c:\xrllfff.exec:\xrllfff.exe82⤵
-
\??\c:\7hhbtt.exec:\7hhbtt.exe83⤵
-
\??\c:\pddvj.exec:\pddvj.exe84⤵
-
\??\c:\xlxrffx.exec:\xlxrffx.exe85⤵
-
\??\c:\rllxrxl.exec:\rllxrxl.exe86⤵
-
\??\c:\1hnhnn.exec:\1hnhnn.exe87⤵
-
\??\c:\jdvjj.exec:\jdvjj.exe88⤵
-
\??\c:\vjpdj.exec:\vjpdj.exe89⤵
-
\??\c:\lrrrfxl.exec:\lrrrfxl.exe90⤵
-
\??\c:\hnhhhh.exec:\hnhhhh.exe91⤵
-
\??\c:\9hnbnh.exec:\9hnbnh.exe92⤵
-
\??\c:\djvvp.exec:\djvvp.exe93⤵
-
\??\c:\pdvpd.exec:\pdvpd.exe94⤵
-
\??\c:\xlxrlxr.exec:\xlxrlxr.exe95⤵
-
\??\c:\9xrfrlf.exec:\9xrfrlf.exe96⤵
-
\??\c:\9hhhtb.exec:\9hhhtb.exe97⤵
-
\??\c:\ddvpd.exec:\ddvpd.exe98⤵
-
\??\c:\vjdvj.exec:\vjdvj.exe99⤵
-
\??\c:\xxffxfx.exec:\xxffxfx.exe100⤵
-
\??\c:\5fxxrrl.exec:\5fxxrrl.exe101⤵
- System Location Discovery: System Language Discovery
-
\??\c:\tbthbt.exec:\tbthbt.exe102⤵
-
\??\c:\9vpjd.exec:\9vpjd.exe103⤵
-
\??\c:\vjpjd.exec:\vjpjd.exe104⤵
-
\??\c:\rlfxlfr.exec:\rlfxlfr.exe105⤵
-
\??\c:\thtnnt.exec:\thtnnt.exe106⤵
-
\??\c:\9tbnth.exec:\9tbnth.exe107⤵
-
\??\c:\rfxrxxx.exec:\rfxrxxx.exe108⤵
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe109⤵
-
\??\c:\nbnhbt.exec:\nbnhbt.exe110⤵
-
\??\c:\nhnnnb.exec:\nhnnnb.exe111⤵
-
\??\c:\7jpjd.exec:\7jpjd.exe112⤵
-
\??\c:\9djdp.exec:\9djdp.exe113⤵
-
\??\c:\rfxrrrr.exec:\rfxrrrr.exe114⤵
-
\??\c:\bnnbnh.exec:\bnnbnh.exe115⤵
-
\??\c:\1hhbhh.exec:\1hhbhh.exe116⤵
-
\??\c:\dvvpj.exec:\dvvpj.exe117⤵
-
\??\c:\ppjdv.exec:\ppjdv.exe118⤵
-
\??\c:\ffrlfxl.exec:\ffrlfxl.exe119⤵
-
\??\c:\llllfxr.exec:\llllfxr.exe120⤵
-
\??\c:\nbbbnt.exec:\nbbbnt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-