Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
08/09/2024, 01:03
General
-
Target
a9594dc8d05f4a8b27c5f1d5794087f133e644a1ae04cd2d03b584836ccdb7cd.exe
-
Size
75KB
-
MD5
0f284cb2d33de3b5fd265fd6e882f3c8
-
SHA1
4ac82842e54bdda8d3e971d9eb8dcd4c5c9dc21f
-
SHA256
a9594dc8d05f4a8b27c5f1d5794087f133e644a1ae04cd2d03b584836ccdb7cd
-
SHA512
91edf24e98e3622c2ac50b272a73cc74a63e0a9d21b0230e7ab08c434124b04f4fa189a8ce5ccbc6e1ecbbc83b9594809e3aeb8bf6ebc8a7f50ef29d992f1a24
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzk358nLA89OGvrFVHmg:ymb3NkkiQ3mdBjFIvl358nLA89OMFVHb
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 27 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9594dc8d05f4a8b27c5f1d5794087f133e644a1ae04cd2d03b584836ccdb7cd.exe"C:\Users\Admin\AppData\Local\Temp\a9594dc8d05f4a8b27c5f1d5794087f133e644a1ae04cd2d03b584836ccdb7cd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\5vdjd.exec:\5vdjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffrxfr.exec:\rffrxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhbbt.exec:\tbhbbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvpj.exec:\ppvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rxrflr.exec:\3rxrflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxxrlf.exec:\llxxrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhbtt.exec:\tbhbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllflff.exec:\rllflff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrlfff.exec:\fxrlfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjppv.exec:\pjppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vjdv.exec:\1vjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfflrfr.exec:\lfflrfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjjd.exec:\ppjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvpp.exec:\pjvpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrxxxr.exec:\rrrxxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5bbbbh.exec:\5bbbbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpp.exec:\dvvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xllflf.exec:\1xllflf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbbtt.exec:\btbbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhhtt.exec:\tbhhtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjdv.exec:\jdjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflfrrl.exec:\rflfrrl.exe23⤵
- Executes dropped EXE
-
\??\c:\rrffxff.exec:\rrffxff.exe24⤵
- Executes dropped EXE
-
\??\c:\nhhhhh.exec:\nhhhhh.exe25⤵
- Executes dropped EXE
-
\??\c:\ppjdv.exec:\ppjdv.exe26⤵
- Executes dropped EXE
-
\??\c:\9xxrfff.exec:\9xxrfff.exe27⤵
- Executes dropped EXE
-
\??\c:\lfxxrrr.exec:\lfxxrrr.exe28⤵
- Executes dropped EXE
-
\??\c:\htbhbn.exec:\htbhbn.exe29⤵
- Executes dropped EXE
-
\??\c:\jdddp.exec:\jdddp.exe30⤵
- Executes dropped EXE
-
\??\c:\llfxffx.exec:\llfxffx.exe31⤵
- Executes dropped EXE
-
\??\c:\1xllfxx.exec:\1xllfxx.exe32⤵
- Executes dropped EXE
-
\??\c:\xrfxffx.exec:\xrfxffx.exe33⤵
- Executes dropped EXE
-
\??\c:\tnnnhn.exec:\tnnnhn.exe34⤵
- Executes dropped EXE
-
\??\c:\dvvvv.exec:\dvvvv.exe35⤵
- Executes dropped EXE
-
\??\c:\vppjd.exec:\vppjd.exe36⤵
- Executes dropped EXE
-
\??\c:\1pvpd.exec:\1pvpd.exe37⤵
- Executes dropped EXE
-
\??\c:\frrlffx.exec:\frrlffx.exe38⤵
- Executes dropped EXE
-
\??\c:\rfrrrrx.exec:\rfrrrrx.exe39⤵
- Executes dropped EXE
-
\??\c:\thhhhh.exec:\thhhhh.exe40⤵
- Executes dropped EXE
-
\??\c:\hntthh.exec:\hntthh.exe41⤵
- Executes dropped EXE
-
\??\c:\pjppv.exec:\pjppv.exe42⤵
- Executes dropped EXE
-
\??\c:\pjvvv.exec:\pjvvv.exe43⤵
- Executes dropped EXE
-
\??\c:\lflffff.exec:\lflffff.exe44⤵
- Executes dropped EXE
-
\??\c:\lxllfff.exec:\lxllfff.exe45⤵
- Executes dropped EXE
-
\??\c:\hthbtt.exec:\hthbtt.exe46⤵
- Executes dropped EXE
-
\??\c:\nnhttn.exec:\nnhttn.exe47⤵
- Executes dropped EXE
-
\??\c:\1vjdj.exec:\1vjdj.exe48⤵
- Executes dropped EXE
-
\??\c:\pjjjj.exec:\pjjjj.exe49⤵
- Executes dropped EXE
-
\??\c:\llxrlll.exec:\llxrlll.exe50⤵
- Executes dropped EXE
-
\??\c:\frrfrlr.exec:\frrfrlr.exe51⤵
- Executes dropped EXE
-
\??\c:\hbhbbn.exec:\hbhbbn.exe52⤵
- Executes dropped EXE
-
\??\c:\tnnnnn.exec:\tnnnnn.exe53⤵
- Executes dropped EXE
-
\??\c:\9jvpv.exec:\9jvpv.exe54⤵
- Executes dropped EXE
-
\??\c:\9pdvd.exec:\9pdvd.exe55⤵
- Executes dropped EXE
-
\??\c:\lflllff.exec:\lflllff.exe56⤵
- Executes dropped EXE
-
\??\c:\hhhbtt.exec:\hhhbtt.exe57⤵
- Executes dropped EXE
-
\??\c:\bhhbtt.exec:\bhhbtt.exe58⤵
- Executes dropped EXE
-
\??\c:\dvpjv.exec:\dvpjv.exe59⤵
- Executes dropped EXE
-
\??\c:\3rrlffx.exec:\3rrlffx.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\rlllffx.exec:\rlllffx.exe61⤵
- Executes dropped EXE
-
\??\c:\bbhhhh.exec:\bbhhhh.exe62⤵
- Executes dropped EXE
-
\??\c:\bthhbb.exec:\bthhbb.exe63⤵
- Executes dropped EXE
-
\??\c:\ppvvp.exec:\ppvvp.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\3vjdd.exec:\3vjdd.exe65⤵
- Executes dropped EXE
-
\??\c:\3lfxxrr.exec:\3lfxxrr.exe66⤵
-
\??\c:\hbtbbn.exec:\hbtbbn.exe67⤵
-
\??\c:\tnthbh.exec:\tnthbh.exe68⤵
-
\??\c:\jjjjv.exec:\jjjjv.exe69⤵
-
\??\c:\jdjdv.exec:\jdjdv.exe70⤵
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe71⤵
-
\??\c:\9dvjd.exec:\9dvjd.exe72⤵
-
\??\c:\pppjd.exec:\pppjd.exe73⤵
-
\??\c:\7rxrffx.exec:\7rxrffx.exe74⤵
-
\??\c:\bbthbt.exec:\bbthbt.exe75⤵
-
\??\c:\tnhbbb.exec:\tnhbbb.exe76⤵
-
\??\c:\dppjj.exec:\dppjj.exe77⤵
-
\??\c:\9vvvp.exec:\9vvvp.exe78⤵
-
\??\c:\5tbnhb.exec:\5tbnhb.exe79⤵
-
\??\c:\pdpjd.exec:\pdpjd.exe80⤵
-
\??\c:\jdjpv.exec:\jdjpv.exe81⤵
-
\??\c:\7llfrrl.exec:\7llfrrl.exe82⤵
-
\??\c:\bnbtnh.exec:\bnbtnh.exe83⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nhnnhn.exec:\nhnnhn.exe84⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe85⤵
-
\??\c:\xflflfx.exec:\xflflfx.exe86⤵
-
\??\c:\rxxrrrr.exec:\rxxrrrr.exe87⤵
-
\??\c:\hbttnh.exec:\hbttnh.exe88⤵
-
\??\c:\pdvvd.exec:\pdvvd.exe89⤵
-
\??\c:\dvvpd.exec:\dvvpd.exe90⤵
-
\??\c:\xlrrfff.exec:\xlrrfff.exe91⤵
-
\??\c:\lfllffl.exec:\lfllffl.exe92⤵
-
\??\c:\nttbbn.exec:\nttbbn.exe93⤵
-
\??\c:\hthhbb.exec:\hthhbb.exe94⤵
-
\??\c:\vvjvv.exec:\vvjvv.exe95⤵
-
\??\c:\vpjdv.exec:\vpjdv.exe96⤵
-
\??\c:\rrlfrrl.exec:\rrlfrrl.exe97⤵
-
\??\c:\3llfxlf.exec:\3llfxlf.exe98⤵
-
\??\c:\tthhnh.exec:\tthhnh.exe99⤵
-
\??\c:\jjvjj.exec:\jjvjj.exe100⤵
-
\??\c:\xxlfxlf.exec:\xxlfxlf.exe101⤵
-
\??\c:\3lrfffx.exec:\3lrfffx.exe102⤵
-
\??\c:\3nntnn.exec:\3nntnn.exe103⤵
-
\??\c:\hhttnn.exec:\hhttnn.exe104⤵
-
\??\c:\vjvjv.exec:\vjvjv.exe105⤵
-
\??\c:\ppvvp.exec:\ppvvp.exe106⤵
-
\??\c:\rrlllxr.exec:\rrlllxr.exe107⤵
-
\??\c:\3hhnhb.exec:\3hhnhb.exe108⤵
-
\??\c:\tttnbb.exec:\tttnbb.exe109⤵
-
\??\c:\nhttnb.exec:\nhttnb.exe110⤵
-
\??\c:\ppvvj.exec:\ppvvj.exe111⤵
-
\??\c:\pppjv.exec:\pppjv.exe112⤵
-
\??\c:\9rlfrrf.exec:\9rlfrrf.exe113⤵
-
\??\c:\flfllrr.exec:\flfllrr.exe114⤵
-
\??\c:\ttttnt.exec:\ttttnt.exe115⤵
-
\??\c:\7thbbb.exec:\7thbbb.exe116⤵
-
\??\c:\3vpvp.exec:\3vpvp.exe117⤵
-
\??\c:\djjdv.exec:\djjdv.exe118⤵
-
\??\c:\hthtnb.exec:\hthtnb.exe119⤵
-
\??\c:\btnhtn.exec:\btnhtn.exe120⤵
-
\??\c:\jjvjd.exec:\jjvjd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-