Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
12/09/2024, 01:58
General
-
Target
d134fa96e96898f8f9ae773760844e9304d97d3224a33a4425e088c1c8e90251.exe
-
Size
124KB
-
MD5
d76ffc4a45ebdc52e58b8a72354c76d6
-
SHA1
392a3eac1f5d8cc812d4d222df51c2e1916cf79e
-
SHA256
d134fa96e96898f8f9ae773760844e9304d97d3224a33a4425e088c1c8e90251
-
SHA512
e616f2b27b5153b065f0167df2c8835c7c87949b52c22ffafe07230ec8f5f2dcea35301075aa677fa2d7ee6c888c2f0e6a4373207c1cf1a0c60c76279bba5bcb
-
SSDEEP
3072:ymb3NkkiQ3mdBjFomR7UsyJC+n0GsgcD2:n3C9BRomRph+0GsgcK
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d134fa96e96898f8f9ae773760844e9304d97d3224a33a4425e088c1c8e90251.exe"C:\Users\Admin\AppData\Local\Temp\d134fa96e96898f8f9ae773760844e9304d97d3224a33a4425e088c1c8e90251.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dvppj.exec:\dvppj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlxxrl.exec:\rrlxxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbtnn.exec:\bbbtnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnnhbt.exec:\bnnhbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1dpjp.exec:\1dpjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxxlxrf.exec:\rxxlxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhthb.exec:\nbhthb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjdvj.exec:\vjdvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrxxfrx.exec:\rrxxfrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbtnh.exec:\thbtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppjv.exec:\dppjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxlrll.exec:\frxlrll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntthbt.exec:\ntthbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjpd.exec:\dpjpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfxfxx.exec:\lxfxfxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhbthh.exec:\hhbthh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflfrrl.exec:\rflfrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frffffx.exec:\frffffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnttnn.exec:\tnttnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjdv.exec:\dpjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppjpd.exec:\ppjpd.exe23⤵
- Executes dropped EXE
-
\??\c:\xllfxxx.exec:\xllfxxx.exe24⤵
- Executes dropped EXE
-
\??\c:\tbhbtt.exec:\tbhbtt.exe25⤵
- Executes dropped EXE
-
\??\c:\vvdvp.exec:\vvdvp.exe26⤵
- Executes dropped EXE
-
\??\c:\7rfrlfx.exec:\7rfrlfx.exe27⤵
- Executes dropped EXE
-
\??\c:\tnnhbt.exec:\tnnhbt.exe28⤵
- Executes dropped EXE
-
\??\c:\bntnhh.exec:\bntnhh.exe29⤵
- Executes dropped EXE
-
\??\c:\vpvjp.exec:\vpvjp.exe30⤵
- Executes dropped EXE
-
\??\c:\rxrlxxr.exec:\rxrlxxr.exe31⤵
- Executes dropped EXE
-
\??\c:\llllxxr.exec:\llllxxr.exe32⤵
- Executes dropped EXE
-
\??\c:\thnhbb.exec:\thnhbb.exe33⤵
- Executes dropped EXE
-
\??\c:\hthbtn.exec:\hthbtn.exe34⤵
- Executes dropped EXE
-
\??\c:\3ddvv.exec:\3ddvv.exe35⤵
- Executes dropped EXE
-
\??\c:\pvpjv.exec:\pvpjv.exe36⤵
- Executes dropped EXE
-
\??\c:\xlffrll.exec:\xlffrll.exe37⤵
- Executes dropped EXE
-
\??\c:\lrrrllf.exec:\lrrrllf.exe38⤵
- Executes dropped EXE
-
\??\c:\ttbtbt.exec:\ttbtbt.exe39⤵
- Executes dropped EXE
-
\??\c:\htbnhh.exec:\htbnhh.exe40⤵
- Executes dropped EXE
-
\??\c:\jppjd.exec:\jppjd.exe41⤵
- Executes dropped EXE
-
\??\c:\dvpjd.exec:\dvpjd.exe42⤵
- Executes dropped EXE
-
\??\c:\lxfrxrl.exec:\lxfrxrl.exe43⤵
- Executes dropped EXE
-
\??\c:\bnhtnh.exec:\bnhtnh.exe44⤵
- Executes dropped EXE
-
\??\c:\hhhbnn.exec:\hhhbnn.exe45⤵
- Executes dropped EXE
-
\??\c:\5ppjv.exec:\5ppjv.exe46⤵
- Executes dropped EXE
-
\??\c:\pjjdv.exec:\pjjdv.exe47⤵
- Executes dropped EXE
-
\??\c:\rxfxlll.exec:\rxfxlll.exe48⤵
- Executes dropped EXE
-
\??\c:\flfxrll.exec:\flfxrll.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\bttnbt.exec:\bttnbt.exe50⤵
- Executes dropped EXE
-
\??\c:\dpvpv.exec:\dpvpv.exe51⤵
- Executes dropped EXE
-
\??\c:\3jdpj.exec:\3jdpj.exe52⤵
- Executes dropped EXE
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe53⤵
- Executes dropped EXE
-
\??\c:\bbhhbn.exec:\bbhhbn.exe54⤵
- Executes dropped EXE
-
\??\c:\btnnhb.exec:\btnnhb.exe55⤵
- Executes dropped EXE
-
\??\c:\jppjv.exec:\jppjv.exe56⤵
- Executes dropped EXE
-
\??\c:\1dvpd.exec:\1dvpd.exe57⤵
- Executes dropped EXE
-
\??\c:\3xxrfll.exec:\3xxrfll.exe58⤵
- Executes dropped EXE
-
\??\c:\lfxxrrx.exec:\lfxxrrx.exe59⤵
- Executes dropped EXE
-
\??\c:\hbhtbb.exec:\hbhtbb.exe60⤵
- Executes dropped EXE
-
\??\c:\ddjvv.exec:\ddjvv.exe61⤵
- Executes dropped EXE
-
\??\c:\7lfxlfx.exec:\7lfxlfx.exe62⤵
- Executes dropped EXE
-
\??\c:\xlffxrl.exec:\xlffxrl.exe63⤵
- Executes dropped EXE
-
\??\c:\hbnhnh.exec:\hbnhnh.exe64⤵
- Executes dropped EXE
-
\??\c:\jvvpj.exec:\jvvpj.exe65⤵
- Executes dropped EXE
-
\??\c:\pvdvp.exec:\pvdvp.exe66⤵
-
\??\c:\rxrlxrf.exec:\rxrlxrf.exe67⤵
-
\??\c:\nhhbbt.exec:\nhhbbt.exe68⤵
-
\??\c:\ddjjp.exec:\ddjjp.exe69⤵
-
\??\c:\pdpjj.exec:\pdpjj.exe70⤵
-
\??\c:\frxxrlf.exec:\frxxrlf.exe71⤵
-
\??\c:\xrllllf.exec:\xrllllf.exe72⤵
-
\??\c:\bnhbth.exec:\bnhbth.exe73⤵
-
\??\c:\1vjdp.exec:\1vjdp.exe74⤵
-
\??\c:\fxxlfxf.exec:\fxxlfxf.exe75⤵
-
\??\c:\tntnhh.exec:\tntnhh.exe76⤵
-
\??\c:\7pjjj.exec:\7pjjj.exe77⤵
-
\??\c:\frxxrrl.exec:\frxxrrl.exe78⤵
-
\??\c:\rlxxffl.exec:\rlxxffl.exe79⤵
-
\??\c:\ntbthh.exec:\ntbthh.exe80⤵
-
\??\c:\btbttt.exec:\btbttt.exe81⤵
-
\??\c:\vpjdd.exec:\vpjdd.exe82⤵
-
\??\c:\lrxxlll.exec:\lrxxlll.exe83⤵
-
\??\c:\thnhbb.exec:\thnhbb.exe84⤵
-
\??\c:\3bnhhn.exec:\3bnhhn.exe85⤵
-
\??\c:\dpvpd.exec:\dpvpd.exe86⤵
-
\??\c:\pvjjv.exec:\pvjjv.exe87⤵
-
\??\c:\lxxxxrr.exec:\lxxxxrr.exe88⤵
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe89⤵
-
\??\c:\nhbtnn.exec:\nhbtnn.exe90⤵
-
\??\c:\7htntb.exec:\7htntb.exe91⤵
-
\??\c:\3dvpj.exec:\3dvpj.exe92⤵
-
\??\c:\jdppd.exec:\jdppd.exe93⤵
-
\??\c:\lxrlfff.exec:\lxrlfff.exe94⤵
-
\??\c:\xfrxffx.exec:\xfrxffx.exe95⤵
-
\??\c:\bbbbbb.exec:\bbbbbb.exe96⤵
-
\??\c:\ppddd.exec:\ppddd.exe97⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe98⤵
-
\??\c:\lfrlxxx.exec:\lfrlxxx.exe99⤵
-
\??\c:\nbhbbb.exec:\nbhbbb.exe100⤵
-
\??\c:\jjjdv.exec:\jjjdv.exe101⤵
-
\??\c:\dvpjj.exec:\dvpjj.exe102⤵
-
\??\c:\xrrlffx.exec:\xrrlffx.exe103⤵
-
\??\c:\hbbthh.exec:\hbbthh.exe104⤵
-
\??\c:\tnttnn.exec:\tnttnn.exe105⤵
-
\??\c:\vvvpj.exec:\vvvpj.exe106⤵
-
\??\c:\7jjvp.exec:\7jjvp.exe107⤵
-
\??\c:\lffxlrl.exec:\lffxlrl.exe108⤵
- System Location Discovery: System Language Discovery
-
\??\c:\3llffxx.exec:\3llffxx.exe109⤵
-
\??\c:\9hhhhh.exec:\9hhhhh.exe110⤵
-
\??\c:\ntntnt.exec:\ntntnt.exe111⤵
-
\??\c:\jppdv.exec:\jppdv.exe112⤵
-
\??\c:\rfffxxx.exec:\rfffxxx.exe113⤵
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe114⤵
-
\??\c:\tbbbtt.exec:\tbbbtt.exe115⤵
-
\??\c:\5htnnn.exec:\5htnnn.exe116⤵
-
\??\c:\dvjdd.exec:\dvjdd.exe117⤵
-
\??\c:\dvppd.exec:\dvppd.exe118⤵
-
\??\c:\7flfrrr.exec:\7flfrrr.exe119⤵
-
\??\c:\hbbtnn.exec:\hbbtnn.exe120⤵
-
\??\c:\5hhtnn.exec:\5hhtnn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-