Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 07:01 UTC

General

  • Target

    30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe

  • Size

    6.4MB

  • MD5

    dcbdd831f36abea3aa671235d45d8617

  • SHA1

    def917bf8c8fef22dc701af46a8157c6e3aa6114

  • SHA256

    30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9

  • SHA512

    e830e00f1bcb038d771cd3f5a78157500b0d33d964433611dd5f25e32240de887d7f5cdb2cfcdb8496fbf0c09dcdc91ba93023a0fb8cfb867eed289db8dc0bad

  • SSDEEP

    98304:BxMsFme9BLT2nmYQNwlt9lQoVf2B3eoh7whgBiux19C1B5BaL7HRJPfaL:B2aBLqnmY8wjpUO8gYx19YTq7HLK

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe
    "C:\Users\Admin\AppData\Local\Temp\30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 560
      2⤵
      • Program crash
      PID:2604

Network

  • US
    DNS
    www.baidu.com
    30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe
    Remote address:
    8.8.8.8:53
    Request
    www.baidu.com
    IN A
    Response
    www.baidu.com
    IN CNAME
    www.a.shifen.com
    www.a.shifen.com
    IN CNAME
    www.wshifen.com
    www.wshifen.com
    IN A
    103.235.46.96
    www.wshifen.com
    IN A
    103.235.47.188
  • HK
    GET
    https://www.baidu.com/
    30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe
    Remote address:
    103.235.46.96:443
    Request
    GET / HTTP/1.1
    Host: www.baidu.com
    Accept: */*
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Cache-Control: no-cache
    Connection: keep-alive
    Content-Length: 9508
    Content-Type: text/html
    Date: Fri, 13 Sep 2024 07:01:27 GMT
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    P3p: CP=" OTI DSP COR IVA OUR IND COM "
    Pragma: no-cache
    Server: BWS/1.1
    Set-Cookie: BAIDUID=014DED08F528B0A5D5BCB491F2FA3436:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BIDUPSID=014DED08F528B0A5D5BCB491F2FA3436; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: PSTM=1726210887; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
    Set-Cookie: BAIDUID=014DED08F528B0A51BB1446E36D4017E:FG=1; max-age=31536000; expires=Sat, 13-Sep-25 07:01:27 GMT; domain=.baidu.com; path=/; version=1; comment=bd
    Traceid: 1726210887373602509810915253944034931250
    Vary: Accept-Encoding
    X-Ua-Compatible: IE=Edge,chrome=1
    X-Xss-Protection: 1;mode=block
  • US
    DNS
    dxmsoft.oss-cn-shanghai.aliyuncs.com
    30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe
    Remote address:
    8.8.8.8:53
    Request
    dxmsoft.oss-cn-shanghai.aliyuncs.com
    IN A
    Response
    dxmsoft.oss-cn-shanghai.aliyuncs.com
    IN A
    139.196.119.45
  • 103.235.46.96:443
    https://www.baidu.com/
    tls, http
    30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe
    1.5kB
    22.7kB
    23
    31

    HTTP Request

    GET https://www.baidu.com/

    HTTP Response

    200
  • 127.0.0.1:49197
    30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe
  • 127.0.0.1:49205
    30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe
  • 139.196.119.45:443
    dxmsoft.oss-cn-shanghai.aliyuncs.com
    30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe
    152 B
    3
  • 8.8.8.8:53
    www.baidu.com
    dns
    30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe
    59 B
    144 B
    1
    1

    DNS Request

    www.baidu.com

    DNS Response

    103.235.46.96
    103.235.47.188

  • 8.8.8.8:53
    dxmsoft.oss-cn-shanghai.aliyuncs.com
    dns
    30d4ef807af7d8e8791aeb8f4eeea499a9ab0d961492dc97cbbd1d46c1ff1db9.exe
    82 B
    98 B
    1
    1

    DNS Request

    dxmsoft.oss-cn-shanghai.aliyuncs.com

    DNS Response

    139.196.119.45

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2728-0-0x0000000000734000-0x0000000000BBA000-memory.dmp

    Filesize

    4.5MB

  • memory/2728-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2728-5-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2728-9-0x0000000000400000-0x0000000001121000-memory.dmp

    Filesize

    13.1MB

  • memory/2728-10-0x0000000000300000-0x0000000000302000-memory.dmp

    Filesize

    8KB

  • memory/2728-3-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2728-12-0x0000000000734000-0x0000000000BBA000-memory.dmp

    Filesize

    4.5MB

  • memory/2728-13-0x0000000000400000-0x0000000001121000-memory.dmp

    Filesize

    13.1MB
