Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30/09/2024, 03:04
General
-
Target
027b1105ae474cb53c12c847688ff41715ba0b74638000291d7d7d8da9a2891bN.exe
-
Size
80KB
-
MD5
03195d14c12a391bff77049cc121a240
-
SHA1
4ebd807db9270f9bf794b1754b76b8d9be14e19d
-
SHA256
027b1105ae474cb53c12c847688ff41715ba0b74638000291d7d7d8da9a2891b
-
SHA512
be31a3a395889eaa8e3d7286608ac6204349cdbb685fc736961439032ea842e05751ae94f81140b0dc6c849b876e3094f6929befa1b16337598bdad7b2a247ed
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4yeCH:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu4T
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\027b1105ae474cb53c12c847688ff41715ba0b74638000291d7d7d8da9a2891bN.exe"C:\Users\Admin\AppData\Local\Temp\027b1105ae474cb53c12c847688ff41715ba0b74638000291d7d7d8da9a2891bN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlffff.exec:\rrlffff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhbb.exec:\tnnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhttbb.exec:\nhttbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvdp.exec:\dpvdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvp.exec:\pjvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffxrlr.exec:\rffxrlr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbnn.exec:\nhhbnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpjj.exec:\vdpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9fllfff.exec:\9fllfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlrflf.exec:\frlrflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhhbb.exec:\nbhhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbtnn.exec:\nhbtnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpjp.exec:\vdpjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdd.exec:\pjjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rlfrrl.exec:\9rlfrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhbtt.exec:\thhbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9hnhbt.exec:\9hnhbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpppj.exec:\jpppj.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\pppjd.exec:\pppjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vpjv.exec:\3vpjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrlffx.exec:\fxrlffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ffxrrl.exec:\5ffxrrl.exe23⤵
- Executes dropped EXE
-
\??\c:\bttnhh.exec:\bttnhh.exe24⤵
- Executes dropped EXE
-
\??\c:\ntbthn.exec:\ntbthn.exe25⤵
- Executes dropped EXE
-
\??\c:\jdvdv.exec:\jdvdv.exe26⤵
- Executes dropped EXE
-
\??\c:\vjpjd.exec:\vjpjd.exe27⤵
- Executes dropped EXE
-
\??\c:\jjvpj.exec:\jjvpj.exe28⤵
- Executes dropped EXE
-
\??\c:\lrlfxrr.exec:\lrlfxrr.exe29⤵
- Executes dropped EXE
-
\??\c:\5rfffff.exec:\5rfffff.exe30⤵
- Executes dropped EXE
-
\??\c:\3btttn.exec:\3btttn.exe31⤵
- Executes dropped EXE
-
\??\c:\5btnhh.exec:\5btnhh.exe32⤵
- Executes dropped EXE
-
\??\c:\dvdvv.exec:\dvdvv.exe33⤵
- Executes dropped EXE
-
\??\c:\jdvdv.exec:\jdvdv.exe34⤵
- Executes dropped EXE
-
\??\c:\7rrlffx.exec:\7rrlffx.exe35⤵
- Executes dropped EXE
-
\??\c:\3rfxffl.exec:\3rfxffl.exe36⤵
- Executes dropped EXE
-
\??\c:\tbttnn.exec:\tbttnn.exe37⤵
- Executes dropped EXE
-
\??\c:\bbnhnn.exec:\bbnhnn.exe38⤵
- Executes dropped EXE
-
\??\c:\pjddp.exec:\pjddp.exe39⤵
- Executes dropped EXE
-
\??\c:\vpdpj.exec:\vpdpj.exe40⤵
- Executes dropped EXE
-
\??\c:\5ddvj.exec:\5ddvj.exe41⤵
- Executes dropped EXE
-
\??\c:\frxrlff.exec:\frxrlff.exe42⤵
- Executes dropped EXE
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe43⤵
- Executes dropped EXE
-
\??\c:\bthbhh.exec:\bthbhh.exe44⤵
- Executes dropped EXE
-
\??\c:\bntnhh.exec:\bntnhh.exe45⤵
- Executes dropped EXE
-
\??\c:\btbtnn.exec:\btbtnn.exe46⤵
- Executes dropped EXE
-
\??\c:\9pdpj.exec:\9pdpj.exe47⤵
- Executes dropped EXE
-
\??\c:\pjjdv.exec:\pjjdv.exe48⤵
- Executes dropped EXE
-
\??\c:\lrfxxrr.exec:\lrfxxrr.exe49⤵
- Executes dropped EXE
-
\??\c:\5rfxxxf.exec:\5rfxxxf.exe50⤵
- Executes dropped EXE
-
\??\c:\nnhhnn.exec:\nnhhnn.exe51⤵
- Executes dropped EXE
-
\??\c:\nnnhbb.exec:\nnnhbb.exe52⤵
- Executes dropped EXE
-
\??\c:\dvvpj.exec:\dvvpj.exe53⤵
- Executes dropped EXE
-
\??\c:\dvvdv.exec:\dvvdv.exe54⤵
- Executes dropped EXE
-
\??\c:\rrfxrfx.exec:\rrfxrfx.exe55⤵
- Executes dropped EXE
-
\??\c:\fffxxfx.exec:\fffxxfx.exe56⤵
- Executes dropped EXE
-
\??\c:\nhhhbb.exec:\nhhhbb.exe57⤵
- Executes dropped EXE
-
\??\c:\7vddv.exec:\7vddv.exe58⤵
- Executes dropped EXE
-
\??\c:\xxxrfxx.exec:\xxxrfxx.exe59⤵
- Executes dropped EXE
-
\??\c:\5ttnhh.exec:\5ttnhh.exe60⤵
- Executes dropped EXE
-
\??\c:\bnnbbb.exec:\bnnbbb.exe61⤵
- Executes dropped EXE
-
\??\c:\1pvpd.exec:\1pvpd.exe62⤵
- Executes dropped EXE
-
\??\c:\vpdvd.exec:\vpdvd.exe63⤵
- Executes dropped EXE
-
\??\c:\rffrllf.exec:\rffrllf.exe64⤵
- Executes dropped EXE
-
\??\c:\lfrlrrf.exec:\lfrlrrf.exe65⤵
- Executes dropped EXE
-
\??\c:\btbbth.exec:\btbbth.exe66⤵
-
\??\c:\bttthn.exec:\bttthn.exe67⤵
-
\??\c:\vjpjj.exec:\vjpjj.exe68⤵
-
\??\c:\frxlrrl.exec:\frxlrrl.exe69⤵
-
\??\c:\nhbtnn.exec:\nhbtnn.exe70⤵
-
\??\c:\ttnnnh.exec:\ttnnnh.exe71⤵
-
\??\c:\dvdjd.exec:\dvdjd.exe72⤵
-
\??\c:\dvppp.exec:\dvppp.exe73⤵
-
\??\c:\bnbtbb.exec:\bnbtbb.exe74⤵
-
\??\c:\dpjjd.exec:\dpjjd.exe75⤵
-
\??\c:\nhhhbb.exec:\nhhhbb.exe76⤵
-
\??\c:\bnnhhh.exec:\bnnhhh.exe77⤵
-
\??\c:\hbhbtt.exec:\hbhbtt.exe78⤵
-
\??\c:\rrxxrxx.exec:\rrxxrxx.exe79⤵
-
\??\c:\hhhhbh.exec:\hhhhbh.exe80⤵
-
\??\c:\hntnhb.exec:\hntnhb.exe81⤵
-
\??\c:\lxlxrrl.exec:\lxlxrrl.exe82⤵
-
\??\c:\jjvvv.exec:\jjvvv.exe83⤵
-
\??\c:\ffxfxll.exec:\ffxfxll.exe84⤵
-
\??\c:\5tbtbt.exec:\5tbtbt.exe85⤵
-
\??\c:\vpddv.exec:\vpddv.exe86⤵
-
\??\c:\7bnhnn.exec:\7bnhnn.exe87⤵
-
\??\c:\frrrlll.exec:\frrrlll.exe88⤵
-
\??\c:\ttnhbh.exec:\ttnhbh.exe89⤵
-
\??\c:\7ffxxxr.exec:\7ffxxxr.exe90⤵
-
\??\c:\pddpd.exec:\pddpd.exe91⤵
-
\??\c:\xfllfxx.exec:\xfllfxx.exe92⤵
-
\??\c:\rflfffx.exec:\rflfffx.exe93⤵
-
\??\c:\bnbbtt.exec:\bnbbtt.exe94⤵
-
\??\c:\fxrfxll.exec:\fxrfxll.exe95⤵
-
\??\c:\lllfxxx.exec:\lllfxxx.exe96⤵
-
\??\c:\tntnhb.exec:\tntnhb.exe97⤵
-
\??\c:\dvvpd.exec:\dvvpd.exe98⤵
-
\??\c:\jvpjd.exec:\jvpjd.exe99⤵
-
\??\c:\xrflfrl.exec:\xrflfrl.exe100⤵
-
\??\c:\3rxrllf.exec:\3rxrllf.exe101⤵
-
\??\c:\htthnb.exec:\htthnb.exe102⤵
-
\??\c:\djdvp.exec:\djdvp.exe103⤵
-
\??\c:\lxxfrrr.exec:\lxxfrrr.exe104⤵
-
\??\c:\1bbbtt.exec:\1bbbtt.exe105⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe106⤵
-
\??\c:\vvvjd.exec:\vvvjd.exe107⤵
-
\??\c:\xrllrfl.exec:\xrllrfl.exe108⤵
-
\??\c:\ntnttt.exec:\ntnttt.exe109⤵
-
\??\c:\pjvpd.exec:\pjvpd.exe110⤵
-
\??\c:\xrfxffl.exec:\xrfxffl.exe111⤵
-
\??\c:\nhhhhn.exec:\nhhhhn.exe112⤵
-
\??\c:\vppjj.exec:\vppjj.exe113⤵
-
\??\c:\fxxrlll.exec:\fxxrlll.exe114⤵
-
\??\c:\flffffx.exec:\flffffx.exe115⤵
-
\??\c:\tnhhtt.exec:\tnhhtt.exe116⤵
-
\??\c:\jjjpj.exec:\jjjpj.exe117⤵
-
\??\c:\rrflxrl.exec:\rrflxrl.exe118⤵
-
\??\c:\nhnbnt.exec:\nhnbnt.exe119⤵
-
\??\c:\hbhbbh.exec:\hbhbbh.exe120⤵
-
\??\c:\pjjpp.exec:\pjjpp.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-