Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

造梦西�...��.url

windows7-x64

1

造梦西�...��.url

windows10-2004-x64

1

造梦西�...��.exe

windows7-x64

10

造梦西�...��.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 23:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    造梦西游5魂殇修改器.exe

  • Size

    468KB

  • MD5

    59d71e81bca65c7f790d33d317dbe4cc

  • SHA1

    01fa3b6561274da9d1c5550679e092033a3bb2af

  • SHA256

    fe5fa6f567d0d5b03e1e38d922fbbfab5f687e2192ffc0585c87dea14f00146c

  • SHA512

    d7a6990b6298e812ca014521a2a4a0976654eb8fb9d0a4911a1576f37b393d70a7f245e9b52aa074e1c3d9fe917093319f32c70017eb7e911f3937be67d4ff21

  • SSDEEP

    6144:6a4f07to4inSxvRUNzasgXO88SqER3GsAp5/pv:N4f0a4iSxgzasgP75RNA

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\造梦西游5魂殇修改器.exe
    "C:\Users\Admin\AppData\Local\Temp\造梦西游5魂殇修改器.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\SysWOW64\Explorer.exe
      Explorer /n,C:\Users\Admin\AppData\Local\Temp\ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2112
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Users\Admin\AppData\Local\Temp\ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe
      "C:\Users\Admin\AppData\Local\Temp\ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.4399hs.com/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1088 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    494dc467f86039707e33a9a2e63cb65e

    SHA1

    d50633dc815b2690f22f25cbd75abc679bed86f8

    SHA256

    0b56d097ed3cac5823c423232ff558ee14445d26cd62dfd1932706ad6e206ed2

    SHA512

    9f9d2a3bb49668a48ab63a6f9dd408e4ec237ae7a30ec7d6f1f7377d5e6d1508661b1f6c64c956e47d9cfca5dc41502c1b3a4101d1814030363003381334a247

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabA372.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarA3D4.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ÔìÃÎÎ÷ÓÎ4»êéäÐÞ¸ÄÆ÷6.3.exe
    Filesize

    268KB

    MD5

    d4345448976df15d4338d411583217d8

    SHA1

    83f405499bd649c5744fe4f6eb1abea8828487dc

    SHA256

    6cc67524aacded7fdd197048881a68fb21278dd9e20a73b57d7a11550fc736e9

    SHA512

    b6ff0b28aff3663b49156d1f6e3c75dd994e3ff70a92ff7914128473ab886aedec8cd2dd6018fd99e62ad7294bb808c5c4c5ad5a6713ba41df09b0b16d960385

    Download Submit