Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04/10/2024, 05:17
General
-
Target
f9d4e338c995cff706c9def5d931d627093355f513b4439de4f82aa69c187873N.exe
-
Size
230KB
-
MD5
18ddcc606a221e8d20834287a92fe100
-
SHA1
57cd8c7f9e5f2ad12d0dbd37b3e263e03284ccfe
-
SHA256
f9d4e338c995cff706c9def5d931d627093355f513b4439de4f82aa69c187873
-
SHA512
217d3a43f88b5dad180cb85dcd9a72476a2caf8f0115c0bbf16e26c568a026291d7860cc506d0486478f1e3d29875633c3e5422b13ec8844f3c52406df5e6d45
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1fE:n3C9BRo7MlrWKo+lxKk1fE
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 29 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9d4e338c995cff706c9def5d931d627093355f513b4439de4f82aa69c187873N.exe"C:\Users\Admin\AppData\Local\Temp\f9d4e338c995cff706c9def5d931d627093355f513b4439de4f82aa69c187873N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\680662.exec:\680662.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhhbh.exec:\thhhbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvdv.exec:\ddvdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6004048.exec:\6004048.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\864402.exec:\864402.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2084466.exec:\2084466.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04646.exec:\04646.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdvp.exec:\pvdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btbhbb.exec:\btbhbb.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\k84488.exec:\k84488.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnthbb.exec:\tnthbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2288006.exec:\2288006.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlrrx.exec:\rlrlrrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrrrrr.exec:\llrrrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8684888.exec:\8684888.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htbttb.exec:\htbttb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4826628.exec:\4826628.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\k82266.exec:\k82266.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflrrxl.exec:\lflrrxl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\468822.exec:\468822.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e40000.exec:\e40000.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\402622.exec:\402622.exe23⤵
- Executes dropped EXE
-
\??\c:\pdjjd.exec:\pdjjd.exe24⤵
- Executes dropped EXE
-
\??\c:\04486.exec:\04486.exe25⤵
- Executes dropped EXE
-
\??\c:\btbhhn.exec:\btbhhn.exe26⤵
- Executes dropped EXE
-
\??\c:\hhbbbb.exec:\hhbbbb.exe27⤵
- Executes dropped EXE
-
\??\c:\nhnbtn.exec:\nhnbtn.exe28⤵
- Executes dropped EXE
-
\??\c:\622204.exec:\622204.exe29⤵
- Executes dropped EXE
-
\??\c:\026244.exec:\026244.exe30⤵
- Executes dropped EXE
-
\??\c:\fxrllll.exec:\fxrllll.exe31⤵
- Executes dropped EXE
-
\??\c:\8000660.exec:\8000660.exe32⤵
- Executes dropped EXE
-
\??\c:\nnhthb.exec:\nnhthb.exe33⤵
- Executes dropped EXE
-
\??\c:\8888288.exec:\8888288.exe34⤵
- Executes dropped EXE
-
\??\c:\246600.exec:\246600.exe35⤵
- Executes dropped EXE
-
\??\c:\rxxrllf.exec:\rxxrllf.exe36⤵
- Executes dropped EXE
-
\??\c:\66888.exec:\66888.exe37⤵
- Executes dropped EXE
-
\??\c:\vpjpj.exec:\vpjpj.exe38⤵
- Executes dropped EXE
-
\??\c:\028266.exec:\028266.exe39⤵
- Executes dropped EXE
-
\??\c:\i044220.exec:\i044220.exe40⤵
- Executes dropped EXE
-
\??\c:\3lrrflx.exec:\3lrrflx.exe41⤵
- Executes dropped EXE
-
\??\c:\fxfxrxx.exec:\fxfxrxx.exe42⤵
- Executes dropped EXE
-
\??\c:\c028282.exec:\c028282.exe43⤵
- Executes dropped EXE
-
\??\c:\bnnthh.exec:\bnnthh.exe44⤵
- Executes dropped EXE
-
\??\c:\2026040.exec:\2026040.exe45⤵
- Executes dropped EXE
-
\??\c:\6422604.exec:\6422604.exe46⤵
- Executes dropped EXE
-
\??\c:\nnnnhb.exec:\nnnnhb.exe47⤵
- Executes dropped EXE
-
\??\c:\jjjdv.exec:\jjjdv.exe48⤵
- Executes dropped EXE
-
\??\c:\7hnbtt.exec:\7hnbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\jddvv.exec:\jddvv.exe50⤵
- Executes dropped EXE
-
\??\c:\0000888.exec:\0000888.exe51⤵
- Executes dropped EXE
-
\??\c:\ttntnn.exec:\ttntnn.exe52⤵
- Executes dropped EXE
-
\??\c:\0428666.exec:\0428666.exe53⤵
- Executes dropped EXE
-
\??\c:\6400080.exec:\6400080.exe54⤵
- Executes dropped EXE
-
\??\c:\jdddd.exec:\jdddd.exe55⤵
- Executes dropped EXE
-
\??\c:\frrrlrr.exec:\frrrlrr.exe56⤵
- Executes dropped EXE
-
\??\c:\424884.exec:\424884.exe57⤵
- Executes dropped EXE
-
\??\c:\s8444.exec:\s8444.exe58⤵
- Executes dropped EXE
-
\??\c:\jpvvp.exec:\jpvvp.exe59⤵
- Executes dropped EXE
-
\??\c:\20226.exec:\20226.exe60⤵
- Executes dropped EXE
-
\??\c:\28048.exec:\28048.exe61⤵
- Executes dropped EXE
-
\??\c:\a6048.exec:\a6048.exe62⤵
- Executes dropped EXE
-
\??\c:\bbttnn.exec:\bbttnn.exe63⤵
- Executes dropped EXE
-
\??\c:\624600.exec:\624600.exe64⤵
- Executes dropped EXE
-
\??\c:\206044.exec:\206044.exe65⤵
- Executes dropped EXE
-
\??\c:\5lxfxxr.exec:\5lxfxxr.exe66⤵
-
\??\c:\vppjv.exec:\vppjv.exe67⤵
-
\??\c:\22860.exec:\22860.exe68⤵
-
\??\c:\jdvpp.exec:\jdvpp.exe69⤵
-
\??\c:\3vpjv.exec:\3vpjv.exe70⤵
-
\??\c:\a8204.exec:\a8204.exe71⤵
-
\??\c:\o044882.exec:\o044882.exe72⤵
-
\??\c:\20862.exec:\20862.exe73⤵
-
\??\c:\88486.exec:\88486.exe74⤵
-
\??\c:\pjpjj.exec:\pjpjj.exe75⤵
-
\??\c:\xrrrlff.exec:\xrrrlff.exe76⤵
-
\??\c:\c086268.exec:\c086268.exe77⤵
-
\??\c:\bntnhb.exec:\bntnhb.exe78⤵
-
\??\c:\bbthtn.exec:\bbthtn.exe79⤵
-
\??\c:\vdjdd.exec:\vdjdd.exe80⤵
-
\??\c:\vvdpj.exec:\vvdpj.exe81⤵
-
\??\c:\4800446.exec:\4800446.exe82⤵
-
\??\c:\jjddv.exec:\jjddv.exe83⤵
-
\??\c:\rlfrlff.exec:\rlfrlff.exe84⤵
-
\??\c:\86824.exec:\86824.exe85⤵
-
\??\c:\9djjp.exec:\9djjp.exe86⤵
-
\??\c:\jjjdd.exec:\jjjdd.exe87⤵
-
\??\c:\xrflxfx.exec:\xrflxfx.exe88⤵
-
\??\c:\428844.exec:\428844.exe89⤵
-
\??\c:\662200.exec:\662200.exe90⤵
-
\??\c:\httnnn.exec:\httnnn.exe91⤵
-
\??\c:\httttt.exec:\httttt.exe92⤵
-
\??\c:\llffxxx.exec:\llffxxx.exe93⤵
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe94⤵
-
\??\c:\g0828.exec:\g0828.exe95⤵
-
\??\c:\lrrrlrr.exec:\lrrrlrr.exe96⤵
-
\??\c:\xrfxfff.exec:\xrfxfff.exe97⤵
-
\??\c:\pjvvp.exec:\pjvvp.exe98⤵
-
\??\c:\nttttt.exec:\nttttt.exe99⤵
-
\??\c:\1nnhbb.exec:\1nnhbb.exe100⤵
-
\??\c:\26884.exec:\26884.exe101⤵
-
\??\c:\48422.exec:\48422.exe102⤵
-
\??\c:\0404448.exec:\0404448.exe103⤵
-
\??\c:\9tbttt.exec:\9tbttt.exe104⤵
-
\??\c:\xfrrxrr.exec:\xfrrxrr.exe105⤵
-
\??\c:\6000444.exec:\6000444.exe106⤵
-
\??\c:\lllrrxx.exec:\lllrrxx.exe107⤵
-
\??\c:\840044.exec:\840044.exe108⤵
-
\??\c:\jvpvj.exec:\jvpvj.exe109⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe110⤵
-
\??\c:\jvddp.exec:\jvddp.exe111⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vjvvp.exec:\vjvvp.exe112⤵
-
\??\c:\82800.exec:\82800.exe113⤵
-
\??\c:\ppddj.exec:\ppddj.exe114⤵
-
\??\c:\420666.exec:\420666.exe115⤵
-
\??\c:\ppppp.exec:\ppppp.exe116⤵
-
\??\c:\llxrrrf.exec:\llxrrrf.exe117⤵
-
\??\c:\jdjdv.exec:\jdjdv.exe118⤵
-
\??\c:\pdjdp.exec:\pdjdp.exe119⤵
-
\??\c:\3jppd.exec:\3jppd.exe120⤵
-
\??\c:\u022444.exec:\u022444.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-