Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18/12/2024, 21:24
General
-
Target
4efbe558859c51d8abbe470c1aad9054f7dc0a2493c8f823b990894b4f74ab3d.exe
-
Size
82KB
-
MD5
a67205c38d1e1643d6857a8ded9c3d0f
-
SHA1
c19a68e2cbea3217f0b6c44a9e5ba085ab3bb44b
-
SHA256
4efbe558859c51d8abbe470c1aad9054f7dc0a2493c8f823b990894b4f74ab3d
-
SHA512
8c5eaaad694f32815a430b6d3e58a823d12e48d019beda495e1a2417f797751f492577d900db334d821ddc33c7c4339cd2121897f2f05b8eb7e1d802220625a9
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4yeqa:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu4rS
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4efbe558859c51d8abbe470c1aad9054f7dc0a2493c8f823b990894b4f74ab3d.exe"C:\Users\Admin\AppData\Local\Temp\4efbe558859c51d8abbe470c1aad9054f7dc0a2493c8f823b990894b4f74ab3d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lfflxxf.exec:\lfflxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0620482.exec:\0620482.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\m4482.exec:\m4482.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxlxfr.exec:\lxxlxfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrfxrf.exec:\xlrfxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnbbb.exec:\bbnbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjvd.exec:\jdjvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\e80022.exec:\e80022.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0008260.exec:\0008260.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrxrffr.exec:\lrxrffr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ppjv.exec:\1ppjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7jjvj.exec:\7jjvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\64600.exec:\64600.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\842802.exec:\842802.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\262604.exec:\262604.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\88608.exec:\88608.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\866240.exec:\866240.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpvpp.exec:\dpvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6400600.exec:\6400600.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\668826.exec:\668826.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6260848.exec:\6260848.exe23⤵
- Executes dropped EXE
-
\??\c:\6248260.exec:\6248260.exe24⤵
- Executes dropped EXE
-
\??\c:\rxfxlrl.exec:\rxfxlrl.exe25⤵
- Executes dropped EXE
-
\??\c:\fflxrxl.exec:\fflxrxl.exe26⤵
- Executes dropped EXE
-
\??\c:\66264.exec:\66264.exe27⤵
- Executes dropped EXE
-
\??\c:\86686.exec:\86686.exe28⤵
- Executes dropped EXE
-
\??\c:\httthn.exec:\httthn.exe29⤵
- Executes dropped EXE
-
\??\c:\lffxrlr.exec:\lffxrlr.exe30⤵
- Executes dropped EXE
-
\??\c:\bbbnhb.exec:\bbbnhb.exe31⤵
- Executes dropped EXE
-
\??\c:\208684.exec:\208684.exe32⤵
- Executes dropped EXE
-
\??\c:\u226048.exec:\u226048.exe33⤵
- Executes dropped EXE
-
\??\c:\tntnnh.exec:\tntnnh.exe34⤵
- Executes dropped EXE
-
\??\c:\044420.exec:\044420.exe35⤵
- Executes dropped EXE
-
\??\c:\1dvdp.exec:\1dvdp.exe36⤵
- Executes dropped EXE
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe37⤵
- Executes dropped EXE
-
\??\c:\084242.exec:\084242.exe38⤵
- Executes dropped EXE
-
\??\c:\462042.exec:\462042.exe39⤵
- Executes dropped EXE
-
\??\c:\rlfrfff.exec:\rlfrfff.exe40⤵
- Executes dropped EXE
-
\??\c:\844426.exec:\844426.exe41⤵
- Executes dropped EXE
-
\??\c:\600084.exec:\600084.exe42⤵
- Executes dropped EXE
-
\??\c:\hhhnnb.exec:\hhhnnb.exe43⤵
- Executes dropped EXE
-
\??\c:\frrrfxf.exec:\frrrfxf.exe44⤵
- Executes dropped EXE
-
\??\c:\fxfllxx.exec:\fxfllxx.exe45⤵
- Executes dropped EXE
-
\??\c:\5bhtbb.exec:\5bhtbb.exe46⤵
- Executes dropped EXE
-
\??\c:\bnnhtt.exec:\bnnhtt.exe47⤵
- Executes dropped EXE
-
\??\c:\644826.exec:\644826.exe48⤵
- Executes dropped EXE
-
\??\c:\644860.exec:\644860.exe49⤵
- Executes dropped EXE
-
\??\c:\8220060.exec:\8220060.exe50⤵
- Executes dropped EXE
-
\??\c:\4048264.exec:\4048264.exe51⤵
- Executes dropped EXE
-
\??\c:\a8864.exec:\a8864.exe52⤵
- Executes dropped EXE
-
\??\c:\880242.exec:\880242.exe53⤵
- Executes dropped EXE
-
\??\c:\nhthth.exec:\nhthth.exe54⤵
- Executes dropped EXE
-
\??\c:\7xrrffx.exec:\7xrrffx.exe55⤵
- Executes dropped EXE
-
\??\c:\q24222.exec:\q24222.exe56⤵
- Executes dropped EXE
-
\??\c:\2424420.exec:\2424420.exe57⤵
- Executes dropped EXE
-
\??\c:\228200.exec:\228200.exe58⤵
- Executes dropped EXE
-
\??\c:\k28200.exec:\k28200.exe59⤵
- Executes dropped EXE
-
\??\c:\08442.exec:\08442.exe60⤵
- Executes dropped EXE
-
\??\c:\btnhbt.exec:\btnhbt.exe61⤵
- Executes dropped EXE
-
\??\c:\4026448.exec:\4026448.exe62⤵
- Executes dropped EXE
-
\??\c:\04268.exec:\04268.exe63⤵
- Executes dropped EXE
-
\??\c:\606266.exec:\606266.exe64⤵
- Executes dropped EXE
-
\??\c:\nttnnh.exec:\nttnnh.exe65⤵
- Executes dropped EXE
-
\??\c:\dvvjv.exec:\dvvjv.exe66⤵
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe67⤵
-
\??\c:\xlrlffx.exec:\xlrlffx.exe68⤵
-
\??\c:\3bthbt.exec:\3bthbt.exe69⤵
-
\??\c:\bhhthh.exec:\bhhthh.exe70⤵
- System Location Discovery: System Language Discovery
-
\??\c:\g4664.exec:\g4664.exe71⤵
-
\??\c:\46260.exec:\46260.exe72⤵
-
\??\c:\frxrllf.exec:\frxrllf.exe73⤵
-
\??\c:\5fllrrl.exec:\5fllrrl.exe74⤵
-
\??\c:\84626.exec:\84626.exe75⤵
-
\??\c:\6008228.exec:\6008228.exe76⤵
-
\??\c:\bhhhhh.exec:\bhhhhh.exe77⤵
-
\??\c:\tbtttt.exec:\tbtttt.exe78⤵
-
\??\c:\hthbtb.exec:\hthbtb.exe79⤵
-
\??\c:\hhbtnn.exec:\hhbtnn.exe80⤵
-
\??\c:\0404444.exec:\0404444.exe81⤵
-
\??\c:\68264.exec:\68264.exe82⤵
-
\??\c:\022222.exec:\022222.exe83⤵
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe84⤵
-
\??\c:\406042.exec:\406042.exe85⤵
-
\??\c:\c488444.exec:\c488444.exe86⤵
-
\??\c:\8626860.exec:\8626860.exe87⤵
-
\??\c:\0026884.exec:\0026884.exe88⤵
- System Location Discovery: System Language Discovery
-
\??\c:\rfxxrrr.exec:\rfxxrrr.exe89⤵
-
\??\c:\htbnht.exec:\htbnht.exe90⤵
-
\??\c:\jvvvv.exec:\jvvvv.exe91⤵
-
\??\c:\0440620.exec:\0440620.exe92⤵
-
\??\c:\dpvjj.exec:\dpvjj.exe93⤵
-
\??\c:\06660.exec:\06660.exe94⤵
-
\??\c:\7xxrffr.exec:\7xxrffr.exe95⤵
-
\??\c:\djvvp.exec:\djvvp.exe96⤵
-
\??\c:\g4086.exec:\g4086.exe97⤵
-
\??\c:\0004260.exec:\0004260.exe98⤵
-
\??\c:\6482626.exec:\6482626.exe99⤵
-
\??\c:\c648248.exec:\c648248.exe100⤵
-
\??\c:\880246.exec:\880246.exe101⤵
-
\??\c:\xlffrrl.exec:\xlffrrl.exe102⤵
-
\??\c:\fxrrfxr.exec:\fxrrfxr.exe103⤵
-
\??\c:\bntnhh.exec:\bntnhh.exe104⤵
-
\??\c:\c022662.exec:\c022662.exe105⤵
-
\??\c:\rflrfxr.exec:\rflrfxr.exe106⤵
-
\??\c:\bnnnhh.exec:\bnnnhh.exe107⤵
-
\??\c:\8066666.exec:\8066666.exe108⤵
-
\??\c:\lxxxlll.exec:\lxxxlll.exe109⤵
-
\??\c:\8844226.exec:\8844226.exe110⤵
-
\??\c:\9jpjv.exec:\9jpjv.exe111⤵
-
\??\c:\tbhhhb.exec:\tbhhhb.exe112⤵
-
\??\c:\a8088.exec:\a8088.exe113⤵
-
\??\c:\rrfxrlf.exec:\rrfxrlf.exe114⤵
-
\??\c:\844860.exec:\844860.exe115⤵
-
\??\c:\4404888.exec:\4404888.exe116⤵
-
\??\c:\vpjjd.exec:\vpjjd.exe117⤵
-
\??\c:\c442604.exec:\c442604.exe118⤵
-
\??\c:\pdjdd.exec:\pdjdd.exe119⤵
-
\??\c:\08484.exec:\08484.exe120⤵
-
\??\c:\1ffrfrf.exec:\1ffrfrf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-