Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/12/2024, 04:55
Behavioral task: behavioral1
- Sample: 99ebea7b7ddaf3aabe69feeff7d55743d15e036184dab086170b8849d7aee700.exe
- Resource: win7-20240903-en
General
- Target: 99ebea7b7ddaf3aabe69feeff7d55743d15e036184dab086170b8849d7aee700.exe
- Size: 357KB
- MD5: 6b47674ad50a1b4ccbb496405e61e04c
- SHA1: 8c49abe1fbff4e5a928fbbb9df9b4da8fc766cad
- SHA256: 99ebea7b7ddaf3aabe69feeff7d55743d15e036184dab086170b8849d7aee700
- SHA512: cc140fbd622b218a8b27bc01e64102a5d4d3938534437ffd8108889335e78f799c8426af67925354e8aacfebcc750f9b1d7f65748cac9722f169962fb86ed380
- SSDEEP: 6144:mvk3Q5ibjnNuuXckaL7pbRBkce97aw/N4L7oR:mvMQ5ibjnwka3pbRC19Gw/NsoR
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (1 IoC)
  resource: behavioral1/files/0x00070000000164c8-13.dat; yara_rule: family_blackmoon
- Deletes itself (1 IoC)
  PID 2620, process Systemygbpl.exe
- Executes dropped EXE (1 IoC)
  PID 2620, process Systemygbpl.exe
- Loads dropped DLL (2 IoCs)
  PID 2496, process 99ebea7b7ddaf3aabe69feeff7d55743d15e036184dab086170b8849d7aee700.exe (2 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: 99ebea7b7ddaf3aabe69feeff7d55743d15e036184dab086170b8849d7aee700.exe
- Suspicious behavior: EnumeratesProcesses (59 IoCs)
  PID 2496, process 99ebea7b7ddaf3aabe69feeff7d55743d15e036184dab086170b8849d7aee700.exe (6 entries); PID 2620, process Systemygbpl.exe (the remaining 53 of the 59 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2496 (99ebea7b7ddaf3aabe69feeff7d55743d15e036184dab086170b8849d7aee700.exe) wrote to memory of PID 2620, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\99ebea7b7ddaf3aabe69feeff7d55743d15e036184dab086170b8849d7aee700.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\99ebea7b7ddaf3aabe69feeff7d55743d15e036184dab086170b8849d7aee700.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2496
- C:\Users\Admin\AppData\Local\Temp\Systemygbpl.exe (depth 2, child of the process above)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Systemygbpl.exe"
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 2620
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 357KB
  MD5: 7632c236a34349539369753f3aba1ebb
  SHA1: c27f3ca0c4a949bac14098fbe361dc50d75d05bb
  SHA256: de95f2864923bbf8832e7cdd71321876f25ceff8443698661bddfea84b2f1650
  SHA512: 20a91027fb7dd6364ec34d3b371e693be2a94453da996ba6c3417d268e13493f53dd876a551267f6961a7b90a6c7bc98debac76e2e6e40c52f16dc189948e3ab
- Filesize: 102B
  MD5: 018fe4448883aeb32e332a39feaa0fdb
  SHA1: 8322dcbcce6f23511efa33a370d572b60adf5761
  SHA256: 65071fa34f9d135d889ab212416d1c6b2c2bb60f204aff693b3aeebbbf1d9f6f
  SHA512: ddad3b6a06ec46fb9f9c9530d52f96b7d16b482d2fa0d0e472204ebd2f4c249fe068c5642a96f741d511a17e9b28aba51ffe8f3c82ebb4182ae7d88cf26d579d