Analysis

  • max time kernel
    93s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2024, 05:15 UTC

General

  • Target

    run me as admin.bat

  • Size

    111B

  • MD5

    32ebd1b51e027f5eb86c7cd3bf98f661

  • SHA1

    9f94f463b0c60e73cb6d9a221feb86da05bf5582

  • SHA256

    49941008e16ca6b79cc4949da034da2696d7f78d6664b74afcd11902eb76c3c9

  • SHA512

    4540c9d9ea0e58e889d29d50cb22bb4e0d5c401475127c529d9abacf9ea0c3a9aa8b22ca1b13fd6da98f0452b8e7d22111b59bc520b57601e3d6e606c0d48b35

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Script User-Agent 1 IoCs

    Uses a user-agent string associated with a script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run me as admin.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\GF.DATA,Win10
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\GF.DATA,Win10
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1772

Network

  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    note.youdao.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    note.youdao.com
    IN A
    Response
    note.youdao.com
    IN CNAME
    note.ntes53.netease.com
    note.ntes53.netease.com
    IN CNAME
    note.youdao.com.163jiasu.com
    note.youdao.com.163jiasu.com
    IN CNAME
    note.youdao.com.w.kunluncan.com
    note.youdao.com.w.kunluncan.com
    IN A
    163.181.154.242
    note.youdao.com.w.kunluncan.com
    IN A
    163.181.154.244
    note.youdao.com.w.kunluncan.com
    IN A
    163.181.154.238
    note.youdao.com.w.kunluncan.com
    IN A
    163.181.154.240
    note.youdao.com.w.kunluncan.com
    IN A
    163.181.154.237
    note.youdao.com.w.kunluncan.com
    IN A
    163.181.154.241
    note.youdao.com.w.kunluncan.com
    IN A
    163.181.154.243
    note.youdao.com.w.kunluncan.com
    IN A
    163.181.154.239
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-gb
    GET
    https://note.youdao.com/s/QAtdKm1D
    rundll32.exe
    Remote address:
    163.181.154.242:443
    Request
    GET /s/QAtdKm1D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:12.0) like Gecko
    Host: note.youdao.com
    Response
    HTTP/1.1 302 Moved Temporarily
    Server: Tengine
    Content-Length: 0
    Connection: keep-alive
    Date: Sun, 22 Dec 2024 05:15:33 GMT
    Lingxi-Traceid: b7164a5cc8a0403abf1a8685^1730359001434^971050346
    Location: https://note.youdao.com/noteshare?id=c1962491b2c6b41be120ded4796a7c56
    X-Envoy-Upstream-Service-Time: 2
    Via: cache28.l2nu20-8[34,34,302-0,M], cache48.l2nu20-8[35,0], cache29.l2sg2[104,104,302-0,M], cache1.l2sg2[105,0], ens-cache15.l2de3[259,258,302-0,M], ens-cache3.l2de3[259,0], ens-cache25.gb4[276,275,302-0,M], ens-cache21.gb4[279,0]
    Ali-Swift-Global-Savetime: 1734844533
    X-Cache: MISS TCP_MISS dirn:-2:-2
    X-Swift-SaveTime: Sun, 22 Dec 2024 05:15:33 GMT
    X-Swift-CacheTime: 0
    cdn-user-ip: 181.215.176.83
    cdn-source: ali
    cdn-ip: 163.181.154.242
    Timing-Allow-Origin: *
    EagleId: a3b59aa917348445331558407e
  • flag-gb
    GET
    https://note.youdao.com/yws/api/personal/share?method=get&shareKey=c1962491b2c6b41be120ded4796a7c56
    rundll32.exe
    Remote address:
    163.181.154.242:443
    Request
    GET /yws/api/personal/share?method=get&shareKey=c1962491b2c6b41be120ded4796a7c56 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: note.youdao.com
    Response
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: text/json;charset=UTF-8
    Content-Length: 5755
    Connection: keep-alive
    Date: Sun, 22 Dec 2024 05:15:33 GMT
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    Cache-Control: no-cache, no-store, must-revalidate
    Content-Language: en-US
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Lingxi-Traceid: 3d4881f628734430a67773d3^1697549702646^1783490713
    Pragma: no-cache
    X-Envoy-Upstream-Service-Time: 68
    Via: cache20.l2nu20-8[99,98,200-0,M], cache26.l2nu20-8[100,0], cache36.l2hk3[130,130,200-0,M], cache1.l2hk3[131,0], ens-cache12.l2de3[318,318,200-0,M], ens-cache6.l2de3[319,0], ens-cache9.gb4[336,335,200-0,M], ens-cache21.gb4[341,0]
    Ali-Swift-Global-Savetime: 1734844533
    X-Cache: MISS TCP_MISS dirn:-2:-2
    X-Swift-SaveTime: Sun, 22 Dec 2024 05:15:33 GMT
    X-Swift-CacheTime: 0
    cdn-user-ip: 181.215.176.83
    cdn-source: ali
    cdn-ip: 163.181.154.242
    Timing-Allow-Origin: *
    EagleId: a3b59aa917348445335578610e
  • flag-gb
    GET
    https://note.youdao.com/s/I209b0Zd
    rundll32.exe
    Remote address:
    163.181.154.242:443
    Request
    GET /s/I209b0Zd HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:12.0) like Gecko
    Host: note.youdao.com
    Response
    HTTP/1.1 302 Moved Temporarily
    Server: Tengine
    Content-Length: 0
    Connection: keep-alive
    Date: Sun, 22 Dec 2024 05:15:34 GMT
    Lingxi-Traceid: c79739a6efad4fa08903b893^1713661075144^193949946
    Location: https://note.youdao.com/noteshare?id=868ac900e3086be35be080c4ccf044e4
    X-Envoy-Upstream-Service-Time: 2
    Via: cache14.l2nu20-8[46,46,302-0,M], cache17.l2nu20-8[47,0], cache19.l2sg2[112,111,302-0,M], cache18.l2sg2[113,0], ens-cache11.l2de3[264,264,302-0,M], ens-cache3.l2de3[265,0], ens-cache26.gb4[284,283,302-0,M], ens-cache21.gb4[287,0]
    Ali-Swift-Global-Savetime: 1734844534
    X-Cache: MISS TCP_MISS dirn:-2:-2
    X-Swift-SaveTime: Sun, 22 Dec 2024 05:15:34 GMT
    X-Swift-CacheTime: 0
    cdn-user-ip: 181.215.176.83
    cdn-source: ali
    cdn-ip: 163.181.154.242
    Timing-Allow-Origin: *
    EagleId: a3b59aa917348445339788838e
  • flag-gb
    GET
    https://note.youdao.com/yws/api/personal/share?method=get&shareKey=868ac900e3086be35be080c4ccf044e4
    rundll32.exe
    Remote address:
    163.181.154.242:443
    Request
    GET /yws/api/personal/share?method=get&shareKey=868ac900e3086be35be080c4ccf044e4 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: note.youdao.com
    Response
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: text/json;charset=UTF-8
    Content-Length: 5021
    Connection: keep-alive
    Date: Sun, 22 Dec 2024 05:15:34 GMT
    Vary: Accept-Encoding
    Vary: Accept-Encoding
    Cache-Control: no-cache, no-store, must-revalidate
    Content-Language: en-US
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Lingxi-Traceid: f7efad88b05c4aedb9a96a4e^1730359001434^971050513
    Pragma: no-cache
    X-Envoy-Upstream-Service-Time: 17
    Via: cache45.l2nu20-8[50,50,200-0,M], cache34.l2nu20-8[51,0], cache10.l2sg2[114,113,200-0,M], cache18.l2sg2[115,0], ens-cache17.l2de3[269,269,200-0,M], ens-cache16.l2de3[271,0], ens-cache4.gb4[289,289,200-0,M], ens-cache21.gb4[294,0]
    Ali-Swift-Global-Savetime: 1734844534
    X-Cache: MISS TCP_MISS dirn:-2:-2
    X-Swift-SaveTime: Sun, 22 Dec 2024 05:15:34 GMT
    X-Swift-CacheTime: 0
    cdn-user-ip: 181.215.176.83
    cdn-source: ali
    cdn-ip: 163.181.154.242
    Timing-Allow-Origin: *
    EagleId: a3b59aa917348445343311056e
  • flag-us
    DNS
    242.154.181.163.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    242.154.181.163.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    69.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-gb
    GET
    http://note.youdao.com/yws/api/personal/file/WEBff9be8798017e1e00cd12e80dcc38a6f?method=download&inline=true&shareKey=868ac900e3086be35be080c4ccf044e4
    rundll32.exe
    Remote address:
    163.181.154.242:80
    Request
    GET /yws/api/personal/file/WEBff9be8798017e1e00cd12e80dcc38a6f?method=download&inline=true&shareKey=868ac900e3086be35be080c4ccf044e4 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Cookie: YNOTE_SESS=v2|Wz0zAgKz5VY5kLJ46MTB0zWRHP4OLqu0guhHquhfpy0Py6LOEnfwLRwZ6MqLhHkWRPK0fYMOMQF0zfOMwyh4qF0p4nMPZhLkM0;YNOTE_LOGIN=5;
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:12.0) like Gecko
    Host: note.youdao.com
    Response
    HTTP/1.1 302 Moved Temporarily
    Server: Tengine
    Content-Length: 0
    Connection: keep-alive
    Date: Sun, 22 Dec 2024 05:15:35 GMT
    Cache-Control: no-cache, no-store, must-revalidate,no-cache, no-store, must-revalidate
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Lingxi-Traceid: 3c8fa9a45043434a80c3d224^1697547004101^1250237703
    Location: https://bucket-ynote-online-cdn.note.youdao.com/qq59CCB7E676AF5C4D9B6C94F2ED36B3AA%2FFACFBE096F8E46E8A69DC62CED282560?filename=Config.ini&Signature=9A52D5smTTGsBTBsITtrGqKtCNWGPnEKLCiraeaHElI%3D&Expires=1734851734&NOSAccessKeyId=e7d1acab859342789faa85a4b0cb4c83
    Pragma: no-cache
    Pragma: no-cache
    X-Envoy-Upstream-Service-Time: 14
    Via: cache42.l2nu20-8[78,78,302-0,M], cache49.l2nu20-8[79,0], cache38.l2sg2[149,149,302-0,M], cache21.l2sg2[151,0], ens-cache2.l2de3[301,301,302-0,M], ens-cache1.l2de3[303,0], ens-cache23.gb4[320,319,302-0,M], ens-cache11.gb4[321,0]
    Ali-Swift-Global-Savetime: 1734844535
    X-Cache: MISS TCP_MISS dirn:-2:-2
    X-Swift-SaveTime: Sun, 22 Dec 2024 05:15:35 GMT
    X-Swift-CacheTime: 0
    cdn-user-ip: 181.215.176.83
    cdn-source: ali
    cdn-ip: 163.181.154.242
    Timing-Allow-Origin: *
    EagleId: a3b59a9f17348445347872389e
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    bucket-ynote-online-cdn.note.youdao.com
    rundll32.exe
    Remote address:
    8.8.8.8:53
    Request
    bucket-ynote-online-cdn.note.youdao.com
    IN A
    Response
    bucket-ynote-online-cdn.note.youdao.com
    IN CNAME
    bucket-ynote-online-cdn.note.youdao.com.163jiasu.com
    bucket-ynote-online-cdn.note.youdao.com.163jiasu.com
    IN CNAME
    bucket-ynote-online-cdn.note.youdao.com.w.kunluncan.com
    bucket-ynote-online-cdn.note.youdao.com.w.kunluncan.com
    IN A
    180.163.147.218
    bucket-ynote-online-cdn.note.youdao.com.w.kunluncan.com
    IN A
    180.163.147.215
    bucket-ynote-online-cdn.note.youdao.com.w.kunluncan.com
    IN A
    180.163.147.219
    bucket-ynote-online-cdn.note.youdao.com.w.kunluncan.com
    IN A
    180.163.147.221
    bucket-ynote-online-cdn.note.youdao.com.w.kunluncan.com
    IN A
    180.163.147.217
    bucket-ynote-online-cdn.note.youdao.com.w.kunluncan.com
    IN A
    180.163.147.214
    bucket-ynote-online-cdn.note.youdao.com.w.kunluncan.com
    IN A
    180.163.147.220
    bucket-ynote-online-cdn.note.youdao.com.w.kunluncan.com
    IN A
    180.163.147.216
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • 163.181.154.242:443
    https://note.youdao.com/yws/api/personal/share?method=get&shareKey=868ac900e3086be35be080c4ccf044e4
    tls, http
    rundll32.exe
    2.0kB
    20.7kB
    18
    24

    HTTP Request

    GET https://note.youdao.com/s/QAtdKm1D

    HTTP Response

    302

    HTTP Request

    GET https://note.youdao.com/yws/api/personal/share?method=get&shareKey=c1962491b2c6b41be120ded4796a7c56

    HTTP Response

    200

    HTTP Request

    GET https://note.youdao.com/s/I209b0Zd

    HTTP Response

    302

    HTTP Request

    GET https://note.youdao.com/yws/api/personal/share?method=get&shareKey=868ac900e3086be35be080c4ccf044e4

    HTTP Response

    200
  • 163.181.154.242:80
    http://note.youdao.com/yws/api/personal/file/WEBff9be8798017e1e00cd12e80dcc38a6f?method=download&inline=true&shareKey=868ac900e3086be35be080c4ccf044e4
    http
    rundll32.exe
    655 B
    1.4kB
    5
    4

    HTTP Request

    GET http://note.youdao.com/yws/api/personal/file/WEBff9be8798017e1e00cd12e80dcc38a6f?method=download&inline=true&shareKey=868ac900e3086be35be080c4ccf044e4

    HTTP Response

    302
  • 180.163.147.218:443
    bucket-ynote-online-cdn.note.youdao.com
    rundll32.exe
    260 B
    5
  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    note.youdao.com
    dns
    rundll32.exe
    61 B
    304 B
    1
    1

    DNS Request

    note.youdao.com

    DNS Response

    163.181.154.242
    163.181.154.244
    163.181.154.238
    163.181.154.240
    163.181.154.237
    163.181.154.241
    163.181.154.243
    163.181.154.239

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    242.154.181.163.in-addr.arpa
    dns
    74 B
    145 B
    1
    1

    DNS Request

    242.154.181.163.in-addr.arpa

  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    69.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    bucket-ynote-online-cdn.note.youdao.com
    dns
    rundll32.exe
    85 B
    342 B
    1
    1

    DNS Request

    bucket-ynote-online-cdn.note.youdao.com

    DNS Response

    180.163.147.218
    180.163.147.215
    180.163.147.219
    180.163.147.221
    180.163.147.217
    180.163.147.214
    180.163.147.220
    180.163.147.216

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1772-0-0x0000000010027000-0x00000000103B2000-memory.dmp

    Filesize

    3.5MB

  • memory/1772-2-0x00000000006A0000-0x00000000006A1000-memory.dmp

    Filesize

    4KB

  • memory/1772-1-0x0000000000690000-0x0000000000691000-memory.dmp

    Filesize

    4KB

  • memory/1772-3-0x0000000010000000-0x00000000106EB000-memory.dmp

    Filesize

    6.9MB

  • memory/1772-4-0x0000000010027000-0x00000000103B2000-memory.dmp

    Filesize

    3.5MB

  • memory/1772-5-0x0000000010000000-0x00000000106EB000-memory.dmp

    Filesize

    6.9MB
