Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    22/12/2024, 15:37

General

  • Target

    d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe

  • Size

    74KB

  • MD5

    bcd4c107a4e12b065004c4ce99857bae

  • SHA1

    6431fb3a13bf0338f84586ae2f1f4e559704e283

  • SHA256

    d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d

  • SHA512

    39f69d0adc9f902791377e2ff697b41ebb8fee9493004f62ea1c491d139b1afbd24912e3a9f3cb2d24af6b2eb6c6862382f9961dbdaa32a9dc1d448c63d2745d

  • SSDEEP

    1536:IyfIcT9U1tPrgQvhLopacl1TsQk0NJP/PAjgas/3VUN0YWZPnouy8L1:VfIS2vhLoz5sQkqgjg1YWZfoutJ

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe
    "C:\Users\Admin\AppData\Local\Temp\d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Users\Admin\AppData\Local\Temp\Syslemtxnrz.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemtxnrz.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    bc1a09b32c052e6b3498150233ff5cfe

    SHA1

    5a111e3bb1a66a07acbae2ef19fd67f80f834531

    SHA256

    a15f6dd76844ec33b59a1d69643912fb578f9cbf2ac65a981f274a050339e50f

    SHA512

    205366823044abd3153d054dd5f37bd32b5c27c0467aec37dcbd0eff84e8d4285fa7765dc106ccc07528689704894ab69f15d89e9d7af7ebdac087c8590e0fa6

  • \Users\Admin\AppData\Local\Temp\Syslemtxnrz.exe

    Filesize

    74KB

    MD5

    63d8a58fad9fe65f47c13bcb3cd34e99

    SHA1

    e59e9b0304f53cb2abba2462daf29e2a688798e4

    SHA256

    7608c93d7dbe3aa7e0779677ca3646a82fdad6f55660688d35600d172653fee4

    SHA512

    239b2162ca5a9c110524169d2d31f5c1d955ecc72e47c42d9361d9a30820a7f7c4f7066e9a7b7ecca10f2d423498b92a34415839b92829dc4de419a145b45d4d

  • memory/2596-0-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/2596-7-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/2596-16-0x00000000036E0000-0x000000000374F000-memory.dmp

    Filesize

    444KB

  • memory/2596-15-0x00000000036E0000-0x000000000374F000-memory.dmp

    Filesize

    444KB

  • memory/2900-21-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB