Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 15:37
Behavioral task: behavioral1
Sample: d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe
Resource: win7-20241023-en
General
- Target: d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe
- Size: 74KB
- MD5: bcd4c107a4e12b065004c4ce99857bae
- SHA1: 6431fb3a13bf0338f84586ae2f1f4e559704e283
- SHA256: d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d
- SHA512: 39f69d0adc9f902791377e2ff697b41ebb8fee9493004f62ea1c491d139b1afbd24912e3a9f3cb2d24af6b2eb6c6862382f9961dbdaa32a9dc1d448c63d2745d
- SSDEEP: 1536:IyfIcT9U1tPrgQvhLopacl1TsQk0NJP/PAjgas/3VUN0YWZPnouy8L1:VfIS2vhLoz5sQkqgjg1YWZfoutJ
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2596-7-0x0000000000400000-0x000000000046F000-memory.dmp   family_blackmoon
  behavioral1/memory/2596-15-0x00000000036E0000-0x000000000374F000-memory.dmp  family_blackmoon
  behavioral1/memory/2900-21-0x0000000000400000-0x000000000046F000-memory.dmp  family_blackmoon
- Deletes itself (1 IoC)
  pid   Process
  2900  Syslemtxnrz.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2900  Syslemtxnrz.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2596  d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe
  2596  d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe
- YARA rule match: upx (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2596-0-0x0000000000400000-0x000000000046F000-memory.dmp   upx
  behavioral1/memory/2596-7-0x0000000000400000-0x000000000046F000-memory.dmp   upx
  behavioral1/files/0x0007000000015f25-9.dat                                   upx
  behavioral1/memory/2900-21-0x0000000000400000-0x000000000046F000-memory.dmp  upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                               Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe
- Suspicious behavior: EnumeratesProcesses (61 IoCs)
  pid   Process
  2596  d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe  (8 entries)
  2900  Syslemtxnrz.exe  (53 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2596 wrote to memory of 2900   2596  d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe  32
  PID 2596 wrote to memory of 2900   2596  d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe  32
  PID 2596 wrote to memory of 2900   2596  d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe  32
  PID 2596 wrote to memory of 2900   2596  d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe  32
Processes
1. C:\Users\Admin\AppData\Local\Temp\d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d8a962c01aefdd2a93c440cafe57b0ddcbd95208f13fd8015a1648aa99c8e74d.exe"
   PID: 2596
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Syslemtxnrz.exe (child of PID 2596)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Syslemtxnrz.exe"
      PID: 2900
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file (102B)
  MD5: bc1a09b32c052e6b3498150233ff5cfe
  SHA1: 5a111e3bb1a66a07acbae2ef19fd67f80f834531
  SHA256: a15f6dd76844ec33b59a1d69643912fb578f9cbf2ac65a981f274a050339e50f
  SHA512: 205366823044abd3153d054dd5f37bd32b5c27c0467aec37dcbd0eff84e8d4285fa7765dc106ccc07528689704894ab69f15d89e9d7af7ebdac087c8590e0fa6
- Dropped file (74KB)
  MD5: 63d8a58fad9fe65f47c13bcb3cd34e99
  SHA1: e59e9b0304f53cb2abba2462daf29e2a688798e4
  SHA256: 7608c93d7dbe3aa7e0779677ca3646a82fdad6f55660688d35600d172653fee4
  SHA512: 239b2162ca5a9c110524169d2d31f5c1d955ecc72e47c42d9361d9a30820a7f7c4f7066e9a7b7ecca10f2d423498b92a34415839b92829dc4de419a145b45d4d