Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25/12/2024, 21:26
General
-
Target
44ae6f453ca8e3f32e341bdc513e40ebacb14b3928374419957e77e17a3001ffN.exe
-
Size
71KB
-
MD5
e6bd64c9052ea30a44c5ea7ba87bf2e0
-
SHA1
43b903f486e65d5dd28dd53e51e9e21982fb3725
-
SHA256
44ae6f453ca8e3f32e341bdc513e40ebacb14b3928374419957e77e17a3001ff
-
SHA512
1f93b9e4b913d113361abac41ae58d458ec941ecef3875ac60bb086fd301a74b3e78568e7872f070a0159162d75b37a03bc6ccaf25a75ca2efac6a09e69117c1
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUuYp+5C8+LuvdLH+t:ymb3NkkiQ3mdBjF0yMliCt
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\44ae6f453ca8e3f32e341bdc513e40ebacb14b3928374419957e77e17a3001ffN.exe"C:\Users\Admin\AppData\Local\Temp\44ae6f453ca8e3f32e341bdc513e40ebacb14b3928374419957e77e17a3001ffN.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\1hnnnn.exec:\1hnnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpdvv.exec:\vpdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rflrlrr.exec:\rflrlrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3tbttt.exec:\3tbttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjjp.exec:\vdjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjjv.exec:\jjjjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbtttt.exec:\tbtttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7nttnt.exec:\7nttnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvjdv.exec:\pvjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrllll.exec:\llrllll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllxrrr.exec:\xllxrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7hhhhh.exec:\7hhhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpvv.exec:\ddpvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxrlll.exec:\flxrlll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hnhht.exec:\1hnhht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvd.exec:\dvpvd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfffxx.exec:\xxfffxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrfflx.exec:\xxrfflx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhtbhh.exec:\bhtbhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvdjd.exec:\dvdjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfxxxf.exec:\lxfxxxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffrffxf.exec:\ffrffxf.exe23⤵
- Executes dropped EXE
-
\??\c:\hhnthn.exec:\hhnthn.exe24⤵
- Executes dropped EXE
-
\??\c:\jppvv.exec:\jppvv.exe25⤵
- Executes dropped EXE
-
\??\c:\7vdjj.exec:\7vdjj.exe26⤵
- Executes dropped EXE
-
\??\c:\ffflffx.exec:\ffflffx.exe27⤵
- Executes dropped EXE
-
\??\c:\xlrfllr.exec:\xlrfllr.exe28⤵
- Executes dropped EXE
-
\??\c:\nnbtth.exec:\nnbtth.exe29⤵
- Executes dropped EXE
-
\??\c:\fflrxlr.exec:\fflrxlr.exe30⤵
- Executes dropped EXE
-
\??\c:\hbhhhh.exec:\hbhhhh.exe31⤵
- Executes dropped EXE
-
\??\c:\ddppv.exec:\ddppv.exe32⤵
- Executes dropped EXE
-
\??\c:\xrxrlll.exec:\xrxrlll.exe33⤵
- Executes dropped EXE
-
\??\c:\rrxlrrr.exec:\rrxlrrr.exe34⤵
- Executes dropped EXE
-
\??\c:\bhhnnt.exec:\bhhnnt.exe35⤵
- Executes dropped EXE
-
\??\c:\nhnttb.exec:\nhnttb.exe36⤵
- Executes dropped EXE
-
\??\c:\jdjdd.exec:\jdjdd.exe37⤵
- Executes dropped EXE
-
\??\c:\1jvvv.exec:\1jvvv.exe38⤵
- Executes dropped EXE
-
\??\c:\fffrrlr.exec:\fffrrlr.exe39⤵
- Executes dropped EXE
-
\??\c:\lxlrrfx.exec:\lxlrrfx.exe40⤵
- Executes dropped EXE
-
\??\c:\hthnnb.exec:\hthnnb.exe41⤵
- Executes dropped EXE
-
\??\c:\vjpvj.exec:\vjpvj.exe42⤵
- Executes dropped EXE
-
\??\c:\dpvvj.exec:\dpvvj.exe43⤵
- Executes dropped EXE
-
\??\c:\fxflxxf.exec:\fxflxxf.exe44⤵
- Executes dropped EXE
-
\??\c:\lllffxx.exec:\lllffxx.exe45⤵
- Executes dropped EXE
-
\??\c:\nhtbhh.exec:\nhtbhh.exe46⤵
- Executes dropped EXE
-
\??\c:\bhhnht.exec:\bhhnht.exe47⤵
- Executes dropped EXE
-
\??\c:\pvjjp.exec:\pvjjp.exe48⤵
- Executes dropped EXE
-
\??\c:\1djpp.exec:\1djpp.exe49⤵
-
\??\c:\rrllfll.exec:\rrllfll.exe50⤵
- Executes dropped EXE
-
\??\c:\bthhhn.exec:\bthhhn.exe51⤵
- Executes dropped EXE
-
\??\c:\nhbtnt.exec:\nhbtnt.exe52⤵
- Executes dropped EXE
-
\??\c:\pjppp.exec:\pjppp.exe53⤵
- Executes dropped EXE
-
\??\c:\vvvdv.exec:\vvvdv.exe54⤵
- Executes dropped EXE
-
\??\c:\xfrrrrr.exec:\xfrrrrr.exe55⤵
- Executes dropped EXE
-
\??\c:\tthbbb.exec:\tthbbb.exe56⤵
- Executes dropped EXE
-
\??\c:\hhnnnn.exec:\hhnnnn.exe57⤵
- Executes dropped EXE
-
\??\c:\jvvjd.exec:\jvvjd.exe58⤵
- Executes dropped EXE
-
\??\c:\jvddd.exec:\jvddd.exe59⤵
- Executes dropped EXE
-
\??\c:\rrrrlfx.exec:\rrrrlfx.exe60⤵
- Executes dropped EXE
-
\??\c:\hhtnnh.exec:\hhtnnh.exe61⤵
- Executes dropped EXE
-
\??\c:\tnhhbh.exec:\tnhhbh.exe62⤵
- Executes dropped EXE
-
\??\c:\djdvd.exec:\djdvd.exe63⤵
- Executes dropped EXE
-
\??\c:\fxxfxxr.exec:\fxxfxxr.exe64⤵
- Executes dropped EXE
-
\??\c:\lfxxrll.exec:\lfxxrll.exe65⤵
- Executes dropped EXE
-
\??\c:\btbbtb.exec:\btbbtb.exe66⤵
- Executes dropped EXE
-
\??\c:\ddjdv.exec:\ddjdv.exe67⤵
-
\??\c:\pjpjd.exec:\pjpjd.exe68⤵
-
\??\c:\rflfrrl.exec:\rflfrrl.exe69⤵
-
\??\c:\rxlllrl.exec:\rxlllrl.exe70⤵
-
\??\c:\bhbtnn.exec:\bhbtnn.exe71⤵
-
\??\c:\jjjjv.exec:\jjjjv.exe72⤵
-
\??\c:\pvpvv.exec:\pvpvv.exe73⤵
-
\??\c:\ffffxfx.exec:\ffffxfx.exe74⤵
-
\??\c:\5bhnnn.exec:\5bhnnn.exe75⤵
-
\??\c:\hnhnnt.exec:\hnhnnt.exe76⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dddpp.exec:\dddpp.exe77⤵
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe78⤵
-
\??\c:\3nhhbb.exec:\3nhhbb.exe79⤵
-
\??\c:\pvdjj.exec:\pvdjj.exe80⤵
-
\??\c:\pvvvd.exec:\pvvvd.exe81⤵
-
\??\c:\fxflfll.exec:\fxflfll.exe82⤵
-
\??\c:\nhbtnt.exec:\nhbtnt.exe83⤵
-
\??\c:\nhbtnn.exec:\nhbtnn.exe84⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe85⤵
-
\??\c:\9jjjd.exec:\9jjjd.exe86⤵
-
\??\c:\lfrfffx.exec:\lfrfffx.exe87⤵
-
\??\c:\5xrlrrx.exec:\5xrlrrx.exe88⤵
-
\??\c:\nbnhbb.exec:\nbnhbb.exe89⤵
-
\??\c:\jjvdd.exec:\jjvdd.exe90⤵
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe91⤵
-
\??\c:\nthbnn.exec:\nthbnn.exe92⤵
-
\??\c:\ddvdd.exec:\ddvdd.exe93⤵
-
\??\c:\vdpvp.exec:\vdpvp.exe94⤵
-
\??\c:\rfxxlrr.exec:\rfxxlrr.exe95⤵
-
\??\c:\bnbttt.exec:\bnbttt.exe96⤵
-
\??\c:\nnnttb.exec:\nnnttb.exe97⤵
-
\??\c:\vpjdj.exec:\vpjdj.exe98⤵
-
\??\c:\7ppjv.exec:\7ppjv.exe99⤵
-
\??\c:\xlfrfrx.exec:\xlfrfrx.exe100⤵
-
\??\c:\hbtnbb.exec:\hbtnbb.exe101⤵
-
\??\c:\thhhtb.exec:\thhhtb.exe102⤵
-
\??\c:\5pddj.exec:\5pddj.exe103⤵
-
\??\c:\llfffff.exec:\llfffff.exe104⤵
-
\??\c:\rxffxxf.exec:\rxffxxf.exe105⤵
-
\??\c:\7tnttn.exec:\7tnttn.exe106⤵
-
\??\c:\pvddd.exec:\pvddd.exe107⤵
-
\??\c:\jjdjj.exec:\jjdjj.exe108⤵
-
\??\c:\rlfflrr.exec:\rlfflrr.exe109⤵
-
\??\c:\rllrrrl.exec:\rllrrrl.exe110⤵
-
\??\c:\hhhttb.exec:\hhhttb.exe111⤵
-
\??\c:\1jjjv.exec:\1jjjv.exe112⤵
-
\??\c:\9lllfff.exec:\9lllfff.exe113⤵
-
\??\c:\lxffxff.exec:\lxffxff.exe114⤵
-
\??\c:\hbhhbb.exec:\hbhhbb.exe115⤵
-
\??\c:\vvvpj.exec:\vvvpj.exe116⤵
-
\??\c:\3jpjd.exec:\3jpjd.exe117⤵
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe118⤵
-
\??\c:\htbttt.exec:\htbttt.exe119⤵
-
\??\c:\thhhbh.exec:\thhhbh.exe120⤵
-
\??\c:\hbnntb.exec:\hbnntb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-