Analysis
  max time kernel: 119s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26/12/2024, 04:32
Behavioral task: behavioral1
  Sample: 1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
  Resource: win7-20241010-en
General
  Target: 1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
  Size: 69KB
  MD5: 09dcc6f99a1e78c05df924a21752873e
  SHA1: 8c702f343e5ebbb0bc6f44d5184caa8f91b01fa1
  SHA256: 1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be
  SHA512: 4b99dba7a5f7d5280977e0ea84e5d0e5954fd46254bcb8ca6be48cfa25e233b17234d0be903366c4f575d80b5e3621f362b11ff42c49f3fa9eaf77b7bee6073f
  SSDEEP: 1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8ac:T6DJrXAnHmgMJ+dOnFoutac
Malware Config
Signatures
- Blackmoon family

- Detect Blackmoon payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/3940-46-0x0000000000400000-0x0000000000468000-memory.dmp | family_blackmoon
  behavioral2/memory/3940-50-0x0000000000400000-0x0000000000468000-memory.dmp | family_blackmoon
  behavioral2/memory/2236-72-0x0000000000400000-0x0000000000468000-memory.dmp | family_blackmoon

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  2236 | Sysceamnptnm.exe

- YARA rule match: upx
  resource | yara_rule
  behavioral2/memory/3940-0-0x0000000000400000-0x0000000000468000-memory.dmp | upx
  behavioral2/files/0x0007000000023ca1-26.dat | upx
  behavioral2/memory/3940-46-0x0000000000400000-0x0000000000468000-memory.dmp | upx
  behavioral2/memory/3940-50-0x0000000000400000-0x0000000000468000-memory.dmp | upx
  behavioral2/memory/2236-72-0x0000000000400000-0x0000000000468000-memory.dmp | upx

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Sysceamnptnm.exe

- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2236 | Sysceamnptnm.exe (this row is repeated 64 times in the report)

- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3940 wrote to memory of 2236 | 3940 | 1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe | 95 (this row is repeated 3 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe"
  PID: 3940
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\Sysceamnptnm.exe (child of PID 3940)
    command line: "C:\Users\Admin\AppData\Local\Temp\Sysceamnptnm.exe"
    PID: 2236
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475
  Filesize: 1KB
  MD5: c497c3890beef899f17ce3c9f4cf6094
  SHA1: 51a5974721a2f9e76c4d176719d2b8f8efcc8b5c
  SHA256: 26fb97dd6d49d8dd547a1f1123ed4ea96099d0104273a3bd5665ca3010c207b4
  SHA512: 87c2c80232bdbe59c66da80f47cef0abfa30b27fd75f3075acf96e2de0722fed935f3dc1472de0d9d51fb1667c7157a51961ac54480b3cca4c9f2004ceee5660

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C
  Filesize: 471B
  MD5: be2ae8a9d738667774406810e9474047
  SHA1: abb5d75fbcfbf8fbfae4cbf00a8998a527e01f7e
  SHA256: f38efc0a7fffa5640e03bf0adbb8388225e7580f5d01e6630bb6d83109187a68
  SHA512: e5e10da017d491467f27fa7211eea836c6f1c2e383cf5d3d121e710b6ae8ee6570abb7fb9de20c897982497025da716e4eee21b501aa237f380984fad74cbf3f

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2
  Filesize: 471B
  MD5: 34a31dff4a06599d613e8903b8ec356a
  SHA1: b373ac1759e6774481625c22c1b804c45e18ac31
  SHA256: f9a7cc1d76b34269792cf9107112b927aebf88249795acb101faaa13622d5844
  SHA512: a47a95288a1a86978e71dffa5623f6b696846bc23e5f2b26812f174972553476c680300356181ae8087fda21b95b0f847efc02f0b027bc9af50acb2e464f4514

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58
  Filesize: 1KB
  MD5: f6e71c7c85bd9c19d8e2163909a8233f
  SHA1: a6f3bd3ad32b2e57f46d7b4695db0a8d00139d0b
  SHA256: 3847592f31dd6c61e46e37427cee89b95441028d30014f31485f4fc2d5d60245
  SHA512: 914aa222453ad077d951430009b36087baa9e959be5b972e3b7867cc99b87c96a2e88b233130669f93592222f4a14a70d357cd86bddcd71d6767ac8838064e59

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475
  Filesize: 500B
  MD5: a183dbba7354f6ad8da95dbed04e67fa
  SHA1: b58ff518d99fd7955d421e4bad8c877a411edac1
  SHA256: 712f8379ff53dd4ab614cea5a3ba480a95b9b9943d48b17c8695aa1d9762767a
  SHA512: f3a902e5b49636488841652352e8c570fc9fef28f202bde0b899837da72a7aff99a3c75e8295ec4faa8fd4597188c0a1a5f606bd2fc638af5c6b646c93e620f5

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C
  Filesize: 398B
  MD5: 8d0e81ac0d54d4dae35c044cf61a357c
  SHA1: 4b4dc20ac38d4e3afce95916a319e6a57361301a
  SHA256: 3dc83d53fe784a0e975435c548e60356f82c0badbedd0f1815228db429cdb555
  SHA512: aebb72a9382c086c8101f021a182aafa815af2707d63394007615b0e754143bc5486a07f26b160cc4cdc22c4c67f9ef7823e442e57786bbcdec3ce0168218281

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2
  Filesize: 410B
  MD5: b67a1e9d1a903d7e1036aa3f4ca04633
  SHA1: d7a3e71906e4f7f5eba6873200d9fd258b8ebe62
  SHA256: 337bf4273ee72aa6564b811b639adbe6788e1cab7eeed5870a2137f2cf26206c
  SHA512: e53677859abf7908ab424705c15738da359758b2cf6369e8d89a9f6b39f303eaf305f81b25a991ce515022127a0677548de2b194854eb72bef60996b60648fb7

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58
  Filesize: 536B
  MD5: 0cc2d93b1a11cc857ce586f856c30c1c
  SHA1: 356de0e1d267d3bc508e98dcbc7cbefd5a5d8cfe
  SHA256: d906b8624e9e42a3006a274abd4a7e8fe0068d8b66908b4c7875e8104760f61e
  SHA512: 349530d53f2669b19907b4fd897ff6cc69aa7e926b3b7df41b4c9e43653c655a0acc3ae886a4e72ddd160b3dfde29f3d3f1ae6580aaeec67bec7111275b6443d

- (no path given)
  Filesize: 69KB
  MD5: c310a63a388ab11190d222579ce743aa
  SHA1: 1986a818988157ad44cdf865122cec45b7492948
  SHA256: 757534c1944d2b97d2a35167412b17b1a941444b0404c5266afd52bbf3f8365a
  SHA512: 3fe7090532e947fdd6482ec270d10f397b13a722c91d52388115a7fe49ce289e21ec5056c806b4a2cafc58b2addcee432736eca8f944812ef402183a5db85b58

- (no path given)
  Filesize: 102B
  MD5: da7899ea5fbe668f5d22ba00b3812e4d
  SHA1: 4effc239f6a69cd8a0acdf91355eea03dceeb3d7
  SHA256: 7a849ec4a9aa15bb62c3ee7ab42c540c24e5eca650f8c2f2691b39b7b5f76bd1
  SHA512: 103b9c5e0aab549dd8022b17c46a71c850581a639bad2b4c2a3db7cebb6608ff54ced6245ec177e28e258c826569f2b941370746d99362328655f80ad7b53d91