Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2024, 04:32

General

  • Target

    1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe

  • Size

    69KB

  • MD5

    09dcc6f99a1e78c05df924a21752873e

  • SHA1

    8c702f343e5ebbb0bc6f44d5184caa8f91b01fa1

  • SHA256

    1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be

  • SHA512

    4b99dba7a5f7d5280977e0ea84e5d0e5954fd46254bcb8ca6be48cfa25e233b17234d0be903366c4f575d80b5e3621f362b11ff42c49f3fa9eaf77b7bee6073f

  • SSDEEP

    1536:TPyr5BWPJgzJrQsA4MJ8SS5gq9a2pJ+jZOb4W9nouy8ac:T6DJrXAnHmgMJ+dOnFoutac

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with the UPX open source packer or a modified variant of it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe
    "C:\Users\Admin\AppData\Local\Temp\1a8e34b9169e6ef0fec42bce6e6552f5bdc5b58fa137ca972fe185b943d945be.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Users\Admin\AppData\Local\Temp\Sysceamnptnm.exe
      "C:\Users\Admin\AppData\Local\Temp\Sysceamnptnm.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

    Filesize

    1KB

    MD5

    c497c3890beef899f17ce3c9f4cf6094

    SHA1

    51a5974721a2f9e76c4d176719d2b8f8efcc8b5c

    SHA256

    26fb97dd6d49d8dd547a1f1123ed4ea96099d0104273a3bd5665ca3010c207b4

    SHA512

    87c2c80232bdbe59c66da80f47cef0abfa30b27fd75f3075acf96e2de0722fed935f3dc1472de0d9d51fb1667c7157a51961ac54480b3cca4c9f2004ceee5660

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

    Filesize

    471B

    MD5

    be2ae8a9d738667774406810e9474047

    SHA1

    abb5d75fbcfbf8fbfae4cbf00a8998a527e01f7e

    SHA256

    f38efc0a7fffa5640e03bf0adbb8388225e7580f5d01e6630bb6d83109187a68

    SHA512

    e5e10da017d491467f27fa7211eea836c6f1c2e383cf5d3d121e710b6ae8ee6570abb7fb9de20c897982497025da716e4eee21b501aa237f380984fad74cbf3f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

    Filesize

    471B

    MD5

    34a31dff4a06599d613e8903b8ec356a

    SHA1

    b373ac1759e6774481625c22c1b804c45e18ac31

    SHA256

    f9a7cc1d76b34269792cf9107112b927aebf88249795acb101faaa13622d5844

    SHA512

    a47a95288a1a86978e71dffa5623f6b696846bc23e5f2b26812f174972553476c680300356181ae8087fda21b95b0f847efc02f0b027bc9af50acb2e464f4514

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

    Filesize

    1KB

    MD5

    f6e71c7c85bd9c19d8e2163909a8233f

    SHA1

    a6f3bd3ad32b2e57f46d7b4695db0a8d00139d0b

    SHA256

    3847592f31dd6c61e46e37427cee89b95441028d30014f31485f4fc2d5d60245

    SHA512

    914aa222453ad077d951430009b36087baa9e959be5b972e3b7867cc99b87c96a2e88b233130669f93592222f4a14a70d357cd86bddcd71d6767ac8838064e59

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

    Filesize

    500B

    MD5

    a183dbba7354f6ad8da95dbed04e67fa

    SHA1

    b58ff518d99fd7955d421e4bad8c877a411edac1

    SHA256

    712f8379ff53dd4ab614cea5a3ba480a95b9b9943d48b17c8695aa1d9762767a

    SHA512

    f3a902e5b49636488841652352e8c570fc9fef28f202bde0b899837da72a7aff99a3c75e8295ec4faa8fd4597188c0a1a5f606bd2fc638af5c6b646c93e620f5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

    Filesize

    398B

    MD5

    8d0e81ac0d54d4dae35c044cf61a357c

    SHA1

    4b4dc20ac38d4e3afce95916a319e6a57361301a

    SHA256

    3dc83d53fe784a0e975435c548e60356f82c0badbedd0f1815228db429cdb555

    SHA512

    aebb72a9382c086c8101f021a182aafa815af2707d63394007615b0e754143bc5486a07f26b160cc4cdc22c4c67f9ef7823e442e57786bbcdec3ce0168218281

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_A0B760D8ABF6F649D185B46E3E114CC2

    Filesize

    410B

    MD5

    b67a1e9d1a903d7e1036aa3f4ca04633

    SHA1

    d7a3e71906e4f7f5eba6873200d9fd258b8ebe62

    SHA256

    337bf4273ee72aa6564b811b639adbe6788e1cab7eeed5870a2137f2cf26206c

    SHA512

    e53677859abf7908ab424705c15738da359758b2cf6369e8d89a9f6b39f303eaf305f81b25a991ce515022127a0677548de2b194854eb72bef60996b60648fb7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_54BE0F4A529F65D13ED30F3AD0874E58

    Filesize

    536B

    MD5

    0cc2d93b1a11cc857ce586f856c30c1c

    SHA1

    356de0e1d267d3bc508e98dcbc7cbefd5a5d8cfe

    SHA256

    d906b8624e9e42a3006a274abd4a7e8fe0068d8b66908b4c7875e8104760f61e

    SHA512

    349530d53f2669b19907b4fd897ff6cc69aa7e926b3b7df41b4c9e43653c655a0acc3ae886a4e72ddd160b3dfde29f3d3f1ae6580aaeec67bec7111275b6443d

  • C:\Users\Admin\AppData\Local\Temp\Sysceamnptnm.exe

    Filesize

    69KB

    MD5

    c310a63a388ab11190d222579ce743aa

    SHA1

    1986a818988157ad44cdf865122cec45b7492948

    SHA256

    757534c1944d2b97d2a35167412b17b1a941444b0404c5266afd52bbf3f8365a

    SHA512

    3fe7090532e947fdd6482ec270d10f397b13a722c91d52388115a7fe49ce289e21ec5056c806b4a2cafc58b2addcee432736eca8f944812ef402183a5db85b58

  • C:\Users\Admin\AppData\Local\Temp\cpath.ini

    Filesize

    102B

    MD5

    da7899ea5fbe668f5d22ba00b3812e4d

    SHA1

    4effc239f6a69cd8a0acdf91355eea03dceeb3d7

    SHA256

    7a849ec4a9aa15bb62c3ee7ab42c540c24e5eca650f8c2f2691b39b7b5f76bd1

    SHA512

    103b9c5e0aab549dd8022b17c46a71c850581a639bad2b4c2a3db7cebb6608ff54ced6245ec177e28e258c826569f2b941370746d99362328655f80ad7b53d91

  • memory/2236-72-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/3940-0-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/3940-50-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

  • memory/3940-46-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB