Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2024, 14:03
Behavioral task: behavioral1
- Sample: bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe
- Resource: win7-20240903-en
General
- Target: bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe
- Size: 74KB
- MD5: 4b36f4d8314038f422b7e28920ec2260
- SHA1: 7f55af361a460380e0669873059acc51bda949b1
- SHA256: bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb
- SHA512: 4ce2121d87477ed385ad5a0cd9e9ec1fff5eea3c747fe8923c3f8f24b34def0c4a6eb352107cbfdc8660f8caf679313671267c5c33e814c937a37afe18cfcea3
- SSDEEP: 1536:IyfIcT9U1tPrgQvhLopacl1TsQk0NJP/PAjgas/3VUN0YWZPnouy8Lt:VfIS2vhLoz5sQkqgjg1YWZfout5
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2520-7-0x0000000000400000-0x000000000046F000-memory.dmp | family_blackmoon
  behavioral1/memory/2744-17-0x0000000000400000-0x000000000046F000-memory.dmp | family_blackmoon
  behavioral1/memory/2744-21-0x0000000000400000-0x000000000046F000-memory.dmp | family_blackmoon
- Deletes itself (1 IoCs)
  pid | Process
  2744 | Syslemduqke.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2744 | Syslemduqke.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2520 | bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe
  2520 | bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe
- yara rule matches for rule "upx" (signature heading not present on the page)
  resource | yara_rule
  behavioral1/memory/2520-0-0x0000000000400000-0x000000000046F000-memory.dmp | upx
  behavioral1/memory/2520-7-0x0000000000400000-0x000000000046F000-memory.dmp | upx
  behavioral1/files/0x00070000000165c2-15.dat | upx
  behavioral1/memory/2744-17-0x0000000000400000-0x000000000046F000-memory.dmp | upx
  behavioral1/memory/2744-21-0x0000000000400000-0x000000000046F000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe
- Suspicious behavior: EnumeratesProcesses (61 IoCs)
  pid | Process
  2520 | bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe (8 rows)
  2744 | Syslemduqke.exe (53 rows)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2520 wrote to memory of 2744 | 2520 | bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe | 31 (4 identical rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe"
   PID: 2520
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Syslemduqke.exe (child of PID 2520)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Syslemduqke.exe"
      PID: 2744
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 74KB
  MD5: 9b23e47913221ed12df8919cf73e16c2
  SHA1: db7efb496b48fb326c136ae3334f5e9838016505
  SHA256: 792a3c432db1dea6a0aba4d64d668a1a5ae9cb2485d55217f43d166ca516ff5d
  SHA512: 80faa25995042489aac63802610a24ded91da84412c41d3729eebf43879ff5749eb460f4cc24b16222bc0b75a08abb8e610043c35d947f4032785e072ce6b080
- Filesize: 102B
  MD5: a72659088a268781438f2fdb47a4fe36
  SHA1: a1ccb476935796f0d64178bb21620dc2c3bd0473
  SHA256: a87a2fa7d603af99710af1cf0900beb1b2195803b1e842835ba55b9f5460c26c
  SHA512: d1a1a6dcd1297dc1bbf7f261fcbf53953ab99a48591bb4e1be01eb22c4f725d799b4aaefbbef017fdcbe2584adada16b1a85b4a686e58e27b94e8baf57c0da87