Analysis

  • max time kernel
    118s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/12/2024, 14:03

General

  • Target

    bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe

  • Size

    74KB

  • MD5

    4b36f4d8314038f422b7e28920ec2260

  • SHA1

    7f55af361a460380e0669873059acc51bda949b1

  • SHA256

    bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb

  • SHA512

    4ce2121d87477ed385ad5a0cd9e9ec1fff5eea3c747fe8923c3f8f24b34def0c4a6eb352107cbfdc8660f8caf679313671267c5c33e814c937a37afe18cfcea3

  • SSDEEP

    1536:IyfIcT9U1tPrgQvhLopacl1TsQk0NJP/PAjgas/3VUN0YWZPnouy8Lt:VfIS2vhLoz5sQkqgjg1YWZfout5

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe
    "C:\Users\Admin\AppData\Local\Temp\bcab184259b680515c5612631f13d103dce2c89758dc6123f6d6d217cfe1aeeb.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\Syslemduqke.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemduqke.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemduqke.exe

    Filesize

    74KB

    MD5

    9b23e47913221ed12df8919cf73e16c2

    SHA1

    db7efb496b48fb326c136ae3334f5e9838016505

    SHA256

    792a3c432db1dea6a0aba4d64d668a1a5ae9cb2485d55217f43d166ca516ff5d

    SHA512

    80faa25995042489aac63802610a24ded91da84412c41d3729eebf43879ff5749eb460f4cc24b16222bc0b75a08abb8e610043c35d947f4032785e072ce6b080

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    a72659088a268781438f2fdb47a4fe36

    SHA1

    a1ccb476935796f0d64178bb21620dc2c3bd0473

    SHA256

    a87a2fa7d603af99710af1cf0900beb1b2195803b1e842835ba55b9f5460c26c

    SHA512

    d1a1a6dcd1297dc1bbf7f261fcbf53953ab99a48591bb4e1be01eb22c4f725d799b4aaefbbef017fdcbe2584adada16b1a85b4a686e58e27b94e8baf57c0da87

  • memory/2520-0-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/2520-7-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/2520-16-0x00000000036C0000-0x000000000372F000-memory.dmp

    Filesize

    444KB

  • memory/2744-17-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

  • memory/2744-21-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB