Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2024, 09:46
Behavioral task: behavioral1
Sample: 45ee6693f429120d248d587d46d8326eeb62c2cb4523fd0474cafe7a833cf43dN.exe
Resource: win7-20240903-en
General
Target: 45ee6693f429120d248d587d46d8326eeb62c2cb4523fd0474cafe7a833cf43dN.exe
Size: 2.3MB
MD5: c3e670b5f737cdb039065f85856a8b60
SHA1: 3d8f2b12d3771f76b72f14aff1184df81226b26b
SHA256: 45ee6693f429120d248d587d46d8326eeb62c2cb4523fd0474cafe7a833cf43d
SHA512: 4ee19a3cf9ed97b24ec07e7a8f6706ea16cecac55565f8731d66250ad1f3aa6206c5ea462b4f6521f08e089f22698714019210db1a545e3e6458944ba867f247
SSDEEP: 24576:3qzIIUgC8d36kLBXlnB8j7v5Ta+hLLQ20JmXSeWwa1oWJQjk0svTS/PPsbb1hwRV:3sCOfN6X5tLLQTg20ITS/PPs/1kS4ey
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1800-0-0x0000000000400000-0x0000000000428000-memory.dmp | family_blackmoon
  behavioral1/memory/1800-7-0x0000000000220000-0x0000000000248000-memory.dmp | family_blackmoon
  behavioral1/files/0x0007000000012118-8.dat | family_blackmoon
  behavioral1/memory/1800-6-0x0000000000400000-0x0000000000428000-memory.dmp | family_blackmoon

Njrat family

Executes dropped EXE (1 IoCs)
  pid | Process
  2100 | tnbhtn.exe

  resource | yara_rule
  behavioral1/memory/1800-0-0x0000000000400000-0x0000000000428000-memory.dmp | upx
  behavioral1/memory/1800-7-0x0000000000220000-0x0000000000248000-memory.dmp | upx
  behavioral1/files/0x0007000000012118-8.dat | upx
  behavioral1/memory/1800-6-0x0000000000400000-0x0000000000428000-memory.dmp | upx

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  3044 | 2100 | WerFault.exe | 30

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 45ee6693f429120d248d587d46d8326eeb62c2cb4523fd0474cafe7a833cf43dN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tnbhtn.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1800 wrote to memory of 2100 | 1800 | 45ee6693f429120d248d587d46d8326eeb62c2cb4523fd0474cafe7a833cf43dN.exe | 30
  PID 1800 wrote to memory of 2100 | 1800 | 45ee6693f429120d248d587d46d8326eeb62c2cb4523fd0474cafe7a833cf43dN.exe | 30
  PID 1800 wrote to memory of 2100 | 1800 | 45ee6693f429120d248d587d46d8326eeb62c2cb4523fd0474cafe7a833cf43dN.exe | 30
  PID 1800 wrote to memory of 2100 | 1800 | 45ee6693f429120d248d587d46d8326eeb62c2cb4523fd0474cafe7a833cf43dN.exe | 30
  PID 2100 wrote to memory of 3044 | 2100 | tnbhtn.exe | 31
  PID 2100 wrote to memory of 3044 | 2100 | tnbhtn.exe | 31
  PID 2100 wrote to memory of 3044 | 2100 | tnbhtn.exe | 31
  PID 2100 wrote to memory of 3044 | 2100 | tnbhtn.exe | 31
Processes

C:\Users\Admin\AppData\Local\Temp\45ee6693f429120d248d587d46d8326eeb62c2cb4523fd0474cafe7a833cf43dN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\45ee6693f429120d248d587d46d8326eeb62c2cb4523fd0474cafe7a833cf43dN.exe"
  depth: 1
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1800

  \??\c:\tnbhtn.exe
    command line: c:\tnbhtn.exe
    depth: 2
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2100

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 36
      depth: 3
      - Program crash
      PID: 3044
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.3MB
MD5: 9a6a661b5f67b4cd80d85e37281f06d4
SHA1: bb7243c393a2d0bbc86a1ab41eec432d517652ed
SHA256: 801a6467cb330a6cd3603889a7fac7ae6eb6783dea34e747043692a1e047e212
SHA512: d5dc73c9ee02bcafb5c0bc6c1899937fb84c13a9340597239b85fe5ab5b5a674012868d91e81d2be561d211734e8738dcaa901105026dc6088e39205f43c8439