Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

16cc88e682...6a.exe

windows7-x64

10

16cc88e682...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    284s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/03/2025, 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe

  • Size

    440KB

  • MD5

    d545053a9c721cc5b9d513264beb92b8

  • SHA1

    31bcda7c3aebeae23edbe73782d68416805dd9e8

  • SHA256

    16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a

  • SHA512

    1eec9db9fdc723d47539801a4bf69dbdbae7670609b8575b4a5e7eec4829909fa8b6f71abc601c19c1f77e876ecbf290c775d98fdabb76b3c781afe60e58cf3e

  • SSDEEP

    6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAW:xgXQKSLpOCtV0R8xMSaAW

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe
    "C:\Users\Admin\AppData\Local\Temp\16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5276
    • C:\Users\Admin\AppData\Local\Temp\Syslemzlhml.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemzlhml.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemzlhml.exe
    Filesize

    440KB

    MD5

    0194a2bad4223a46ec8b9d1837dfb152

    SHA1

    b3380fb6b85d7824df1217301c2b25ddb9ae61a7

    SHA256

    672da139332a4890de3769fcc36b44fafcca883cd5950e6a3632c4a94cd6a052

    SHA512

    9eeec51400f0b9905dd49e250b8d5ddd081ca99705ac80f88f483f2e14800d97e46b3cde8ef7449294a98708ad1795662e4e4115e1c40a8df182e7c2559efba9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    dcbdd25641e21844b2edbc2d5fab7066

    SHA1

    ef8bb78633d5123b09cdf3bb94933aa1b3384bbd

    SHA256

    fbe5d2884ad88173e7bbed99f3acf6b1e9795a8528b577bdd36318b960dd34ae

    SHA512

    e22b49c4bf7d19da0f526d79e535e77a3cb23e6b306a0dea19f573a2a731a6d45d670b169f1bad55f0a70cae55c9982fb24ea30170ef64fd00a8ac6d081c6cf3

    Download Submit