Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

16cc88e682...6a.exe

windows7-x64

10

16cc88e682...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/03/2025, 01:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe

  • Size

    440KB

  • MD5

    d545053a9c721cc5b9d513264beb92b8

  • SHA1

    31bcda7c3aebeae23edbe73782d68416805dd9e8

  • SHA256

    16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a

  • SHA512

    1eec9db9fdc723d47539801a4bf69dbdbae7670609b8575b4a5e7eec4829909fa8b6f71abc601c19c1f77e876ecbf290c775d98fdabb76b3c781afe60e58cf3e

  • SSDEEP

    6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAW:xgXQKSLpOCtV0R8xMSaAW

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe
    "C:\Users\Admin\AppData\Local\Temp\16cc88e682c36823d09dd1d626fc315b960fca78aa798d7f75e799de7c21886a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:668
    • C:\Users\Admin\AppData\Local\Temp\Syslemuuoly.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemuuoly.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemuuoly.exe
    Filesize

    440KB

    MD5

    f753a067390be2365d13385440f2f6c7

    SHA1

    fcb797cfaf4d282db96ef6ad294d2091cab591a9

    SHA256

    eba2089dfd7655c2113e485ae012d641401c23fc76edb305f7499e909777ef34

    SHA512

    a7921276932d742620c1136b71eed2f4d7d8095dc646f1ce8a8cf1e06bb4baab2f55239b64d77bf674804fea45feba5f783b5b5d4558c905cf670ddc44c21824

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    dcbdd25641e21844b2edbc2d5fab7066

    SHA1

    ef8bb78633d5123b09cdf3bb94933aa1b3384bbd

    SHA256

    fbe5d2884ad88173e7bbed99f3acf6b1e9795a8528b577bdd36318b960dd34ae

    SHA512

    e22b49c4bf7d19da0f526d79e535e77a3cb23e6b306a0dea19f573a2a731a6d45d670b169f1bad55f0a70cae55c9982fb24ea30170ef64fd00a8ac6d081c6cf3

    Download Submit