Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

786a239ae3...22.exe

windows7-x64

10

786a239ae3...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    213s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/03/2025, 05:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    786a239ae39c35117b5388ec4d7705898c5d1f3192c237f68be8db6f332b1a22.exe

  • Size

    396KB

  • MD5

    bec7c9faf5bb63cdc51302fe0ea5e002

  • SHA1

    715d1d2cf44a04d8522bf6eef3721df1c26eafe3

  • SHA256

    786a239ae39c35117b5388ec4d7705898c5d1f3192c237f68be8db6f332b1a22

  • SHA512

    18739b242b3a74406958f00225d5e28ea6021acc6e7c4e226aecd8956f13fc826223e7ce526ca7f96582a143ef880b228637bf4b24757c7b15c98e4603d1c10f

  • SSDEEP

    6144:7vbuWQu/cuaS2l8iE0B55FrJJJekPdb5J22l:7vqWQub2lrE0B55FpekPdb/22l

Score
10/10
blackmoonbankerdiscoverytrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\786a239ae39c35117b5388ec4d7705898c5d1f3192c237f68be8db6f332b1a22.exe
    "C:\Users\Admin\AppData\Local\Temp\786a239ae39c35117b5388ec4d7705898c5d1f3192c237f68be8db6f332b1a22.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5612
    • C:\Users\Admin\AppData\Local\Temp\Syslemvjxto.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemvjxto.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemvjxto.exe
    Filesize

    396KB

    MD5

    83ea8d6727682d283bf74725bd855a05

    SHA1

    13099e35557bf90b32c17627b3a55d2c1454f1a9

    SHA256

    efad552bfec7951f18cd1716a35bf95e548b4e2603bf289e7e81d84138188836

    SHA512

    7cc614d294a29a81d25d170219dfebf231aeb931c2d9293830bc43d3fc8fb01a0c5c18a45a1772128c5bfc6592cde1eaf4f60fec1f41c936503df58e5b052fd7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini
    Filesize

    102B

    MD5

    38e573fac354271844137cc55e09b34e

    SHA1

    905c43906d277227ccc2e1a2bed33a44269d4655

    SHA256

    a0b303cb2d365f5412329c87a505c707c67f40804208526b3ec20bd1ca50a5d7

    SHA512

    52a3bb75cb648594c08bce3a68a5bd5924a6ea847f85bc6bd02be1d569ae16368fb473c0abd4f5dedbc2ee4181ca68b2f52e2888c61c979c891bf432390e631a

    Download Submit