Overview

overview

10

Static

static

10

摩纳哥.7z

windows10-1703-x64

7

摩纳哥.7z

windows7-x64

10

摩纳哥.7z

windows10-2004-x64

3

Analysis

  • max time kernel
    1779s
  • max time network
    1790s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    26-02-2023 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    摩纳哥.7z

  • Size

    19.9MB

  • MD5

    8d798197150cf22c2d63ff1181ca0535

  • SHA1

    49bd04d964cfae91cc4021323dae9d51e8c33964

  • SHA256

    00afff69b8f52c22df1875d98d75730cde0ea314c6e5b120636ed47deb12d014

  • SHA512

    f84049e0266662e8aeac3a0d829e0461f9465d0450d2f5a0e111477a78aa05706d51457bb4f4d37591aac07e8e6145a05d6346210391ab4e01e211dea0904e33

  • SSDEEP

    393216:O/Yz0z3hU/4T4e47EdNCVKko+kA27u2f2hLyBiFHNzF7V:Lz63hUWtjd4VCAHOENzFJ

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\摩纳哥.7z
    1⤵
    • Modifies registry class
    PID:4344
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\摩纳哥.7z"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1640
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3700
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\摩纳哥\" -spe -an -ai#7zMap8540:84:7zEvent5155
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4812
    • C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3504
    • C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2192

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
      Filesize

      14KB

      MD5

      b4e4be263d72037eee95f5e8bfe45908

      SHA1

      71cb6f11289bf71b30b9306c6310ea7fb5cbb192

      SHA256

      ab61ddeead7bbf4816d2a85ffa45a449e07ecdcc02cdac62e0af6d0e220824c9

      SHA512

      8afefdc1a3e86fc383a6581a1941075a173d02e7c5c3d642c6543dd774deb844ae5530e40a816a2719b716b6fc691a55a660fb4d5b7e24fca0e847aedafc51f0

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
      Filesize

      14KB

      MD5

      144acc86394ae16e09c6dbac9d29e5c8

      SHA1

      82e76abef0dc2416becacfcd674aa95533e4ce2f

      SHA256

      08c6cede2061b2013a8c603dcefe84ac54a54a22d61ad9be5a72c4a23bfeca3a

      SHA512

      acee07cdb8fc1a1ca17449be98c2200f36361a804802730d5b36fe1bece2e3cecc832582f01bedb4b703af3621d5ed4ea212d7552a8dfca0750570bce32b8a49

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
      Filesize

      14KB

      MD5

      144acc86394ae16e09c6dbac9d29e5c8

      SHA1

      82e76abef0dc2416becacfcd674aa95533e4ce2f

      SHA256

      08c6cede2061b2013a8c603dcefe84ac54a54a22d61ad9be5a72c4a23bfeca3a

      SHA512

      acee07cdb8fc1a1ca17449be98c2200f36361a804802730d5b36fe1bece2e3cecc832582f01bedb4b703af3621d5ed4ea212d7552a8dfca0750570bce32b8a49

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe
      Filesize

      15.8MB

      MD5

      b678a598c16d3c98cb65a330ebbdfd7b

      SHA1

      a1c4997f9066231623d3ed545a64abd3435cc20b

      SHA256

      3048cd91f71ef67483120edcf6fdba99c4c0a55cf50c5aafb8ad0748cf590e9c

      SHA512

      a31b5b744393f52d4b73bfc09e140b3a17f3c0ddfd8cfaaded9393ee18c160fed3e7397fbb0ad8c7c0c64c152268c488136e76651a65f8da7450550ae1071efe

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe
      Filesize

      15.8MB

      MD5

      b678a598c16d3c98cb65a330ebbdfd7b

      SHA1

      a1c4997f9066231623d3ed545a64abd3435cc20b

      SHA256

      3048cd91f71ef67483120edcf6fdba99c4c0a55cf50c5aafb8ad0748cf590e9c

      SHA512

      a31b5b744393f52d4b73bfc09e140b3a17f3c0ddfd8cfaaded9393ee18c160fed3e7397fbb0ad8c7c0c64c152268c488136e76651a65f8da7450550ae1071efe

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe
      Filesize

      15.8MB

      MD5

      b678a598c16d3c98cb65a330ebbdfd7b

      SHA1

      a1c4997f9066231623d3ed545a64abd3435cc20b

      SHA256

      3048cd91f71ef67483120edcf6fdba99c4c0a55cf50c5aafb8ad0748cf590e9c

      SHA512

      a31b5b744393f52d4b73bfc09e140b3a17f3c0ddfd8cfaaded9393ee18c160fed3e7397fbb0ad8c7c0c64c152268c488136e76651a65f8da7450550ae1071efe

      Download Submit
    • C:\Windows\HPSocket4C.dll
      Filesize

      2.1MB

      MD5

      c091a823c41bb5bc6c5a1ab6c926504c

      SHA1

      7b358a9211f8f5e3ce22f38075caf605fc4d2032

      SHA256

      c58334cb8bd8e7a2c998d0717fff8bacbd873ab949e40a0e5f053dd51b67cca4

      SHA512

      742ea0c78115f602c16a793d6d34ea97f0ff8bd4fc1ab28b90b7b7a3dc6fe6b921615ce97c0b23839e18f632d8e09f4319052de532dd9d31b70a22f12b7cc68d

      Download Submit
    • \??\c:\windows\HPSocket4C.dll
      Filesize

      2.1MB

      MD5

      c091a823c41bb5bc6c5a1ab6c926504c

      SHA1

      7b358a9211f8f5e3ce22f38075caf605fc4d2032

      SHA256

      c58334cb8bd8e7a2c998d0717fff8bacbd873ab949e40a0e5f053dd51b67cca4

      SHA512

      742ea0c78115f602c16a793d6d34ea97f0ff8bd4fc1ab28b90b7b7a3dc6fe6b921615ce97c0b23839e18f632d8e09f4319052de532dd9d31b70a22f12b7cc68d

      Download Submit
    • memory/2192-312-0x0000000001470000-0x0000000001471000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2192-314-0x00000000014F0000-0x00000000014F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2192-311-0x00000000001F0000-0x00000000001F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2192-318-0x0000000001530000-0x0000000001531000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2192-317-0x0000000001520000-0x0000000001521000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2192-316-0x0000000001510000-0x0000000001511000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2192-315-0x0000000001500000-0x0000000001501000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2192-313-0x00000000014E0000-0x00000000014E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3504-271-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-289-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-257-0x0000000000400000-0x0000000001420000-memory.dmp
      Filesize

      16.1MB

      Download
    • memory/3504-264-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-266-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-267-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-268-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-269-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-256-0x0000000003340000-0x0000000003341000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3504-273-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-275-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-277-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-279-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-281-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-283-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-285-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-287-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-255-0x0000000003330000-0x0000000003331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3504-291-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-293-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-295-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-297-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-299-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-301-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-254-0x0000000003320000-0x0000000003321000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3504-253-0x0000000003310000-0x0000000003311000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3504-252-0x0000000003300000-0x0000000003301000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3504-250-0x00000000032D0000-0x00000000032D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3504-251-0x00000000032F0000-0x00000000032F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3504-249-0x00000000031B0000-0x00000000031B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3504-303-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-305-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-307-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/3504-309-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download