Analysis
- max time kernel: 1610s
- max time network: 1800s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 26-02-2023 22:02
Behavioral tasks
- behavioral1: sample 摩纳哥.7z, resource win10-20230220-en
- behavioral2: sample 摩纳哥.7z, resource win7-20230220-en
- behavioral3: sample 摩纳哥.7z, resource win10v2004-20230220-en
General
- Target: 摩纳哥.7z
- Size: 19.9MB
- MD5: 8d798197150cf22c2d63ff1181ca0535
- SHA1: 49bd04d964cfae91cc4021323dae9d51e8c33964
- SHA256: 00afff69b8f52c22df1875d98d75730cde0ea314c6e5b120636ed47deb12d014
- SHA512: f84049e0266662e8aeac3a0d829e0461f9465d0450d2f5a0e111477a78aa05706d51457bb4f4d37591aac07e8e6145a05d6346210391ab4e01e211dea0904e33
- SSDEEP: 393216:O/Yz0z3hU/4T4e47EdNCVKko+kA27u2f2hLyBiFHNzF7V:Lz63hUWtjd4VCAHOENzFJ
Malware Config
Signatures
- Detect Blackmoon payload (1 IoC)
  Processes (resource / yara_rule):
  - behavioral2/memory/2044-230-0x0000000004330000-0x000000000440A000-memory.dmp: family_blackmoon
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 2044 Client.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 2044 Client.exe
- Processes (resource / yara_rule):
  - behavioral2/memory/2044-169-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-172-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-171-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-173-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-174-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-178-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-180-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-176-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-182-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-184-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-186-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-192-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-190-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-188-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-194-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-196-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-198-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-200-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-202-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-204-0x0000000010000000-0x000000001003E000-memory.dmp: upx
  - behavioral2/memory/2044-206-0x0000000010000000-0x000000001003E000-memory.dmp: upx
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid / process):
  - 2044 Client.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 2044 set thread context of 320: Client.exe -> svchost.exe
- Drops file in Program Files directory (1 IoC)
  Processes (description / ioc / process):
  - File created: C:\Program Files\WinRAP\RarExt32.dll (Client.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
  - File opened for modification: \??\c:\windows\HPSocket4C.dll (Client.exe)
  - File created: \??\c:\windows\HPSocket4C.dll (Client.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (9 IoCs)
  Processes (description / ioc / process), all by rundll32.exe:
  - Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file
  - Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.7z
  - Set value (str): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.7z\ = "7z_auto_file"
  - Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell
  - Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings
  - Set value (str): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\
  - Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\Read
  - Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\Read\command
  - Set value (str): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  Processes (pid / process):
  - 2044 Client.exe (28 entries)
  - 320 svchost.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description / pid / process):
  - Token: 33, 1084 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, 1084 AUDIODG.EXE
  - Token: 33, 1084 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, 1084 AUDIODG.EXE
  - Token: SeRestorePrivilege, 568 7zG.exe
  - Token: 35, 568 7zG.exe
  - Token: SeSecurityPrivilege, 568 7zG.exe
  - Token: SeSecurityPrivilege, 568 7zG.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid / process):
  - 568 7zG.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes (pid / process):
  - 1628 AcroRd32.exe (3 entries)
  - 2044 Client.exe (3 entries)
  - 320 svchost.exe (2 entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  - PID 932 wrote to memory of 1712: cmd.exe -> rundll32.exe (3 entries)
  - PID 1712 wrote to memory of 1628: rundll32.exe -> AcroRd32.exe (4 entries)
  - PID 2044 wrote to memory of 320: Client.exe -> svchost.exe (7 entries)
Processes (child processes are indented under their parent)
- C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\摩纳哥.7z
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\摩纳哥.7z
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\摩纳哥.7z"
      - Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x480
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\7-Zip\7zG.exe
  command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\摩纳哥\" -spe -an -ai#7zMap20159:84:7zEvent4395
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\SysWOW64\svchost.exe
    command line: C:\WINDOWS\system32\svchost.exe -K NetworkService
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Program Files\WinRAP\RarExt32.dll
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe
  Filesize: 15.8MB
  MD5: b678a598c16d3c98cb65a330ebbdfd7b
  SHA1: a1c4997f9066231623d3ed545a64abd3435cc20b
  SHA256: 3048cd91f71ef67483120edcf6fdba99c4c0a55cf50c5aafb8ad0748cf590e9c
  SHA512: a31b5b744393f52d4b73bfc09e140b3a17f3c0ddfd8cfaaded9393ee18c160fed3e7397fbb0ad8c7c0c64c152268c488136e76651a65f8da7450550ae1071efe
- C:\Users\Admin\AppData\Local\Temp\摩纳哥\rasadhlp.dll
  Filesize: 338KB
  MD5: 73c06c75bd9aa0a194b0dc73ab38cac5
  SHA1: 7604d4be31e6c017e3bd9a1e5590a81a7aafb40f
  SHA256: fde687287ef8cd7e6a6ce655355eaca2fba25fd6c22cc1e4040281f73205ba90
  SHA512: c8abaea48abc45fdb8c20ee1945494c42e0e3cd487723f48bd34f31fd31833a94deb38796397c8359fb3123e028a99ab5e8e05438399dcc34ae65d522f78487a
- \Users\Admin\AppData\Local\Temp\摩纳哥\rasadhlp.dll
  Filesize: 338KB
  MD5: 73c06c75bd9aa0a194b0dc73ab38cac5
  SHA1: 7604d4be31e6c017e3bd9a1e5590a81a7aafb40f
  SHA256: fde687287ef8cd7e6a6ce655355eaca2fba25fd6c22cc1e4040281f73205ba90
  SHA512: c8abaea48abc45fdb8c20ee1945494c42e0e3cd487723f48bd34f31fd31833a94deb38796397c8359fb3123e028a99ab5e8e05438399dcc34ae65d522f78487a
Memory dumps (dump / filesize):
- memory/320-232-0x0000000004330000-0x000000000440A000-memory.dmp: 872KB
- memory/2044-140-0x0000000000230000-0x0000000000231000-memory.dmp: 4KB
- memory/2044-139-0x0000000000230000-0x0000000000231000-memory.dmp: 4KB
- memory/2044-141-0x0000000000230000-0x0000000000231000-memory.dmp: 4KB
- memory/2044-142-0x0000000000250000-0x0000000000251000-memory.dmp: 4KB
- memory/2044-143-0x0000000000250000-0x0000000000251000-memory.dmp: 4KB
- memory/2044-144-0x0000000000250000-0x0000000000251000-memory.dmp: 4KB
- memory/2044-149-0x0000000000270000-0x0000000000271000-memory.dmp: 4KB
- memory/2044-156-0x0000000000310000-0x0000000000311000-memory.dmp: 4KB
- memory/2044-155-0x0000000000310000-0x0000000000311000-memory.dmp: 4KB
- memory/2044-153-0x0000000000280000-0x0000000000281000-memory.dmp: 4KB
- memory/2044-152-0x0000000000280000-0x0000000000281000-memory.dmp: 4KB
- memory/2044-150-0x0000000000270000-0x0000000000271000-memory.dmp: 4KB
- memory/2044-146-0x0000000000260000-0x0000000000261000-memory.dmp: 4KB
- memory/2044-147-0x0000000000260000-0x0000000000261000-memory.dmp: 4KB
- memory/2044-157-0x0000000000320000-0x0000000000321000-memory.dmp: 4KB
- memory/2044-158-0x0000000000320000-0x0000000000321000-memory.dmp: 4KB
- memory/2044-159-0x0000000000320000-0x0000000000321000-memory.dmp: 4KB
- memory/2044-161-0x0000000000330000-0x0000000000331000-memory.dmp: 4KB
- memory/2044-162-0x0000000000330000-0x0000000000331000-memory.dmp: 4KB
- memory/2044-160-0x0000000000330000-0x0000000000331000-memory.dmp: 4KB
- memory/2044-163-0x0000000000400000-0x0000000001420000-memory.dmp: 16.1MB
- memory/2044-169-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-172-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-171-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-173-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-174-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-178-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-180-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-176-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-182-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-184-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-186-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-192-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-190-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-188-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-194-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-196-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-198-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-200-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-202-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-204-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-206-0x0000000010000000-0x000000001003E000-memory.dmp: 248KB
- memory/2044-230-0x0000000004330000-0x000000000440A000-memory.dmp: 872KB
- memory/2044-231-0x00000000016F0000-0x00000000016F1000-memory.dmp: 4KB