Overview

overview

10

Static

static

10

摩纳哥.7z

windows10-1703-x64

7

摩纳哥.7z

windows7-x64

10

摩纳哥.7z

windows10-2004-x64

3

Analysis

  • max time kernel
    1610s
  • max time network
    1800s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    26-02-2023 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    摩纳哥.7z

  • Size

    19.9MB

  • MD5

    8d798197150cf22c2d63ff1181ca0535

  • SHA1

    49bd04d964cfae91cc4021323dae9d51e8c33964

  • SHA256

    00afff69b8f52c22df1875d98d75730cde0ea314c6e5b120636ed47deb12d014

  • SHA512

    f84049e0266662e8aeac3a0d829e0461f9465d0450d2f5a0e111477a78aa05706d51457bb4f4d37591aac07e8e6145a05d6346210391ab4e01e211dea0904e33

  • SSDEEP

    393216:O/Yz0z3hU/4T4e47EdNCVKko+kA27u2f2hLyBiFHNzF7V:Lz63hUWtjd4VCAHOENzFJ

Score
10/10
blackmoonbankerdiscoverytrojanupx

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\摩纳哥.7z
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\摩纳哥.7z
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\摩纳哥.7z"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1628
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:760
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x480
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1084
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\摩纳哥\" -spe -an -ai#7zMap20159:84:7zEvent4395
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:568
    • C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\WINDOWS\SysWOW64\svchost.exe
        C:\WINDOWS\system32\svchost.exe -K NetworkService
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:320

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\WinRAP\RarExt32.dll
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe
      Filesize

      15.8MB

      MD5

      b678a598c16d3c98cb65a330ebbdfd7b

      SHA1

      a1c4997f9066231623d3ed545a64abd3435cc20b

      SHA256

      3048cd91f71ef67483120edcf6fdba99c4c0a55cf50c5aafb8ad0748cf590e9c

      SHA512

      a31b5b744393f52d4b73bfc09e140b3a17f3c0ddfd8cfaaded9393ee18c160fed3e7397fbb0ad8c7c0c64c152268c488136e76651a65f8da7450550ae1071efe

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\摩纳哥\Client.exe
      Filesize

      15.8MB

      MD5

      b678a598c16d3c98cb65a330ebbdfd7b

      SHA1

      a1c4997f9066231623d3ed545a64abd3435cc20b

      SHA256

      3048cd91f71ef67483120edcf6fdba99c4c0a55cf50c5aafb8ad0748cf590e9c

      SHA512

      a31b5b744393f52d4b73bfc09e140b3a17f3c0ddfd8cfaaded9393ee18c160fed3e7397fbb0ad8c7c0c64c152268c488136e76651a65f8da7450550ae1071efe

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\摩纳哥\rasadhlp.dll
      Filesize

      338KB

      MD5

      73c06c75bd9aa0a194b0dc73ab38cac5

      SHA1

      7604d4be31e6c017e3bd9a1e5590a81a7aafb40f

      SHA256

      fde687287ef8cd7e6a6ce655355eaca2fba25fd6c22cc1e4040281f73205ba90

      SHA512

      c8abaea48abc45fdb8c20ee1945494c42e0e3cd487723f48bd34f31fd31833a94deb38796397c8359fb3123e028a99ab5e8e05438399dcc34ae65d522f78487a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\摩纳哥\rasadhlp.dll
      Filesize

      338KB

      MD5

      73c06c75bd9aa0a194b0dc73ab38cac5

      SHA1

      7604d4be31e6c017e3bd9a1e5590a81a7aafb40f

      SHA256

      fde687287ef8cd7e6a6ce655355eaca2fba25fd6c22cc1e4040281f73205ba90

      SHA512

      c8abaea48abc45fdb8c20ee1945494c42e0e3cd487723f48bd34f31fd31833a94deb38796397c8359fb3123e028a99ab5e8e05438399dcc34ae65d522f78487a

      Download Submit
    • memory/320-232-0x0000000004330000-0x000000000440A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/2044-140-0x0000000000230000-0x0000000000231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-139-0x0000000000230000-0x0000000000231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-141-0x0000000000230000-0x0000000000231000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-142-0x0000000000250000-0x0000000000251000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-143-0x0000000000250000-0x0000000000251000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-144-0x0000000000250000-0x0000000000251000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-149-0x0000000000270000-0x0000000000271000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-156-0x0000000000310000-0x0000000000311000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-155-0x0000000000310000-0x0000000000311000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-153-0x0000000000280000-0x0000000000281000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-152-0x0000000000280000-0x0000000000281000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-150-0x0000000000270000-0x0000000000271000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-146-0x0000000000260000-0x0000000000261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-147-0x0000000000260000-0x0000000000261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-157-0x0000000000320000-0x0000000000321000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-158-0x0000000000320000-0x0000000000321000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-159-0x0000000000320000-0x0000000000321000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-161-0x0000000000330000-0x0000000000331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-162-0x0000000000330000-0x0000000000331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-160-0x0000000000330000-0x0000000000331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2044-163-0x0000000000400000-0x0000000001420000-memory.dmp
      Filesize

      16.1MB

      Download
    • memory/2044-169-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-172-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-171-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-173-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-174-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-178-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-180-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-176-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-182-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-184-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-186-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-192-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-190-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-188-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-194-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-196-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-198-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-200-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-202-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-204-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-206-0x0000000010000000-0x000000001003E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2044-230-0x0000000004330000-0x000000000440A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/2044-231-0x00000000016F0000-0x00000000016F1000-memory.dmp
      Filesize

      4KB

      Download