Analysis Overview
SHA256
ebdce938512e6338a6e0101e006e9a22237bced741086cc932eebecc03e9a820
Threat Level: Shows suspicious behavior
The file Archive.zip was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-24 19:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-24 19:06
Reported
2024-12-24 19:07
Platform
win10ltsc2021-20241211-en
Max time kernel
43s
Max time network
44s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\BlackRock.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\BlackRock.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\BlackRock.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\New folder\BlackRock.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Archive.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\New folder\BlackRock.exe
"C:\Users\Admin\Desktop\New folder\BlackRock.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.134.124.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.35.70.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.44.82.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| N/A | 100.82.147.102:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 102.147.82.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | company.blackrock.luxury | udp |
| N/A | 100.124.121.54:443 | company.blackrock.luxury | tcp |
| US | 8.8.8.8:53 | 54.121.124.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| N/A | 100.92.72.231:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 177.33.67.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.72.92.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.219.110.100.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\New folder\BlackRock.exe
| MD5 | fb74ea83b0013db659ecaf1ea222b7f4 |
| SHA1 | 17330d6bdd9ab973d8a0a0293202a8343a2440d3 |
| SHA256 | c413dbc4dc71a512432bfe2d64b3aa0e8344000a0daa88d6020a76e01018d1a7 |
| SHA512 | e22c2f582babb9e76917903e1df60f76c0c8d30604ccc2c87e56e875aab2ae584e9afcee4575c449abd030e8613b17b4b8ce14fb15fcd3cdd4dd22f1ff3bb238 |
C:\Users\Admin\Desktop\New folder\ScintillaNET.dll
| MD5 | 46c84ded17d245234617918c27afd4f7 |
| SHA1 | 3619b22c33e6146c3d3c4f1e76ff61cdf35e5bb4 |
| SHA256 | 4779af90d40a141a6fa9ac8e75611fccc5e240f20f34d560df7a8bdc05ca27bd |
| SHA512 | 04948e1e3e99d769054f318a7637740012c75c0b2b0dd1618e94acea308c871a7fc2902ca3fe4b83902a1a86e986e2849f7341c37f8ae1cd99c6529b49328a25 |
C:\Users\Admin\Desktop\New folder\Newtonsoft.Json.dll
| MD5 | 195ffb7167db3219b217c4fd439eedd6 |
| SHA1 | 1e76e6099570ede620b76ed47cf8d03a936d49f8 |
| SHA256 | e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d |
| SHA512 | 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac |