Malware Analysis Report

2025-05-05 22:33

Sample ID 241224-xr869strgt
Target Archive.zip
SHA256 ebdce938512e6338a6e0101e006e9a22237bced741086cc932eebecc03e9a820
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ebdce938512e6338a6e0101e006e9a22237bced741086cc932eebecc03e9a820

Threat Level: Shows suspicious behavior

The file Archive.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary


Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-12-24 19:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-24 19:06

Reported

2024-12-24 19:07

Platform

win10ltsc2021-20241211-en

Max time kernel

43s

Max time network

44s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Archive.zip"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\New folder\BlackRock.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\New folder\BlackRock.exe N/A
N/A N/A C:\Users\Admin\Desktop\New folder\BlackRock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New folder\BlackRock.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Archive.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\New folder\BlackRock.exe

"C:\Users\Admin\Desktop\New folder\BlackRock.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.134.124.100.in-addr.arpa udp
US 8.8.8.8:53 196.35.70.100.in-addr.arpa udp
US 8.8.8.8:53 169.44.82.100.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
N/A 100.82.147.102:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 102.147.82.100.in-addr.arpa udp
US 8.8.8.8:53 company.blackrock.luxury udp
N/A 100.124.121.54:443 company.blackrock.luxury tcp
US 8.8.8.8:53 54.121.124.100.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
N/A 100.92.72.231:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 177.33.67.100.in-addr.arpa udp
US 8.8.8.8:53 231.72.92.100.in-addr.arpa udp
US 8.8.8.8:53 22.219.110.100.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\New folder\BlackRock.exe

MD5 fb74ea83b0013db659ecaf1ea222b7f4
SHA1 17330d6bdd9ab973d8a0a0293202a8343a2440d3
SHA256 c413dbc4dc71a512432bfe2d64b3aa0e8344000a0daa88d6020a76e01018d1a7
SHA512 e22c2f582babb9e76917903e1df60f76c0c8d30604ccc2c87e56e875aab2ae584e9afcee4575c449abd030e8613b17b4b8ce14fb15fcd3cdd4dd22f1ff3bb238

memory/4520-14-0x00007FFD661A3000-0x00007FFD661A5000-memory.dmp

memory/4520-15-0x00000258C3B90000-0x00000258C3D3C000-memory.dmp

memory/4520-16-0x00000258C5990000-0x00000258C5991000-memory.dmp

memory/4520-17-0x00007FFD661A0000-0x00007FFD66C62000-memory.dmp

memory/4520-18-0x00000258DE240000-0x00000258DE2B6000-memory.dmp

C:\Users\Admin\Desktop\New folder\ScintillaNET.dll

MD5 46c84ded17d245234617918c27afd4f7
SHA1 3619b22c33e6146c3d3c4f1e76ff61cdf35e5bb4
SHA256 4779af90d40a141a6fa9ac8e75611fccc5e240f20f34d560df7a8bdc05ca27bd
SHA512 04948e1e3e99d769054f318a7637740012c75c0b2b0dd1618e94acea308c871a7fc2902ca3fe4b83902a1a86e986e2849f7341c37f8ae1cd99c6529b49328a25

memory/4520-20-0x00000258DE580000-0x00000258DE6D4000-memory.dmp

C:\Users\Admin\Desktop\New folder\Newtonsoft.Json.dll

MD5 195ffb7167db3219b217c4fd439eedd6
SHA1 1e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256 e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA512 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

memory/4520-22-0x00000258DE420000-0x00000258DE4D2000-memory.dmp

memory/4520-23-0x00000258C5B10000-0x00000258C5B4C000-memory.dmp

memory/4520-24-0x00007FFD661A0000-0x00007FFD66C62000-memory.dmp