File name: 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8

Full analysis: https://app.any.run/tasks/1be85884-0285-435b-89b1-d61dc69d0c5c
Verdict: Malicious activity
Analysis date: November 03, 2024, 06:47:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: blackmoon, vmprotect
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: ADBCBCAB0F96A8943F89E33D1BDBEE7F
SHA1: ED5D72949EBC12DBEF551A6B84B3F39F2688AF95
SHA256: 7B98EAB672752A3DE97E3624F2CB34E93F013C11292EA7707A3196BD3EFBA6C8
SSDEEP: 98304:knkdiF+curL0JnGZyUV+JxcuSoSK5MVtuBNV+b0EwwO1uxGKPbBXMCtG/5hgSepf:bVaVTdZYbc8gpZxH9VC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • BLACKMOON has been detected (YARA)
      • RKCO.PKQ (PID: 5832)
  • SUSPICIOUS
    • Starts itself from another location
      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)
    • Executable content was dropped or overwritten
      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)
    • Creates file in the system drive root
      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)
      • RKCO.PKQ (PID: 5832)
    • Starts application with an unusual extension
      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)
    • Mutex name with non-standard characters
      • RKCO.PKQ (PID: 5832)
      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)
    • Starts CMD.EXE for command execution
      • RKCO.PKQ (PID: 5832)
    • Uses WMIC.EXE to obtain data on the base board (motherboard or system board)
      • RKCO.PKQ (PID: 5832)
  • INFO
    • Reads the computer name
      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)
      • RKCO.PKQ (PID: 5832)
    • Checks supported languages
      • 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (PID: 300)
      • RKCO.PKQ (PID: 5832)
    • Reads the machine GUID from the registry
      • RKCO.PKQ (PID: 5832)
    • Reads the software policy settings
      • RKCO.PKQ (PID: 5832)
    • VMProtect protector has been detected
      • RKCO.PKQ (PID: 5832)
    • Reads security settings of Internet Explorer
      • WMIC.exe (PID: 4436)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x7d2a3d
UninitializedDataSize: -
InitializedDataSize: 1036288
CodeSize: 1134592
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2022:03:20 14:26:23+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 131
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (no specs)
  7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe (THREAT)
    rkco.pkq
      cmd.exe (no specs)
        conhost.exe (no specs)
      wmic.exe (no specs)
        conhost.exe (no specs)

Process information

PID 764
CMD: "C:\Users\admin\Desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe"
Path: C:\Users\admin\Desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Images: c:\users\admin\desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll

PID 300
CMD: "C:\Users\admin\Desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe"
Path: C:\Users\admin\Desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Images: c:\users\admin\desktop\7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\ws2_32.dll

PID 5832
CMD: "C:\Users\admin\Desktop\RKCO.PKQ"
Path: C:\Users\admin\Desktop\RKCO.PKQ
Parent process: 7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe
User: admin
Integrity Level: HIGH
Images: c:\users\admin\desktop\rkco.pkq, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\ws2_32.dll

PID 2620
CMD: cmd /c echo t>c:\windows\system32\administratortestpermissions28647
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: RKCO.PKQ
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Images: c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 2692
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Images: c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 4436
CMD: wmic BaseBoard get SerialNumber
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Parent process: RKCO.PKQ
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Images: c:\windows\syswow64\wbem\wmic.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 3836
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Images: c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
Total events: 3 498
Read events: 3 498
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID 300 (7b98eab672752a3de97e3624f2cb34e93f013c11292ea7707a3196bd3efba6c8.exe)
Filename: C:\Users\admin\Desktop\RKCO.PKQ
Type: executable
MD5: 35A2746D3B6771BF66E39339552EDE9C
SHA256: C6EAB143F1B0576FBAAE6B0793DC8BA9713A54DB7A26AA992FC045D05174B9A0

PID 2620 (cmd.exe)
Filename: C:\Windows\SysWOW64\administratortestpermissions28647
Type: text
MD5: 5696FEB53A6AD364E3DA313D7BB865C2
SHA256: 9E8B03EA3B48312F8E3A15BEC7AA85C96A362E2776AC6BC3DFD74A40022BCC8A

PID 5832 (RKCO.PKQ)
Filename: C:\Users\admin\Desktop\soft.ini
Type: text
MD5: 242493406746B6E44516EB9D9E4F5CF4
SHA256: D141568A360ECBB7531BAFEEF02FED90CE3BB48C82CA10A8F36F44CF55A9424F
HTTP(S) requests: 7
TCP/UDP connections: 24
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
– | – | HEAD | 200 | 103.235.47.188:443 | https://www.baidu.com/ | – | unknown
1764 | RUXIMICS.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
6944 | svchost.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1764 | RUXIMICS.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
6944 | svchost.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | – | – | – | unknown
6944 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
5488 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
1764 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
– | – | 2.23.209.133:443 | www.bing.com | Akamai International B.V. | GB | unknown
4 | System | 192.168.100.255:138 | – | – | – | unknown
5832 | RKCO.PKQ | 103.235.47.188:443 | www.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | unknown
6944 | svchost.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5488 | MoUsoCoreWorker.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
1764 | RUXIMICS.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59, 40.127.240.158 | unknown
www.bing.com | 2.23.209.133, 2.23.209.187, 2.23.209.182, 2.23.209.185, 2.23.209.189, 2.23.209.130, 2.23.209.193, 2.23.209.140, 2.23.209.179 | unknown
google.com | 172.217.16.206 | unknown
www.baidu.com | 103.235.47.188, 103.235.46.96 | unknown
crl.microsoft.com | 2.16.164.9, 2.16.164.49 | unknown
www.microsoft.com | 23.32.185.131 | unknown
admin.yemanb.com | – | unknown
self.events.data.microsoft.com | 20.189.173.28 | unknown

Threats

No threats detected
No debug info