3a106d498bf436f3a93ddda054549fdc0f4075b023765c1f9be9be4eca1be4c4

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7v20210410
submitted
22-07-2021 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlueLinkrIRC.exe
Size

3.8MB
MD5

680827bf74af49d305f7246831f27048
SHA1

d9e5879ea10b833c30eedd514a171cc4e9601664
SHA256

3a106d498bf436f3a93ddda054549fdc0f4075b023765c1f9be9be4eca1be4c4
SHA512

687636be75f057bd7381dba193dca84d4de66f89ca918ebac147475bc7303f8a2aadfac62b33d84ee4ebe2336f29aa658fb1ccb47617f9b5f5443191d3391d5d

Score

9^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files (x86)\Bluelinkr\Irc\HTMLayout.dll	acprotect
\Program Files (x86)\Bluelinkr\Irc\htmlayout.dll	acprotect

Executes dropped EXE 8 IoCs

Processes:

setname.exeBluelinkrserver.exeBluelinkrserver.exeBluelinkrserver.exeBluelinkrserver.exeBluelinkrserver.exeBluelinkrserver.exeBluelinkrserver.exe

pid	process
1152	setname.exe
920	Bluelinkrserver.exe
1388	Bluelinkrserver.exe
1836	Bluelinkrserver.exe
928	Bluelinkrserver.exe
1964	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
2004	Bluelinkrserver.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files (x86)\Bluelinkr\Irc\HTMLayout.dll	upx
\Program Files (x86)\Bluelinkr\Irc\htmlayout.dll	upx

Loads dropped DLL 5 IoCs

Processes:

BlueLinkrIRC.exesetname.execmd.execmd.exeBluelinkrserver.exe

pid process

1672 BlueLinkrIRC.exe
1152 setname.exe
516 cmd.exe
964 cmd.exe
1964 Bluelinkrserver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bluelinkrserver.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BluelinkrServertvncontrol = "\"C:\\Program Files (x86)\\Bluelinkr\\Irc\\Bluelinkrserver.exe\" -controlservice -slave"	Bluelinkrserver.exe

Drops file in Program Files directory 57 IoCs

Processes:

BlueLinkrIRC.exeBluelinkrserver.exesetname.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\k.jpg	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\setname.exe	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\card.htm	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\close.png	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\marsNormal.png	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\log\2021.07.22.ttlog.log	Bluelinkrserver.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\Password.exe	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\Unload.exe	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\msvcr100.dll	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\screenhooks32.dll	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrservice.dll	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\bluelinkr.ini	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\bgline.jpg	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\k.jpg	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\uninstall.htm	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\htmlayout.dll	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkr.ini	setname.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrservice.dll	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\card.htm	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\msvcp100.dll	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\Password.exe	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\setname.exe	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\back.png	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\msg.htm	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\Unload.exe	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\screenhooks32.dll	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\bluelinkr.ini	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\close.png	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\marsNormal.png	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\msg.htm	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\build.bat	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\back.png	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\main.htm	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\newpass.htm	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\uninstall.htm	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\bgline.jpg	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\icon.png	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\newpass.htm	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\titlebar.png	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\install.bat	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\minimize.png	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\confirm.htm	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\password.htm	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\titlebar.png	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\icon.png	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\log\2021.07.22.log	setname.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\minimize.png	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\msvcp100.dll	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\build.bat	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\install.bat	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\main.htm	BlueLinkrIRC.exe
File created	C:\Program Files (x86)\Bluelinkr\Irc\UI\confirm.htm	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\UI\password.htm	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\htmlayout.dll	BlueLinkrIRC.exe
File opened for modification	C:\Program Files (x86)\Bluelinkr\Irc\msvcr100.dll	BlueLinkrIRC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

552 taskkill.exe
1872 taskkill.exe
1028 taskkill.exe
1592 taskkill.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

576 PING.EXE
920 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

BlueLinkrIRC.exe

pid process

1672 BlueLinkrIRC.exe
1672 BlueLinkrIRC.exe
1672 BlueLinkrIRC.exe

pid	process
552	taskkill.exe
1872	taskkill.exe
1028	taskkill.exe
1592	taskkill.exe

pid	process
576	PING.EXE
920	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

BlueLinkrIRC.exeBluelinkrserver.exe

pid	process
1672	BlueLinkrIRC.exe
1672	BlueLinkrIRC.exe
1672	BlueLinkrIRC.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

BlueLinkrIRC.exeBluelinkrserver.exe

pid	process
1672	BlueLinkrIRC.exe
1672	BlueLinkrIRC.exe
1672	BlueLinkrIRC.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe
1556	Bluelinkrserver.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BlueLinkrIRC.exesetname.execmd.execmd.exeBluelinkrserver.exe

description	pid	process	target process
PID 1672 wrote to memory of 1152	1672	BlueLinkrIRC.exe	setname.exe
PID 1672 wrote to memory of 1152	1672	BlueLinkrIRC.exe	setname.exe
PID 1672 wrote to memory of 1152	1672	BlueLinkrIRC.exe	setname.exe
PID 1672 wrote to memory of 1152	1672	BlueLinkrIRC.exe	setname.exe
PID 1152 wrote to memory of 964	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	setname.exe	cmd.exe
PID 964 wrote to memory of 552	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 552	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 552	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 552	964	cmd.exe	taskkill.exe
PID 1152 wrote to memory of 516	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 516	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 516	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 516	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 516	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 516	1152	setname.exe	cmd.exe
PID 1152 wrote to memory of 516	1152	setname.exe	cmd.exe
PID 516 wrote to memory of 1872	516	cmd.exe	taskkill.exe
PID 516 wrote to memory of 1872	516	cmd.exe	taskkill.exe
PID 516 wrote to memory of 1872	516	cmd.exe	taskkill.exe
PID 516 wrote to memory of 1872	516	cmd.exe	taskkill.exe
PID 516 wrote to memory of 1592	516	cmd.exe	taskkill.exe
PID 516 wrote to memory of 1592	516	cmd.exe	taskkill.exe
PID 516 wrote to memory of 1592	516	cmd.exe	taskkill.exe
PID 516 wrote to memory of 1592	516	cmd.exe	taskkill.exe
PID 964 wrote to memory of 1028	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 1028	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 1028	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 1028	964	cmd.exe	taskkill.exe
PID 516 wrote to memory of 1844	516	cmd.exe	reg.exe
PID 516 wrote to memory of 1844	516	cmd.exe	reg.exe
PID 516 wrote to memory of 1844	516	cmd.exe	reg.exe
PID 516 wrote to memory of 1844	516	cmd.exe	reg.exe
PID 964 wrote to memory of 576	964	cmd.exe	reg.exe
PID 964 wrote to memory of 576	964	cmd.exe	reg.exe
PID 964 wrote to memory of 576	964	cmd.exe	reg.exe
PID 964 wrote to memory of 576	964	cmd.exe	reg.exe
PID 964 wrote to memory of 1388	964	cmd.exe	Bluelinkrserver.exe
PID 964 wrote to memory of 1388	964	cmd.exe	Bluelinkrserver.exe
PID 964 wrote to memory of 1388	964	cmd.exe	Bluelinkrserver.exe
PID 964 wrote to memory of 1388	964	cmd.exe	Bluelinkrserver.exe
PID 516 wrote to memory of 920	516	cmd.exe	Bluelinkrserver.exe
PID 516 wrote to memory of 920	516	cmd.exe	Bluelinkrserver.exe
PID 516 wrote to memory of 920	516	cmd.exe	Bluelinkrserver.exe
PID 516 wrote to memory of 920	516	cmd.exe	Bluelinkrserver.exe
PID 964 wrote to memory of 1836	964	cmd.exe	Bluelinkrserver.exe
PID 964 wrote to memory of 1836	964	cmd.exe	Bluelinkrserver.exe
PID 964 wrote to memory of 1836	964	cmd.exe	Bluelinkrserver.exe
PID 964 wrote to memory of 1836	964	cmd.exe	Bluelinkrserver.exe
PID 516 wrote to memory of 928	516	cmd.exe	Bluelinkrserver.exe
PID 516 wrote to memory of 928	516	cmd.exe	Bluelinkrserver.exe
PID 516 wrote to memory of 928	516	cmd.exe	Bluelinkrserver.exe
PID 516 wrote to memory of 928	516	cmd.exe	Bluelinkrserver.exe
PID 928 wrote to memory of 1556	928	Bluelinkrserver.exe	Bluelinkrserver.exe
PID 928 wrote to memory of 1556	928	Bluelinkrserver.exe	Bluelinkrserver.exe
PID 928 wrote to memory of 1556	928	Bluelinkrserver.exe	Bluelinkrserver.exe
PID 928 wrote to memory of 1556	928	Bluelinkrserver.exe	Bluelinkrserver.exe
PID 516 wrote to memory of 576	516	cmd.exe	PING.EXE
PID 516 wrote to memory of 576	516	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\BlueLinkrIRC.exe
"C:\Users\Admin\AppData\Local\Temp\BlueLinkrIRC.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1672

C:\Program Files (x86)\Bluelinkr\Irc\setname.exe
"C:\Program Files (x86)\Bluelinkr\Irc\setname.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\Bluelinkr\Irc\install.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\taskkill.exe
taskkill /im BluelinkrServer.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Bluelinkrproxyauto.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "SoftwareSASGeneration" /t "REG_DWORD" /d "1" /f
4⤵
PID:576

C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
BluelinkrServer.exe -install -silent
4⤵
- Executes dropped EXE
PID:1388

C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
BluelinkrServer.exe -start -silent
4⤵
- Executes dropped EXE
PID:1836

C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
"C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe" -controlservice -slave
5⤵
- Executes dropped EXE
PID:2004

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1 -w 100
4⤵
- Runs ping.exe
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\Bluelinkr\Irc\install.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\taskkill.exe
taskkill /im BluelinkrServer.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Bluelinkrproxyauto.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "SoftwareSASGeneration" /t "REG_DWORD" /d "1" /f
4⤵
PID:1844

C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
BluelinkrServer.exe -install -silent
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:920

C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
BluelinkrServer.exe -start -silent
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928

C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
"C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe" -controlservice -slave
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1556

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1 -w 100
4⤵
- Runs ping.exe
PID:576

C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
"C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe" -service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkr.ini
MD5
7cb8b8a523059db935a28dee05655ee4

SHA1
7dfdc4ed57725117a86917bbed2d47db8b13e967

SHA256
97580107eca3d40f28799f2bd36c74b891f601fc480a67dbec3b5d350c27bef6

SHA512
69ac2fa075b294b4a174d9f93ade7e66766c129dd811e3f7c6ad49af4a671cd404b4e94885c4320d01e2f061b220cc200b790c75b7a9015d9ef047b96631e387

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkr.ini
MD5
7cb8b8a523059db935a28dee05655ee4

SHA1
7dfdc4ed57725117a86917bbed2d47db8b13e967

SHA256
97580107eca3d40f28799f2bd36c74b891f601fc480a67dbec3b5d350c27bef6

SHA512
69ac2fa075b294b4a174d9f93ade7e66766c129dd811e3f7c6ad49af4a671cd404b4e94885c4320d01e2f061b220cc200b790c75b7a9015d9ef047b96631e387

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\BluelinkrService.dll
MD5
27dbb1fec517635721ba6a13e91b60b2

SHA1
6e3823cf8ae6b6fc10570e8fc76c107004fc989a

SHA256
054905d717f149b730d63caf6ca1cc2cdcd9d4f5891ffccbd41f0a59a674f350

SHA512
b517dccc9b63d941577e5f0e0e8492b9a1ddd312ce35c72fd8c31a3645d462820cc78bbbf180967abeec04772bd3940b337162240f07c88ccfbca116dc5b16a1

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
MD5
bc7848c0c1539e660657c137f18eecb7

SHA1
ffeddf0da11f70a99980599e88bd77c02ec2a132

SHA256
7c109a43bf859024faaf50c3fa6841478c2d47b7768cf13521d2cd927b402698

SHA512
5a3c75d12d0127e96b729b79dc5f4aed4c7b859eb52eaf717fd51108005a32a5191ac6c87db75497f6219d400753635f196e6e56edb6af448a69dc12721f1c0a

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
MD5
bc7848c0c1539e660657c137f18eecb7

SHA1
ffeddf0da11f70a99980599e88bd77c02ec2a132

SHA256
7c109a43bf859024faaf50c3fa6841478c2d47b7768cf13521d2cd927b402698

SHA512
5a3c75d12d0127e96b729b79dc5f4aed4c7b859eb52eaf717fd51108005a32a5191ac6c87db75497f6219d400753635f196e6e56edb6af448a69dc12721f1c0a

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
MD5
bc7848c0c1539e660657c137f18eecb7

SHA1
ffeddf0da11f70a99980599e88bd77c02ec2a132

SHA256
7c109a43bf859024faaf50c3fa6841478c2d47b7768cf13521d2cd927b402698

SHA512
5a3c75d12d0127e96b729b79dc5f4aed4c7b859eb52eaf717fd51108005a32a5191ac6c87db75497f6219d400753635f196e6e56edb6af448a69dc12721f1c0a

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
MD5
bc7848c0c1539e660657c137f18eecb7

SHA1
ffeddf0da11f70a99980599e88bd77c02ec2a132

SHA256
7c109a43bf859024faaf50c3fa6841478c2d47b7768cf13521d2cd927b402698

SHA512
5a3c75d12d0127e96b729b79dc5f4aed4c7b859eb52eaf717fd51108005a32a5191ac6c87db75497f6219d400753635f196e6e56edb6af448a69dc12721f1c0a

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
MD5
bc7848c0c1539e660657c137f18eecb7

SHA1
ffeddf0da11f70a99980599e88bd77c02ec2a132

SHA256
7c109a43bf859024faaf50c3fa6841478c2d47b7768cf13521d2cd927b402698

SHA512
5a3c75d12d0127e96b729b79dc5f4aed4c7b859eb52eaf717fd51108005a32a5191ac6c87db75497f6219d400753635f196e6e56edb6af448a69dc12721f1c0a

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
MD5
bc7848c0c1539e660657c137f18eecb7

SHA1
ffeddf0da11f70a99980599e88bd77c02ec2a132

SHA256
7c109a43bf859024faaf50c3fa6841478c2d47b7768cf13521d2cd927b402698

SHA512
5a3c75d12d0127e96b729b79dc5f4aed4c7b859eb52eaf717fd51108005a32a5191ac6c87db75497f6219d400753635f196e6e56edb6af448a69dc12721f1c0a

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
MD5
bc7848c0c1539e660657c137f18eecb7

SHA1
ffeddf0da11f70a99980599e88bd77c02ec2a132

SHA256
7c109a43bf859024faaf50c3fa6841478c2d47b7768cf13521d2cd927b402698

SHA512
5a3c75d12d0127e96b729b79dc5f4aed4c7b859eb52eaf717fd51108005a32a5191ac6c87db75497f6219d400753635f196e6e56edb6af448a69dc12721f1c0a

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
MD5
bc7848c0c1539e660657c137f18eecb7

SHA1
ffeddf0da11f70a99980599e88bd77c02ec2a132

SHA256
7c109a43bf859024faaf50c3fa6841478c2d47b7768cf13521d2cd927b402698

SHA512
5a3c75d12d0127e96b729b79dc5f4aed4c7b859eb52eaf717fd51108005a32a5191ac6c87db75497f6219d400753635f196e6e56edb6af448a69dc12721f1c0a

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\HTMLayout.dll
MD5
19660f7dcca5176b0640b2b677e9cb08

SHA1
00d181acb9e07791bb05aabb91b1efbe45ac9f1f

SHA256
fbce41fabb06aba7c07cd0f1c47460a767b580c96b8fc1ec6739b752b2d7c0ca

SHA512
ffc841535c3ad99ae682cd63f4c33fb24d39d9a222d5ebd44053a59bbdfdca413d86da6b392aa6a64ebc38af72527011d6f8d95a0e4b90e324972e19441ad0e0

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\install.bat
MD5
04f559f28d6a9326e4a8cc40a86b329d

SHA1
a8706c6a489a3ff91a8a5f8cc8c7460d063655be

SHA256
c9da6208ec63e2cb9827f5ae4b6fcf45d14e8c48ac19b34e371e3077db86b853

SHA512
4b0b435b1e279486c5de9bc57458d7cb8b39f1cf2b945ebab6da38cb88574aca8e018beebbe357b2c275d19fffbb8dfaf219de74e39b51267684449913fe2823

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\setname.exe
MD5
787840101b0cd50716f4805bced1faa0

SHA1
71e7ca88c5f7b5aa257c332703d2ffeed994d22a

SHA256
f407ae3e683bd1d00078278881ad0f44e86130f5d4f15fb36a026ec96e95e55e

SHA512
82838f9f4d311ae98031e9efb72da697fae6a860933f9d9cedd884d515e3f697c47060566f8044bb176bf48a8eca5ec06730a9561a37b3c0447377ce2f5440c0

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\ui\back.png
MD5
51c2e465dc63554abdec6c51251f2a19

SHA1
6bbad8c1944b6b6fce93815c77afdff339348134

SHA256
3094a0489848874c1837d01a812396106412bf10df767ec10492fcefd2cfbdaf

SHA512
021eefb5b6e0d94e79d3a1a61ccc06ad5cdae1ea0c8a3dde4648c1689da21b219af6d88b49a27c229c39b9313d11711beaefc1c74fb8852f4415ed5a72f59a33

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\ui\close.png
MD5
a02411fe39a126f07f3203cd285bab1b

SHA1
1131bda594b60c63ac15f0d0007d2ca4688daa56

SHA256
3587870c3335581b1f96a010c291c1e4457b8ef0b6ed3c945288c88058f6b31d

SHA512
3c8eea43eaaaf1e97552ce4e8531f96958182fab404fbaeecc2cb6c9ec4a660ecd64d3966fa95193de46984f8382297c02684c37b899e6211192e6bd3e98c496

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\ui\minimize.png
MD5
be10f697f00fdedaf18e169cd5faa69c

SHA1
bafc0fe42870389b8f0f0fedc40b3bc2a57a3c10

SHA256
eff575cb4a939ec65e61c48c3b443a159e8b2aea41655fbc740e01331e76a984

SHA512
a3271c8ce918f9958618655e31114a3eac0e7a31804ad8a83f0844f749007eb803f5bb3f720e91b651fda8c48c98788d43ad9384b52e6f616163bcc12c58964f

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\ui\msg.htm
MD5
3deddd1c0ccedc38858d8930c2b7960e

SHA1
577b4e270bfbb77c7abe71b8bf0c5bcd96a93cff

SHA256
df7b17ea71e30ca9e58e829411050e3ab8f13c676d0f4a03a7af569eaef008dc

SHA512
65f07c0171f1fb8f553a0bf0292871c524b5296132d999736c4aa68a6f35543e59de33ee66c8c5a73a30d156012f10a58d95ba62919a710855b88188e26df6ab

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\ui\newpass.htm
MD5
026bb0ce09ce2ca8e9e69cd0ba9058f0

SHA1
b31364f23334b2680d40d89aba061888ca9bd4c9

SHA256
d6ddaa392e6978b6fd8354a8363e12c8b9623dbffe3820175be4f73ebb832222

SHA512
61f223d6b80946124fa770879cebfb329fdd79b02e5de98e9e2f0ccfcb4ddc2aae1a2001d6df1d7d5d069836f1a02b8c1a9c0af20e0a09d7896f662133e28121

Download Submit
C:\Program Files (x86)\Bluelinkr\Irc\ui\titlebar.png
MD5
6661a793bda035249ca04bbfdc27dd86

SHA1
172144308e0cdf37c8068c1cc61d671a2d1d1edf

SHA256
35cefd888cb072d0c473f611d05bc6bc7c30f59ecdc298a1f8a4d279d450147d

SHA512
be4eab1cf556544500c6d2e12ef99d22e88084f0cfc34cbd1a428bc4811d2613a045e35c847d854bca4d16d890ac3119eea00b47dc71ae750b2c1419cda1264f

Download Submit
\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
MD5
bc7848c0c1539e660657c137f18eecb7

SHA1
ffeddf0da11f70a99980599e88bd77c02ec2a132

SHA256
7c109a43bf859024faaf50c3fa6841478c2d47b7768cf13521d2cd927b402698

SHA512
5a3c75d12d0127e96b729b79dc5f4aed4c7b859eb52eaf717fd51108005a32a5191ac6c87db75497f6219d400753635f196e6e56edb6af448a69dc12721f1c0a

Download Submit
\Program Files (x86)\Bluelinkr\Irc\Bluelinkrserver.exe
MD5
bc7848c0c1539e660657c137f18eecb7

SHA1
ffeddf0da11f70a99980599e88bd77c02ec2a132

SHA256
7c109a43bf859024faaf50c3fa6841478c2d47b7768cf13521d2cd927b402698

SHA512
5a3c75d12d0127e96b729b79dc5f4aed4c7b859eb52eaf717fd51108005a32a5191ac6c87db75497f6219d400753635f196e6e56edb6af448a69dc12721f1c0a

Download Submit
\Program Files (x86)\Bluelinkr\Irc\Bluelinkrservice.dll
MD5
27dbb1fec517635721ba6a13e91b60b2

SHA1
6e3823cf8ae6b6fc10570e8fc76c107004fc989a

SHA256
054905d717f149b730d63caf6ca1cc2cdcd9d4f5891ffccbd41f0a59a674f350

SHA512
b517dccc9b63d941577e5f0e0e8492b9a1ddd312ce35c72fd8c31a3645d462820cc78bbbf180967abeec04772bd3940b337162240f07c88ccfbca116dc5b16a1

Download Submit
\Program Files (x86)\Bluelinkr\Irc\htmlayout.dll
MD5
19660f7dcca5176b0640b2b677e9cb08

SHA1
00d181acb9e07791bb05aabb91b1efbe45ac9f1f

SHA256
fbce41fabb06aba7c07cd0f1c47460a767b580c96b8fc1ec6739b752b2d7c0ca

SHA512
ffc841535c3ad99ae682cd63f4c33fb24d39d9a222d5ebd44053a59bbdfdca413d86da6b392aa6a64ebc38af72527011d6f8d95a0e4b90e324972e19441ad0e0

Download Submit
\Program Files (x86)\Bluelinkr\Irc\setname.exe
MD5
787840101b0cd50716f4805bced1faa0

SHA1
71e7ca88c5f7b5aa257c332703d2ffeed994d22a

SHA256
f407ae3e683bd1d00078278881ad0f44e86130f5d4f15fb36a026ec96e95e55e

SHA512
82838f9f4d311ae98031e9efb72da697fae6a860933f9d9cedd884d515e3f697c47060566f8044bb176bf48a8eca5ec06730a9561a37b3c0447377ce2f5440c0

Download Submit
memory/516-75-0x0000000000000000-mapping.dmp

Download
memory/552-74-0x0000000000000000-mapping.dmp

Download
memory/576-80-0x0000000000000000-mapping.dmp

Download
memory/576-100-0x0000000000000000-mapping.dmp

Download
memory/920-85-0x0000000000000000-mapping.dmp

Download
memory/920-109-0x0000000000000000-mapping.dmp

Download
memory/928-91-0x0000000000000000-mapping.dmp

Download
memory/964-73-0x0000000000000000-mapping.dmp

Download
memory/1028-78-0x0000000000000000-mapping.dmp

Download
memory/1152-61-0x0000000000000000-mapping.dmp

Download
memory/1388-84-0x0000000000000000-mapping.dmp

Download
memory/1556-98-0x0000000000000000-mapping.dmp

Download
memory/1592-77-0x0000000000000000-mapping.dmp

Download
memory/1672-59-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/1836-90-0x0000000000000000-mapping.dmp

Download
memory/1844-79-0x0000000000000000-mapping.dmp

Download
memory/1872-76-0x0000000000000000-mapping.dmp

Download
memory/2004-106-0x0000000000000000-mapping.dmp

Download