885414fbd68aed4cd87b94e1cfb8145091cc7115eda81a0e720e42122ffe1af9

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7v20210408
submitted
22-07-2021 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlueLinkr_123456_Email.exe
Size

3.4MB
MD5

552ac81b88079702cbb874cccce32da0
SHA1

94d4b749442ec8b8c15c38e94e29c79921624ac4
SHA256

885414fbd68aed4cd87b94e1cfb8145091cc7115eda81a0e720e42122ffe1af9
SHA512

a94ae6c4382fed92061bc93aa133dcacd15c6e02d6ab80167db8ac19e98c1d9eca2db6f984580c0789bb7172d45e0b216b42462f1bffe5a37155aa952cae1132

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\HTMLayout.dll	acprotect
\Users\Admin\AppData\Local\Temp\BluelinkrRemote\htmlayout.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

Bluelinkrapp.exe

pid process

1924 Bluelinkrapp.exe

pid	process
1924	Bluelinkrapp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\HTMLayout.dll	upx
\Users\Admin\AppData\Local\Temp\BluelinkrRemote\htmlayout.dll	upx

Loads dropped DLL 5 IoCs

Processes:

BlueLinkr_123456_Email.exeBluelinkrapp.exe

pid process

940 BlueLinkr_123456_Email.exe
940 BlueLinkr_123456_Email.exe
940 BlueLinkr_123456_Email.exe
1924 Bluelinkrapp.exe
1924 Bluelinkrapp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

BlueLinkr_123456_Email.exe

pid process

940 BlueLinkr_123456_Email.exe
940 BlueLinkr_123456_Email.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

BlueLinkr_123456_Email.exe

pid process

940 BlueLinkr_123456_Email.exe
940 BlueLinkr_123456_Email.exe
940 BlueLinkr_123456_Email.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

BlueLinkr_123456_Email.exe

pid process

940 BlueLinkr_123456_Email.exe
940 BlueLinkr_123456_Email.exe
940 BlueLinkr_123456_Email.exe

pid	process
940	BlueLinkr_123456_Email.exe
940	BlueLinkr_123456_Email.exe
940	BlueLinkr_123456_Email.exe
1924	Bluelinkrapp.exe
1924	Bluelinkrapp.exe

pid	process
940	BlueLinkr_123456_Email.exe
940	BlueLinkr_123456_Email.exe

pid	process
940	BlueLinkr_123456_Email.exe
940	BlueLinkr_123456_Email.exe
940	BlueLinkr_123456_Email.exe

pid	process
940	BlueLinkr_123456_Email.exe
940	BlueLinkr_123456_Email.exe
940	BlueLinkr_123456_Email.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

BlueLinkr_123456_Email.exe

description	pid	process	target process
PID 940 wrote to memory of 1924	940	BlueLinkr_123456_Email.exe	Bluelinkrapp.exe
PID 940 wrote to memory of 1924	940	BlueLinkr_123456_Email.exe	Bluelinkrapp.exe
PID 940 wrote to memory of 1924	940	BlueLinkr_123456_Email.exe	Bluelinkrapp.exe
PID 940 wrote to memory of 1924	940	BlueLinkr_123456_Email.exe	Bluelinkrapp.exe

C:\Users\Admin\AppData\Local\Temp\BlueLinkr_123456_Email.exe
"C:\Users\Admin\AppData\Local\Temp\BlueLinkr_123456_Email.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\Bluelinkrapp.exe
"C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\Bluelinkrapp.exe" startapp
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\Bluelinkr.ini
MD5
297b0c6ba086002c7d813abad28d90a4

SHA1
f0a1f8ee6c7359ca7a6c375da592070fec76b9f5

SHA256
c921d077264a4607c1654bc443c2eaf44013056558c9a7d4fb6339a7b8456674

SHA512
8c9960a697fa97ccc4ebb5da0d322521862e7445dae3d0d26b72f3f7301ea813c096af284f85b0ed2d3756e3d6acb247c1fad8d3b08af8456684f276a53c5b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\Bluelinkrapp.exe
MD5
018a7fdc34335d8c259ed07888422904

SHA1
65c9093ed720ffcad50c7730f645609300711bed

SHA256
a44e598d82e98adbfb953924652198248f41b8c297f64c0014382b053dcbfbb6

SHA512
b399f20171c35db9b6cb2132dfda843ab7a8afb49fd5f9139db72d2b167c2c658610d26a77fe9cc00381b9e52db4bb6a6dd6651d83da70ce4bee8beadf4f2a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\HTMLayout.dll
MD5
7222f8144a764f45b21fbc89e007c4c9

SHA1
0d77d686698d24a13b9678cb61a4af42ea5917d0

SHA256
c3460cb07883a9593c6aa889242bfff169f6a754f3e288768be93894bd5f7f62

SHA512
a4b294fa6e5ece0d3ed60c50d88d787c192c6ba07df222f50feb09d34450556840b4ff4e24a2dc52602029fed0e0e88143e84db474d995050e274af40527e192

Download Submit
C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\MSVCR100.dll
MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\ui\back.png
MD5
51c2e465dc63554abdec6c51251f2a19

SHA1
6bbad8c1944b6b6fce93815c77afdff339348134

SHA256
3094a0489848874c1837d01a812396106412bf10df767ec10492fcefd2cfbdaf

SHA512
021eefb5b6e0d94e79d3a1a61ccc06ad5cdae1ea0c8a3dde4648c1689da21b219af6d88b49a27c229c39b9313d11711beaefc1c74fb8852f4415ed5a72f59a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\ui\marsNormal.png
MD5
7e6e7a88863a4699af6d1097caa095fd

SHA1
4882fa9b508ae60a7d2e2cca75f4598ee924e337

SHA256
23f214bd8f814629e00944219034d4ebe7992783a31a0b56249bf24683c07bd4

SHA512
4dedc950dd24817d243fc184613f06fc5e87599856678d0ff6db6eb695965a7ae757095de746e68d4179104e277b0d930d38c583545ed4949485b442fd53df6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\ui\minimize.png
MD5
be10f697f00fdedaf18e169cd5faa69c

SHA1
bafc0fe42870389b8f0f0fedc40b3bc2a57a3c10

SHA256
eff575cb4a939ec65e61c48c3b443a159e8b2aea41655fbc740e01331e76a984

SHA512
a3271c8ce918f9958618655e31114a3eac0e7a31804ad8a83f0844f749007eb803f5bb3f720e91b651fda8c48c98788d43ad9384b52e6f616163bcc12c58964f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\ui\startapp.htm
MD5
0cc5f1ff762039e8cdc8cd5fa6045b56

SHA1
eba62136ef564d127e391758a471c574aa3cf204

SHA256
7bc650cc8111bfbbb291c368aa8518a0a960fc969bac1c42829c1708b43d98bf

SHA512
3e1ba2c7f15b58e6bca6920d12b30aae6c36dea312a155e7719e9bb83992fa91765bd66f2083d20149fc71b21b77dbf342829d8109498c9233b5e2305e18b929

Download Submit
C:\Users\Admin\AppData\Local\Temp\BluelinkrRemote\ui\titlebar.png
MD5
6661a793bda035249ca04bbfdc27dd86

SHA1
172144308e0cdf37c8068c1cc61d671a2d1d1edf

SHA256
35cefd888cb072d0c473f611d05bc6bc7c30f59ecdc298a1f8a4d279d450147d

SHA512
be4eab1cf556544500c6d2e12ef99d22e88084f0cfc34cbd1a428bc4811d2613a045e35c847d854bca4d16d890ac3119eea00b47dc71ae750b2c1419cda1264f

Download Submit
\Users\Admin\AppData\Local\Temp\BluelinkrRemote\Bluelinkrapp.exe
MD5
018a7fdc34335d8c259ed07888422904

SHA1
65c9093ed720ffcad50c7730f645609300711bed

SHA256
a44e598d82e98adbfb953924652198248f41b8c297f64c0014382b053dcbfbb6

SHA512
b399f20171c35db9b6cb2132dfda843ab7a8afb49fd5f9139db72d2b167c2c658610d26a77fe9cc00381b9e52db4bb6a6dd6651d83da70ce4bee8beadf4f2a7a

Download Submit
\Users\Admin\AppData\Local\Temp\BluelinkrRemote\Bluelinkrapp.exe
MD5
018a7fdc34335d8c259ed07888422904

SHA1
65c9093ed720ffcad50c7730f645609300711bed

SHA256
a44e598d82e98adbfb953924652198248f41b8c297f64c0014382b053dcbfbb6

SHA512
b399f20171c35db9b6cb2132dfda843ab7a8afb49fd5f9139db72d2b167c2c658610d26a77fe9cc00381b9e52db4bb6a6dd6651d83da70ce4bee8beadf4f2a7a

Download Submit
\Users\Admin\AppData\Local\Temp\BluelinkrRemote\Bluelinkrapp.exe
MD5
018a7fdc34335d8c259ed07888422904

SHA1
65c9093ed720ffcad50c7730f645609300711bed

SHA256
a44e598d82e98adbfb953924652198248f41b8c297f64c0014382b053dcbfbb6

SHA512
b399f20171c35db9b6cb2132dfda843ab7a8afb49fd5f9139db72d2b167c2c658610d26a77fe9cc00381b9e52db4bb6a6dd6651d83da70ce4bee8beadf4f2a7a

Download Submit
\Users\Admin\AppData\Local\Temp\BluelinkrRemote\htmlayout.dll
MD5
7222f8144a764f45b21fbc89e007c4c9

SHA1
0d77d686698d24a13b9678cb61a4af42ea5917d0

SHA256
c3460cb07883a9593c6aa889242bfff169f6a754f3e288768be93894bd5f7f62

SHA512
a4b294fa6e5ece0d3ed60c50d88d787c192c6ba07df222f50feb09d34450556840b4ff4e24a2dc52602029fed0e0e88143e84db474d995050e274af40527e192

Download Submit
\Users\Admin\AppData\Local\Temp\BluelinkrRemote\msvcr100.dll
MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
memory/940-60-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/1924-64-0x0000000000000000-mapping.dmp

Download