Malware Analysis Report

2024-10-24 18:40

Sample ID: 211015-skexmabgfn
Target: BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
SHA256: 2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c
Tags: 28cc82fd466e0d0976a6359f264775a8 blackmatter ransomware suricata
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c

Threat Level: Known bad

The file BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c was found to be: Known bad.

Malicious Activity Summary

28cc82fd466e0d0976a6359f264775a8 blackmatter ransomware suricata

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

BlackMatter Ransomware

Blackmatter family

Modifies extensions of user files

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-10-15 15:10

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted: 2021-10-15 15:10
Reported: 2021-10-15 15:13
Platform: win7-en-20210920
Max time kernel: 147s
Max time network: 37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

suricata

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\StopMount.png => C:\Users\Admin\Pictures\StopMount.png.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\TestSkip.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UninstallBlock.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UnprotectSave.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\FormatPush.png => C:\Users\Admin\Pictures\FormatPush.png.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\FormatPush.png.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\UninstallBlock.tif => C:\Users\Admin\Pictures\UninstallBlock.tif.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\MountNew.tiff => C:\Users\Admin\Pictures\MountNew.tiff.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\TestSkip.raw => C:\Users\Admin\Pictures\TestSkip.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MountNew.tiff.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\StopMount.png.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnprotectSave.raw => C:\Users\Admin\Pictures\UnprotectSave.raw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompleteCompress.crw => C:\Users\Admin\Pictures\CompleteCompress.crw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CompleteCompress.crw.chkvc3MvG | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MountNew.tiff | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\chkvc3MvG.bmp" | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\chkvc3MvG.bmp" | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\splwow64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Windows\splwow64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\splwow64.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\splwow64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\splwow64.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\splwow64.exe | N/A

Opens file in notepad (likely ransom note)

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\splwow64.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\splwow64.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe
  "C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe"

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" /p C:\chkvc3MvG.README.txt

C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | mojobiden.com | udp

Files

memory/1268-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

memory/1268-56-0x0000000000A20000-0x0000000000A21000-memory.dmp

memory/1268-55-0x0000000000A25000-0x0000000000A36000-memory.dmp

memory/1268-57-0x0000000000A36000-0x0000000000A37000-memory.dmp

memory/2028-58-0x0000000000000000-mapping.dmp

C:\chkvc3MvG.README.txt

MD5 b920836834910a56ea82efc009b2d4ce
SHA1 a5d1b656b5ab0ab51357afe4c68619f706a9a7c2
SHA256 d6af899e20548251735c7a379d4d6067b16c4d8b42d8c5c2960576d1890058cc
SHA512 e914574fe9d28e0e90eb9ba49f085c39f8c65a458778251845ccd5b5a6a1e30d35b181a6e70c8844de0552a9e010a6b43c3f7b0472eb8e6db1a2507fc8cd01e7

memory/1480-61-0x0000000000000000-mapping.dmp

memory/1480-62-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

memory/1480-63-0x0000000004140000-0x0000000004141000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2021-10-15 15:10
Reported: 2021-10-15 15:13
Platform: win10-en-20211014
Max time kernel: 122s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)

suricata

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\BlockConvert.raw => C:\Users\Admin\Pictures\BlockConvert.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\BlockConvert.raw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UndoRemove.tiff | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\UndoRemove.tiff => C:\Users\Admin\Pictures\UndoRemove.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UnpublishInstall.tiff | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnpublishInstall.tiff => C:\Users\Admin\Pictures\UnpublishInstall.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UnpublishInstall.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\FormatHide.crw => C:\Users\Admin\Pictures\FormatHide.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\FormatHide.crw.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File renamed | C:\Users\Admin\Pictures\RestorePush.png => C:\Users\Admin\Pictures\RestorePush.png.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RestorePush.png.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UndoRemove.tiff.WRLMMTHME | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\WRLMMTHME.bmp" | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WRLMMTHME.bmp" | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Modifies Control Panel

evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe
  "C:\Users\Admin\AppData\Local\Temp\BluStealer_2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c.exe"

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe

Network

Country | Destination | Domain | Proto
US | 52.109.12.19:443 | (none) | tcp
US | 8.8.8.8:53 | mojobiden.com | udp
US | 8.8.8.8:53 | mojobiden.com | udp
US | 8.8.8.8:53 | time.windows.com | udp
NL | 20.101.57.9:123 | time.windows.com | udp

Files

memory/1744-116-0x0000000002840000-0x0000000002841000-memory.dmp

memory/1744-115-0x0000000002843000-0x0000000002845000-memory.dmp