Analysis
- max time kernel: 159s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 23-02-2022 00:19
Behavioral task: behavioral1
- Sample: 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe
- Resource: win7-en-20211208
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe
- Size: 59KB
- MD5: ef3d2ab168550010abb419edb9d1ab93
- SHA1: c552e7c0fd01dde456d5bc8c9d5c233af5793ba9
- SHA256: 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741
- SHA512: 804d92f499f56b298b918b973e2c42d859b7e5db7b35b9a5e7fd63595eed3e254cd3a1748a11844b227aa9393b6d61a1ccd8a98d14056a03a79d3419f587da4d
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes: blbdlls.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | blbdlls.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | blbdlls.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | blbdlls.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | blbdlls.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: blbdlls.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | blbdlls.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | blbdlls.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | blbdlls.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: blbdlls.exe
  pid | process
  3788 | blbdlls.exe
  3788 | blbdlls.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe
  pid | process
  3900 | 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe, blbdlls.exe
  description | pid | process | target process
  PID 804 wrote to memory of 3900 | 804 | 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe | 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe
  PID 804 wrote to memory of 3900 | 804 | 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe | 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe
  PID 804 wrote to memory of 3900 | 804 | 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe | 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe
  PID 2516 wrote to memory of 3788 | 2516 | blbdlls.exe | blbdlls.exe
  PID 2516 wrote to memory of 3788 | 2516 | blbdlls.exe | blbdlls.exe
  PID 2516 wrote to memory of 3788 | 2516 | blbdlls.exe | blbdlls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe (depth 2)
    Command line: --59305214
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\blbdlls.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\blbdlls.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\blbdlls.exe (depth 2)
    Command line: --ed9fea1d
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses