5e5c17140ce8829ed152d6fce28064e9f5693d789d9ffd2e6b45e330cf5f2207

General

Target

BLTools 1.9 [CRACKED BY INJUAN]/BLTools-v1.9.exe
Size

9.3MB
MD5

5b8fee9267593396b57d345a9afc7ddb
SHA1

264968d1bf7c1f6ad0ca4cbdeb89762ddd294948
SHA256

90dc5d6d2a6b8b4dc6b5f95c44d24b1b6e1916911b1b7a51dd97ed055156fddd
SHA512

69f9254f78f6ba09d456321cdc74dd74115debc5b91d4abf00cbf665d91ace2d1f4289ee0be9aa32a437b3d14d420b149e778a244c1478df59f3bc9a9571f085

Score

10^/10

evasion themida trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

BLTools-v1.9.exe

description pid process target process

PID 1896 created 1188 1896 BLTools-v1.9.exe Explorer.EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

BLTools-v1.9.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BLTools-v1.9.exe
Executes dropped EXE 1 IoCs

Processes:

BLTools v1.9.exe

pid process

2036 BLTools v1.9.exe

description	pid	process	target process
PID 1896 created 1188	1896	BLTools-v1.9.exe	Explorer.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BLTools-v1.9.exe

pid	process
2036	BLTools v1.9.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BLTools-v1.9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BLTools-v1.9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BLTools-v1.9.exe

Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

1372 WerFault.exe
1372 WerFault.exe
1372 WerFault.exe
1372 WerFault.exe
1372 WerFault.exe

pid	process
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe
1372	WerFault.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral3/memory/1896-56-0x000000013F5A0000-0x0000000140342000-memory.dmp	themida
behavioral3/memory/1896-57-0x000000013F5A0000-0x0000000140342000-memory.dmp	themida
behavioral3/memory/1896-73-0x000000013F5A0000-0x0000000140342000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

BLTools-v1.9.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BLTools-v1.9.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

BLTools-v1.9.exe

pid process

2044 BLTools-v1.9.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

BLTools-v1.9.exe

description pid process target process

PID 1896 set thread context of 2044 1896 BLTools-v1.9.exe BLTools-v1.9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1372 2036 WerFault.exe BLTools v1.9.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

BLTools-v1.9.exeBLTools v1.9.exe

pid process

2044 BLTools-v1.9.exe
2036 BLTools v1.9.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BLTools v1.9.exe

description pid process

Token: SeDebugPrivilege 2036 BLTools v1.9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BLTools-v1.9.exe

pid	process
2044	BLTools-v1.9.exe

description	pid	process	target process
PID 1896 set thread context of 2044	1896	BLTools-v1.9.exe	BLTools-v1.9.exe

pid	pid_target	process	target process
1372	2036	WerFault.exe	BLTools v1.9.exe

pid	process
2044	BLTools-v1.9.exe
2036	BLTools v1.9.exe

description	pid	process
Token: SeDebugPrivilege	2036	BLTools v1.9.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

BLTools-v1.9.exeBLTools v1.9.exe

description	pid	process	target process
PID 1896 wrote to memory of 2044	1896	BLTools-v1.9.exe	BLTools-v1.9.exe
PID 1896 wrote to memory of 2044	1896	BLTools-v1.9.exe	BLTools-v1.9.exe
PID 1896 wrote to memory of 2044	1896	BLTools-v1.9.exe	BLTools-v1.9.exe
PID 1896 wrote to memory of 2044	1896	BLTools-v1.9.exe	BLTools-v1.9.exe
PID 1896 wrote to memory of 2044	1896	BLTools-v1.9.exe	BLTools-v1.9.exe
PID 1896 wrote to memory of 2044	1896	BLTools-v1.9.exe	BLTools-v1.9.exe
PID 1896 wrote to memory of 2044	1896	BLTools-v1.9.exe	BLTools-v1.9.exe
PID 1896 wrote to memory of 2044	1896	BLTools-v1.9.exe	BLTools-v1.9.exe
PID 1896 wrote to memory of 2044	1896	BLTools-v1.9.exe	BLTools-v1.9.exe
PID 1896 wrote to memory of 2044	1896	BLTools-v1.9.exe	BLTools-v1.9.exe
PID 1896 wrote to memory of 2036	1896	BLTools-v1.9.exe	BLTools v1.9.exe
PID 1896 wrote to memory of 2036	1896	BLTools-v1.9.exe	BLTools v1.9.exe
PID 1896 wrote to memory of 2036	1896	BLTools-v1.9.exe	BLTools v1.9.exe
PID 1896 wrote to memory of 2036	1896	BLTools-v1.9.exe	BLTools v1.9.exe
PID 2036 wrote to memory of 1372	2036	BLTools v1.9.exe	WerFault.exe
PID 2036 wrote to memory of 1372	2036	BLTools v1.9.exe	WerFault.exe
PID 2036 wrote to memory of 1372	2036	BLTools v1.9.exe	WerFault.exe
PID 2036 wrote to memory of 1372	2036	BLTools v1.9.exe	WerFault.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools-v1.9.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools-v1.9.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools v1.9.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools v1.9.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1716
4⤵
- Loads dropped DLL
- Program crash
PID:1372

C:\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools-v1.9.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools-v1.9.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools v1.9.exe
Filesize
5.1MB

MD5
f36d71183fe68a91e94b2f6608700007

SHA1
e0c9afb2309e1d00dbb292a61c95feabee0ca1e5

SHA256
539301d8f1e30accc6f993a8c9bf3dc79196f864ef4455e07de6cdd46a17c305

SHA512
6a25d645f9247e5eea60de4a7e07b661d018cdb1eb2b7f92800124f4362351cc6dd9400fad596bcbcdfba9273037ba9c62fb61a4dfaafb50155b081b98dc84bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools v1.9.exe
Filesize
5.1MB

MD5
f36d71183fe68a91e94b2f6608700007

SHA1
e0c9afb2309e1d00dbb292a61c95feabee0ca1e5

SHA256
539301d8f1e30accc6f993a8c9bf3dc79196f864ef4455e07de6cdd46a17c305

SHA512
6a25d645f9247e5eea60de4a7e07b661d018cdb1eb2b7f92800124f4362351cc6dd9400fad596bcbcdfba9273037ba9c62fb61a4dfaafb50155b081b98dc84bd

Download Submit
\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools v1.9.exe
Filesize
5.1MB

MD5
f36d71183fe68a91e94b2f6608700007

SHA1
e0c9afb2309e1d00dbb292a61c95feabee0ca1e5

SHA256
539301d8f1e30accc6f993a8c9bf3dc79196f864ef4455e07de6cdd46a17c305

SHA512
6a25d645f9247e5eea60de4a7e07b661d018cdb1eb2b7f92800124f4362351cc6dd9400fad596bcbcdfba9273037ba9c62fb61a4dfaafb50155b081b98dc84bd

Download Submit
\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools v1.9.exe
Filesize
5.1MB

MD5
f36d71183fe68a91e94b2f6608700007

SHA1
e0c9afb2309e1d00dbb292a61c95feabee0ca1e5

SHA256
539301d8f1e30accc6f993a8c9bf3dc79196f864ef4455e07de6cdd46a17c305

SHA512
6a25d645f9247e5eea60de4a7e07b661d018cdb1eb2b7f92800124f4362351cc6dd9400fad596bcbcdfba9273037ba9c62fb61a4dfaafb50155b081b98dc84bd

Download Submit
\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools v1.9.exe
Filesize
5.1MB

MD5
f36d71183fe68a91e94b2f6608700007

SHA1
e0c9afb2309e1d00dbb292a61c95feabee0ca1e5

SHA256
539301d8f1e30accc6f993a8c9bf3dc79196f864ef4455e07de6cdd46a17c305

SHA512
6a25d645f9247e5eea60de4a7e07b661d018cdb1eb2b7f92800124f4362351cc6dd9400fad596bcbcdfba9273037ba9c62fb61a4dfaafb50155b081b98dc84bd

Download Submit
\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools v1.9.exe
Filesize
5.1MB

MD5
f36d71183fe68a91e94b2f6608700007

SHA1
e0c9afb2309e1d00dbb292a61c95feabee0ca1e5

SHA256
539301d8f1e30accc6f993a8c9bf3dc79196f864ef4455e07de6cdd46a17c305

SHA512
6a25d645f9247e5eea60de4a7e07b661d018cdb1eb2b7f92800124f4362351cc6dd9400fad596bcbcdfba9273037ba9c62fb61a4dfaafb50155b081b98dc84bd

Download Submit
\Users\Admin\AppData\Local\Temp\BLTools 1.9 [CRACKED BY INJUAN]\BLTools v1.9.exe
Filesize
5.1MB

MD5
f36d71183fe68a91e94b2f6608700007

SHA1
e0c9afb2309e1d00dbb292a61c95feabee0ca1e5

SHA256
539301d8f1e30accc6f993a8c9bf3dc79196f864ef4455e07de6cdd46a17c305

SHA512
6a25d645f9247e5eea60de4a7e07b661d018cdb1eb2b7f92800124f4362351cc6dd9400fad596bcbcdfba9273037ba9c62fb61a4dfaafb50155b081b98dc84bd

Download Submit
memory/1372-81-0x0000000000000000-mapping.dmp

Download
memory/1896-60-0x000000001D2B0000-0x000000001D79C000-memory.dmp

Filesize
4.9MB

Download
memory/1896-67-0x0000000025EA0000-0x0000000026C42000-memory.dmp

Filesize
13.6MB

Download
memory/1896-65-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/1896-56-0x000000013F5A0000-0x0000000140342000-memory.dmp

Filesize
13.6MB

Download
memory/1896-59-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/1896-58-0x000000001C1F0000-0x000000001C970000-memory.dmp

Filesize
7.5MB

Download
memory/1896-57-0x000000013F5A0000-0x0000000140342000-memory.dmp

Filesize
13.6MB

Download
memory/1896-73-0x000000013F5A0000-0x0000000140342000-memory.dmp

Filesize
13.6MB

Download
memory/2036-79-0x0000000005075000-0x0000000005086000-memory.dmp

Filesize
68KB

Download
memory/2036-75-0x0000000076081000-0x0000000076083000-memory.dmp

Filesize
8KB

Download
memory/2036-76-0x00000000026A0000-0x0000000002700000-memory.dmp

Filesize
384KB

Download
memory/2036-77-0x0000000000900000-0x0000000000924000-memory.dmp

Filesize
144KB

Download
memory/2036-74-0x0000000000A10000-0x0000000000F32000-memory.dmp

Filesize
5.1MB

Download
memory/2036-80-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/2036-69-0x0000000000000000-mapping.dmp

Download
memory/2044-78-0x0000000140000000-0x0000000140CC6000-memory.dmp

Filesize
12.8MB

Download
memory/2044-70-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2044-68-0x0000000140000000-0x0000000140CC6000-memory.dmp

Filesize
12.8MB

Download
memory/2044-64-0x0000000140000000-0x0000000140CC6000-memory.dmp

Filesize
12.8MB

Download
memory/2044-61-0x0000000140000000-0x0000000140CC6000-memory.dmp

Filesize
12.8MB

Download
memory/2044-62-0x0000000140CC1968-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads