cc9f9b64c5c17302e16986bc36b84d62f460664bcc7c843e25e3f9cdeb7fb06b

Resubmissions

01/11/2022, 19:49

221101-yj68dafdej 1

01/11/2022, 19:47

221101-yhsctsfddk 8

Analysis

max time kernel
1619s
max time network
1590s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BloodHack.exe
Size

1.8MB
MD5

2370961b355c2c24ff7e6f2d850ab5e4
SHA1

626655e8c4f9314be8726a1bdc0b4e87e4f4e847
SHA256

9ca6536a01be198a9cad4d1df7c6d0e2c6b7d6f88ff8c8399534e93a6708565e
SHA512

adbe5ce312b3bd341fbf551310260869429c29dea819d427c1644b4532e7e5c48580bec3675b9107149548e312a734e543e603cb7e81cda1bb533a647328c974
SSDEEP

49152:/7n282hBSMnIQJwJ+YP/QAPYTysIWEOifkTOn:/7n2hCMI0wJAui

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3564	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4696	BloodHack.exe
4696	BloodHack.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 1620	4696	BloodHack.exe	82
PID 4696 wrote to memory of 1620	4696	BloodHack.exe	82
PID 1620 wrote to memory of 3564	1620	cmd.exe	83
PID 1620 wrote to memory of 3564	1620	cmd.exe	83
PID 4696 wrote to memory of 4948	4696	BloodHack.exe	84
PID 4696 wrote to memory of 4948	4696	BloodHack.exe	84

C:\Users\Admin\AppData\Local\Temp\BloodHack.exe
"C:\Users\Admin\AppData\Local\Temp\BloodHack.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mhyprot2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\sc.exe
    sc stop mhyprot2
    3⤵
    - Launches sc.exe
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLS
  2⤵
  PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Windows 7 deprecation

Loading Replay Monitor...