Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
- submitted: 09/01/2023, 16:52
Behavioral task: behavioral1
- Sample: Bltools/Activator.exe
- Resource: win10v2004-20220812-en
- 4 signatures
- 30 seconds
General
- Target: Bltools/Bltools 1.8.exe
- Size: 154.4MB
- MD5: c314b432022e5946c3a6cdd0b3bf9067
- SHA1: 25fc93a9773e93fb0b9788bf9c60f80223d090ee
- SHA256: c29418b980e1d065a8691fd1af768c7e4e0d59e51a0ca7812cb79ab18f5e97d0
- SHA512: c7ba7444bc2c36589fb9b075f74f7ba0421c0eff59731ab036751dd4b607aa562033319daf8dc8c380ea196efad6144fe01b9952165e8a8997b60f895232cd86
- SSDEEP: 49152:UR9z9GFry1d43+i3aA12NzFOLP0Iibkak5EbvhtGH5RDHp01:g9Gidw12Ne5EfGZRD
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeIncreaseQuotaPrivilege      4372  wmic.exe
  Token: SeSecurityPrivilege           4372  wmic.exe
  Token: SeTakeOwnershipPrivilege      4372  wmic.exe
  Token: SeLoadDriverPrivilege         4372  wmic.exe
  Token: SeSystemProfilePrivilege      4372  wmic.exe
  Token: SeSystemtimePrivilege         4372  wmic.exe
  Token: SeProfSingleProcessPrivilege  4372  wmic.exe
  Token: SeIncBasePriorityPrivilege    4372  wmic.exe
  Token: SeCreatePagefilePrivilege     4372  wmic.exe
  Token: SeBackupPrivilege             4372  wmic.exe
  Token: SeRestorePrivilege            4372  wmic.exe
  Token: SeShutdownPrivilege           4372  wmic.exe
  Token: SeDebugPrivilege              4372  wmic.exe
  Token: SeSystemEnvironmentPrivilege  4372  wmic.exe
  Token: SeRemoteShutdownPrivilege     4372  wmic.exe
  Token: SeUndockPrivilege             4372  wmic.exe
  Token: SeManageVolumePrivilege       4372  wmic.exe
  Token: 33                            4372  wmic.exe
  Token: 34                            4372  wmic.exe
  Token: 35                            4372  wmic.exe
  Token: 36                            4372  wmic.exe
  Token: SeIncreaseQuotaPrivilege      4372  wmic.exe
  Token: SeSecurityPrivilege           4372  wmic.exe
  Token: SeTakeOwnershipPrivilege      4372  wmic.exe
  Token: SeLoadDriverPrivilege         4372  wmic.exe
  Token: SeSystemProfilePrivilege      4372  wmic.exe
  Token: SeSystemtimePrivilege         4372  wmic.exe
  Token: SeProfSingleProcessPrivilege  4372  wmic.exe
  Token: SeIncBasePriorityPrivilege    4372  wmic.exe
  Token: SeCreatePagefilePrivilege     4372  wmic.exe
  Token: SeBackupPrivilege             4372  wmic.exe
  Token: SeRestorePrivilege            4372  wmic.exe
  Token: SeShutdownPrivilege           4372  wmic.exe
  Token: SeDebugPrivilege              4372  wmic.exe
  Token: SeSystemEnvironmentPrivilege  4372  wmic.exe
  Token: SeRemoteShutdownPrivilege     4372  wmic.exe
  Token: SeUndockPrivilege             4372  wmic.exe
  Token: SeManageVolumePrivilege       4372  wmic.exe
  Token: 33                            4372  wmic.exe
  Token: 34                            4372  wmic.exe
  Token: 35                            4372  wmic.exe
  Token: 36                            4372  wmic.exe
  Token: SeIncreaseQuotaPrivilege      3096  WMIC.exe
  Token: SeSecurityPrivilege           3096  WMIC.exe
  Token: SeTakeOwnershipPrivilege      3096  WMIC.exe
  Token: SeLoadDriverPrivilege         3096  WMIC.exe
  Token: SeSystemProfilePrivilege      3096  WMIC.exe
  Token: SeSystemtimePrivilege         3096  WMIC.exe
  Token: SeProfSingleProcessPrivilege  3096  WMIC.exe
  Token: SeIncBasePriorityPrivilege    3096  WMIC.exe
  Token: SeCreatePagefilePrivilege     3096  WMIC.exe
  Token: SeBackupPrivilege             3096  WMIC.exe
  Token: SeRestorePrivilege            3096  WMIC.exe
  Token: SeShutdownPrivilege           3096  WMIC.exe
  Token: SeDebugPrivilege              3096  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  3096  WMIC.exe
  Token: SeRemoteShutdownPrivilege     3096  WMIC.exe
  Token: SeUndockPrivilege             3096  WMIC.exe
  Token: SeManageVolumePrivilege       3096  WMIC.exe
  Token: 33                            3096  WMIC.exe
  Token: 34                            3096  WMIC.exe
  Token: 35                            3096  WMIC.exe
  Token: 36                            3096  WMIC.exe
  Token: SeIncreaseQuotaPrivilege      3096  WMIC.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   Process          procid_target
  PID 4536 wrote to memory of 4372   4536  Bltools 1.8.exe  83
  PID 4536 wrote to memory of 4372   4536  Bltools 1.8.exe  83
  PID 4536 wrote to memory of 4784   4536  Bltools 1.8.exe  85
  PID 4536 wrote to memory of 4784   4536  Bltools 1.8.exe  85
  PID 4784 wrote to memory of 3096   4784  cmd.exe          87
  PID 4784 wrote to memory of 3096   4784  cmd.exe          87
  PID 4536 wrote to memory of 60     4536  Bltools 1.8.exe  89
  PID 4536 wrote to memory of 60     4536  Bltools 1.8.exe  89
  PID 60 wrote to memory of 2836     60    cmd.exe          91
  PID 60 wrote to memory of 2836     60    cmd.exe          91
Processes
- C:\Users\Admin\AppData\Local\Temp\Bltools\Bltools 1.8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bltools\Bltools 1.8.exe"
  PID: 4536
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic os get Caption
    PID: 4372
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic path win32_VideoController get name"
    PID: 4784
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name
      PID: 3096
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "wmic cpu get name"
    PID: 60
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic cpu get name
      PID: 2836