Resubmissions
20-02-2023 15:51 230220-tavqrsbe76 10
Analysis
- max time kernel: 45s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 20-02-2023 15:51
Static task: static1
Behavioral task: behavioral1
- Sample: BlitzedGrabber.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: BlitzedGrabber.exe
- Resource: win10v2004-20220812-en
General
- Target: BlitzedGrabber.exe
- Size: 2.3MB
- MD5: e26786b1e73c9012aa5a395f5b539157
- SHA1: 6e1ebc73f642c21068f790b8574cced1f51becde
- SHA256: b789d984abae7c36f9b71ae421e8c05602728d7a0ec0b3742632eb819fb661f8
- SHA512: 3e01078509597336b655adbf1428a4c90d7db8eff5e89c7de2a670995ea738550f4571ad9ff72edcd7c0fb08db77dce322ce02292269858119cf97f30f660d99
- SSDEEP: 24576:UoFnrj/BLDrrP9rkccneVkGpEwDN9fQbnOwqi0oTl7Q0aRtsDsfHQ+EgZC/IioEt:UoF/BNrJAGaWrNbJMlk0aAWHzLZCq96
Malware Config
Extracted
- Family: njrat
- Version: v4.0
- MyBot
- C2: winter-rd.at.ply.gg:26394
- Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes: paylod.exe, BlitzedGrabber.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (paylod.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (BlitzedGrabber.exe)
- Executes dropped EXE (3 IoCs)
  Processes: paylod.exe, CustomEXE.exe, BlitzedGrabber.exe
  PID 1496 paylod.exe
  PID 752 CustomEXE.exe
  PID 1900 BlitzedGrabber.exe
- Loads dropped DLL (6 IoCs)
  Processes: BlitzedGrabber.exe, CustomEXE.exe, paylod.exe
  PID 1536 BlitzedGrabber.exe (3 IoCs)
  PID 752 CustomEXE.exe (1 IoC)
  PID 1496 paylod.exe (2 IoCs)
- Obfuscated with Agile.Net obfuscator (1 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource: behavioral1/memory/752-69-0x0000000004F60000-0x0000000005152000-memory.dmp, yara_rule: agile_net
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes: paylod.exe, BlitzedGrabber.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\BlitzedGrabber.exe" (paylod.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (BlitzedGrabber.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (BlitzedGrabber.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (BlitzedGrabber.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (BlitzedGrabber.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: BlitzedGrabber.exe
  Token: SeDebugPrivilege, PID 1900 BlitzedGrabber.exe
  Token: 33, PID 1900 BlitzedGrabber.exe
  Token: SeIncBasePriorityPrivilege, PID 1900 BlitzedGrabber.exe
  Token: 33, PID 1900 BlitzedGrabber.exe
  Token: SeIncBasePriorityPrivilege, PID 1900 BlitzedGrabber.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: CustomEXE.exe
  PID 752 CustomEXE.exe (2 IoCs)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: BlitzedGrabber.exe, paylod.exe, BlitzedGrabber.exe, cmd.exe
  PID 1536 BlitzedGrabber.exe wrote to memory of PID 1496 paylod.exe (4 IoCs)
  PID 1536 BlitzedGrabber.exe wrote to memory of PID 752 CustomEXE.exe (4 IoCs)
  PID 1496 paylod.exe wrote to memory of PID 1900 BlitzedGrabber.exe (4 IoCs)
  PID 1496 paylod.exe wrote to memory of PID 1616 attrib.exe (4 IoCs)
  PID 1900 BlitzedGrabber.exe wrote to memory of PID 1180 netsh.exe (4 IoCs)
  PID 1900 BlitzedGrabber.exe wrote to memory of PID 1120 cmd.exe (4 IoCs)
  PID 1120 cmd.exe wrote to memory of PID 588 PING.EXE (4 IoCs)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\BlitzedGrabber.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabber.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\paylod.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe
      Command line: "C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe"
        - Modifies Windows Firewall
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe"
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\PING.EXE
          Command line: ping 0 -n 2
          - Runs ping.exe
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe"
      - Views/modifies file attributes
  - [2] C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\CustomEXE.exe
  Filesize: 1.6MB
  MD5: 228a69dc15032fd0fb7100ff8561185e
  SHA1: f8dbc89fed8078da7f306cb78b92ce04a0bdeb00
  SHA256: 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
  SHA512: 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1
- C:\Users\Admin\AppData\Local\Temp\paylod.exe
  Filesize: 26KB
  MD5: 087825a9bbd97611aea7189792428793
  SHA1: 0e8a47b7de1c4767359ed493862477355e3a41b0
  SHA256: 0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61
  SHA512: 0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f
- C:\Users\Admin\AppData\Roaming\BlitzedGrabber.exe
  Filesize: 26KB
  MD5: 087825a9bbd97611aea7189792428793
  SHA1: 0e8a47b7de1c4767359ed493862477355e3a41b0
  SHA256: 0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61
  SHA512: 0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
  Filesize: 1KB
  MD5: c6e2ca12703923f0cb5c5715396f7818
  SHA1: 12fc03a3eb443498be241782dfd378fbb954aac2
  SHA256: bee59644277e439d3d83baf400873eae6f29e06a5643b8f3b50618ae7b8c5f17
  SHA512: 11de53c3fbfb54c4af3e92a5b5b679930fb148e502fa1aebccfce25c9a47c2015cce274fbaa214b6e694195265326079cbb87a22a3e5dbbe19ca68c24036eaaf
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
  Filesize: 1018B
  MD5: 93cb514e5aee4c07439ca292550ecc2a
  SHA1: eb97821bfc02e4d6124034d9f16f748c806c9c14
  SHA256: ca3cd374a4c636a9050735de89c11f6eeeb10c0c5a676c22795789281967f667
  SHA512: d8bfe7f321f9a62449d161848f493611fe08fc84e27260e4eb4ed14a15dca9ad7aff5be26222973eec9573ab1359306890daa146725e935d7c2d40599cd2d963
- \Users\Admin\AppData\Local\Temp\CustomEXE.exe
  Filesize: 1.6MB
  MD5: 228a69dc15032fd0fb7100ff8561185e
  SHA1: f8dbc89fed8078da7f306cb78b92ce04a0bdeb00
  SHA256: 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
  SHA512: 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1
- \Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
  Filesize: 136KB
  MD5: 9af5eb006bb0bab7f226272d82c896c7
  SHA1: c2a5bb42a5f08f4dc821be374b700652262308f0
  SHA256: 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
  SHA512: 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a
- \Users\Admin\AppData\Local\Temp\paylod.exe
  Filesize: 26KB
  MD5: 087825a9bbd97611aea7189792428793
  SHA1: 0e8a47b7de1c4767359ed493862477355e3a41b0
  SHA256: 0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61
  SHA512: 0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f
- \Users\Admin\AppData\Roaming\BlitzedGrabber.exe
  Filesize: 26KB
  MD5: 087825a9bbd97611aea7189792428793
  SHA1: 0e8a47b7de1c4767359ed493862477355e3a41b0
  SHA256: 0cb0d61f335b32fd1b76d55a329b10b61824549b797833e9a32e4a48209b7a61
  SHA512: 0e24b126b1ce17ddbd29e7ce1d673377cff1dd777bd1134669bf659830be29eb2c5ffc971b277182ffca80512a9aa5b9dbff3c7ed78f007cdb206ed142de349f
- memory/588-87-0x0000000000000000-mapping.dmp
- memory/752-61-0x0000000000000000-mapping.dmp
- memory/752-84-0x0000000072740000-0x0000000072777000-memory.dmp (Filesize: 220KB)
- memory/752-73-0x00000000049C7000-0x00000000049D8000-memory.dmp (Filesize: 68KB)
- memory/752-71-0x0000000075390000-0x0000000075410000-memory.dmp (Filesize: 512KB)
- memory/752-69-0x0000000004F60000-0x0000000005152000-memory.dmp (Filesize: 1.9MB)
- memory/752-66-0x0000000000B20000-0x0000000000CCC000-memory.dmp (Filesize: 1.7MB)
- memory/752-72-0x0000000072740000-0x0000000072777000-memory.dmp (Filesize: 220KB)
- memory/1120-86-0x0000000000000000-mapping.dmp
- memory/1180-85-0x0000000000000000-mapping.dmp
- memory/1496-64-0x0000000000E20000-0x0000000000E2C000-memory.dmp (Filesize: 48KB)
- memory/1496-57-0x0000000000000000-mapping.dmp
- memory/1536-65-0x0000000074C10000-0x00000000751BB000-memory.dmp (Filesize: 5.7MB)
- memory/1536-54-0x0000000076581000-0x0000000076583000-memory.dmp (Filesize: 8KB)
- memory/1616-81-0x0000000000000000-mapping.dmp
- memory/1900-79-0x0000000000C00000-0x0000000000C0C000-memory.dmp (Filesize: 48KB)
- memory/1900-76-0x0000000000000000-mapping.dmp