ea1657170eb703e4774f850eb1d023a91a1f7c74d684a49b3aed6cb4236402a7

Resubmissions

12/03/2023, 08:25

230312-kbg2mafc9y 8

12/03/2023, 08:22

230312-j9kpqsdc78 7

Analysis

max time kernel
33s
max time network
40s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/03/2023, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BloxflipPredictorV6.exe
Size

20.6MB
MD5

5943536dfbc8db20a31b7c9c4f716ab9
SHA1

51377223adfc90017861c9d1f86c871a231ce18a
SHA256

c33ee64970501d06e38997852f64e877bb533181db4281da1c6ce31902096d95
SHA512

21145dea49d282b92ee384076dc9a71dc300ab3fd1e17672cd1fed884df292d8e8686f06018f7919e6f16bdbe0725fa89dd36ecfb120ddeec271ec06f6cca1f0
SSDEEP

393216:AZAlRYXpp0kBCFc/m3p1ROKWD2NJ/2dOE:AWlRYXpux2Ks2Dv

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1776	BloxflipPredictorV6.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019311-161.dat	upx
behavioral1/files/0x0005000000019311-162.dat	upx

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1628	chrome.exe
1628	chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1776	1696	BloxflipPredictorV6.exe	26
PID 1696 wrote to memory of 1776	1696	BloxflipPredictorV6.exe	26
PID 1696 wrote to memory of 1776	1696	BloxflipPredictorV6.exe	26
PID 1628 wrote to memory of 1980	1628	chrome.exe	28
PID 1628 wrote to memory of 1980	1628	chrome.exe	28
PID 1628 wrote to memory of 1980	1628	chrome.exe	28
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 1424	1628	chrome.exe	30
PID 1628 wrote to memory of 588	1628	chrome.exe	31
PID 1628 wrote to memory of 588	1628	chrome.exe	31
PID 1628 wrote to memory of 588	1628	chrome.exe	31
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32
PID 1628 wrote to memory of 1532	1628	chrome.exe	32

C:\Users\Admin\AppData\Local\Temp\BloxflipPredictorV6.exe
"C:\Users\Admin\AppData\Local\Temp\BloxflipPredictorV6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\BloxflipPredictorV6.exe
  "C:\Users\Admin\AppData\Local\Temp\BloxflipPredictorV6.exe"
  2⤵
  - Loads dropped DLL
  PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb969758,0x7fefb969768,0x7fefb969778
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1220,i,3777684315566131016,14106982439807334527,131072 /prefetch:2
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1220,i,3777684315566131016,14106982439807334527,131072 /prefetch:8
  2⤵
  PID:588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1220,i,3777684315566131016,14106982439807334527,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1220,i,3777684315566131016,14106982439807334527,131072 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2244 --field-trial-handle=1220,i,3777684315566131016,14106982439807334527,131072 /prefetch:1
  2⤵
  PID:1736

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16962\python311.dll

Filesize
1.6MB

MD5
5ef44effa518fc9b3acda79684381d75

SHA1
df6d1a46e691dce3373800b188137eed4ce97dfc

SHA256
90fe310cce48c73f05b7e678a36f2d6bb8870c316b9f12495255b60ad7787777

SHA512
ca52ccd9dedfb03d38544cb2f5a248d52873f7ef143ee3693d2fe11e941e81c5a48da277dbe0cdcf5b01701778ba083d0355fdfef0c13faa59411e7e12e5928c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16962\python311.dll

Filesize
1.6MB

MD5
5ef44effa518fc9b3acda79684381d75

SHA1
df6d1a46e691dce3373800b188137eed4ce97dfc

SHA256
90fe310cce48c73f05b7e678a36f2d6bb8870c316b9f12495255b60ad7787777

SHA512
ca52ccd9dedfb03d38544cb2f5a248d52873f7ef143ee3693d2fe11e941e81c5a48da277dbe0cdcf5b01701778ba083d0355fdfef0c13faa59411e7e12e5928c

Download Submit
memory/1776-163-0x000007FEF6870000-0x000007FEF6E59000-memory.dmp

Filesize
5.9MB

Download