Analysis
max time kernel: 61s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/04/2023, 12:37
Static task: static1
Behavioral task: behavioral1 (sample BLTools-v2.2.exe, resource win7-20230220-en)
Behavioral task: behavioral2 (sample BLTools-v2.2.exe, resource win10v2004-20230220-en)
General
Target: BLTools-v2.2.exe
Size: 4.5MB
MD5: ef5ee302110f10993a991fd9a2350594
SHA1: a3f020240217e95c952a4f17cfe101193db1f478
SHA256: f368811f3bb071d6ee006731fe819a0b7d8cd7ed5fd8110aeb5cb0da22a3a3a7
SHA512: 5d5ade7075ba155046381bf1976de2e05bb355f897075930571f09c398ca9fbd28b499ce82cb13dd3139a9490c4f52237a4eba7e36b6b8fb536ce96af156fdc6
SSDEEP: 98304:W3AsFVBrtaVHd+A1NTzIHG/4EfZRo6gW0bW+egt8qXLbkse219FdVVN3kzes:1wG9+A1NTzOPKZRo6gWG9egCqXLbN5hO
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description              pid   Process           procid_target
PID 1928 created 3080    1928  BLTools-v2.2.exe  37
Downloads MZ/PE file
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check. The Geo\Nation value is a Windows GeoID (a decimal number, e.g. 244 for the United States), so a geofence built on it compares against GeoIDs rather than ISO country codes.
description        ioc                                                                                                     Process
Key value queried  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation  BLTools-v2.2.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation  BLTools-v2.2.exe
Executes dropped EXE (2 IoCs)
pid   Process
2808  BLTools v2.2.exe
4700  MaintenanceUI.exe

yara rule matches
resource                                                                       yara_rule
behavioral2/files/0x0009000000023141-236.dat                                   upx
behavioral2/files/0x0009000000023141-246.dat                                   upx
behavioral2/files/0x0009000000023141-247.dat                                   upx
behavioral2/memory/4700-248-0x0000000000E10000-0x0000000000FF6000-memory.dmp   upx
behavioral2/memory/4700-291-0x0000000000E10000-0x0000000000FF6000-memory.dmp   upx
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid   Process
3804  BLTools-v2.2.exe
3804  BLTools-v2.2.exe
3804  BLTools-v2.2.exe
Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process           procid_target
PID 1928 set thread context of 3804  1928  BLTools-v2.2.exe  84
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s); the sandbox tags this as likely ransomware behaviour. The report records no IoC rows for this signature, so treat it as a heuristic lead rather than evidence of encryption activity.
Program crash (1 IoC)
pid   pid_target  Process       procid_target
4356  2808        WerFault.exe  85
Modifies registry class (1 IoC)
description  ioc                                                                                         Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  BLTools-v2.2.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
3804  BLTools-v2.2.exe
3804  BLTools-v2.2.exe
3804  BLTools-v2.2.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 entries are pid 3804, BLTools-v2.2.exe. The sequence is one SeDebugPrivilege followed by the same run of 21 privileges repeated three times:
Token: SeDebugPrivilege
then, three times over:
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
The entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names. Enabling every privilege present in the token in one sweep, rather than a single targeted privilege, is the pattern of an enable-all-privileges loop.
Suspicious use of WriteProcessMemory (17 IoCs)
entries is the number of identical rows the report lists for that pair.
description                       pid   Process            procid_target  entries
PID 1928 wrote to memory of 3804  1928  BLTools-v2.2.exe   84             9
PID 1928 wrote to memory of 2808  1928  BLTools-v2.2.exe   85             3
PID 3804 wrote to memory of 4700  3804  BLTools-v2.2.exe   92             2
PID 4700 wrote to memory of 2272  4700  MaintenanceUI.exe  93             3
Processes
Indentation shows the parent/child nesting as the sandbox drew it; the signatures under each process are the ones it triggered.

C:\Windows\Explorer.EXE  PID:3080
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\BLTools-v2.2.exe  PID:1928
    command line: "C:\Users\Admin\AppData\Local\Temp\BLTools-v2.2.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\BLTools v2.2.exe  PID:2808
      command line: "C:\Users\Admin\AppData\Local\Temp\BLTools v2.2.exe"
      - Executes dropped EXE

      C:\Windows\SysWOW64\WerFault.exe  PID:4356
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1076
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\BLTools-v2.2.exe  PID:3804
    command line: "C:\Users\Admin\AppData\Local\Temp\BLTools-v2.2.exe"
    - Checks computer location settings
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\microsoft\MaintenanceUI.exe  PID:4700
      command line: "C:\ProgramData\microsoft\MaintenanceUI.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\backgroundTaskHost.exe  PID:2272
        command line: C:\Windows\System32\backgroundTaskHost.exe

C:\Windows\SysWOW64\WerFault.exe  PID:3896
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2808 -ip 2808

C:\Windows\System32\rundll32.exe  PID:2196
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Note that the second BLTools-v2.2.exe (PID 3804) sits directly under Explorer.EXE (PID 3080) in the tree, while the WriteProcessMemory and SetThreadContext rows show PID 1928 populating it; this is consistent with the NtCreateUserProcessOtherParentProcess entry for PID 1928. PID 3804 is also the instance that carries the anti-debug, process-enumeration and privilege-adjustment signatures, and it is the parent of the dropped MaintenanceUI.exe, which in turn writes into backgroundTaskHost.exe.
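The signature tables and the process tree above can be cross-checked mechanically. The script below is an added example written for this report, not code from the sandbox or from the sample's author: IOC_ROWS and PROCESS_TREE are constructed by hand from the rows above, and the function names (api_pairs, analyze, dump_region_size) and the three detection rules are the example's own assumptions about what the API patterns mean. It also assumes the "PID 1928 created 3080" row means that PID 1928 asked for PID 3080 as the parent of the process it created, which is how the tree draws PID 3804.

```python
"""Reconstruct the injection chain from the report's behavioural IoC rows.

Added example for this report (not the sandbox's own code). IOC_ROWS and
PROCESS_TREE are constructed from the signature tables and process tree
above; the detection rules are assumptions about what the API patterns mean.
"""
import re
from collections import Counter, defaultdict

# (api, source pid, target pid), copied from the signature tables. Repeated
# WriteProcessMemory rows are kept as repeats, as the report lists them.
# Assumption: the OtherParentProcess row names the parent PID 1928 requested.
IOC_ROWS = (
    [("NtCreateUserProcessOtherParentProcess", 1928, 3080)]
    + [("SetThreadContext", 1928, 3804)]
    + [("WriteProcessMemory", 1928, 3804)] * 9
    + [("WriteProcessMemory", 1928, 2808)] * 3
    + [("WriteProcessMemory", 3804, 4700)] * 2
    + [("WriteProcessMemory", 4700, 2272)] * 3
)

# pid -> (image path, parent pid as drawn in the report's process tree).
PROCESS_TREE = {
    3080: (r"C:\Windows\Explorer.EXE", None),
    1928: (r"C:\Users\Admin\AppData\Local\Temp\BLTools-v2.2.exe", 3080),
    2808: (r"C:\Users\Admin\AppData\Local\Temp\BLTools v2.2.exe", 1928),
    4356: (r"C:\Windows\SysWOW64\WerFault.exe", 2808),
    3804: (r"C:\Users\Admin\AppData\Local\Temp\BLTools-v2.2.exe", 3080),
    4700: (r"C:\ProgramData\microsoft\MaintenanceUI.exe", 3804),
    2272: (r"C:\Windows\System32\backgroundTaskHost.exe", 4700),
}


def api_pairs(rows):
    """Group the IoC rows by (source pid, target pid) -> Counter of API names."""
    pairs = defaultdict(Counter)
    for api, src, tgt in rows:
        pairs[(src, tgt)][api] += 1
    return pairs


def analyze(rows, tree):
    """Return (kind, source pid, target pid) findings for the injection chain."""
    findings = []
    # Processes that asked the kernel for a parent other than themselves.
    spoofers = {src: tgt for api, src, tgt in rows
                if api == "NtCreateUserProcessOtherParentProcess"}
    for (src, tgt), apis in api_pairs(rows).items():
        if not apis["WriteProcessMemory"]:
            continue  # pairs with no memory writes carry no injection signal
        src_path = tree.get(src, ("", None))[0].lower()
        tgt_path, reported_parent = tree.get(tgt, ("", None))
        tgt_path = tgt_path.lower()
        # Writes plus a thread-context change on the same target: the classic
        # hollowing / thread-hijack sequence, not ordinary child start-up.
        if apis["SetThreadContext"]:
            findings.append(("hollowing", src, tgt))
        # The writer is not the parent the tree shows, and the writer asked for
        # exactly that parent via OtherParentProcess: PPID spoofing.
        if (reported_parent is not None and reported_parent != src
                and spoofers.get(src) == reported_parent):
            findings.append(("ppid-spoof", src, tgt))
        # A binary outside C:\Windows writing into a System32 image.
        if (tgt_path.startswith(r"c:\windows\system32")
                and not src_path.startswith(r"c:\windows")):
            findings.append(("system-process-injection", src, tgt))
    return findings


_REGION = re.compile(r"0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.IGNORECASE)


def dump_region_size(resource_name):
    """Size in bytes of a memory-dump resource named like
    'behavioral2/memory/4700-248-0x0000000000E10000-0x0000000000FF6000-memory.dmp'."""
    m = _REGION.search(resource_name)
    if not m:
        raise ValueError(f"not a memory dump resource: {resource_name}")
    start, end = (int(x, 16) for x in m.groups())
    return end - start


if __name__ == "__main__":
    for kind, src, tgt in analyze(IOC_ROWS, PROCESS_TREE):
        print(f"{kind:26} {src} -> {tgt}")
    upx_region = "behavioral2/memory/4700-248-0x0000000000E10000-0x0000000000FF6000-memory.dmp"
    print(f"UPX-flagged region in pid 4700: {dump_region_size(upx_region):#x} bytes")
```

Two of the four write pairs produce no finding: PID 1928 writing three times into its own child PID 2808 without SetThreadContext, and PID 3804 writing into its child PID 4700, are what a parent does when it starts a child, so a rule keyed on WriteProcessMemory alone would fire on every process creation. The rules instead require the thread-context change, the parent mismatch backed by the OtherParentProcess row, or a non-Windows image writing into a System32 image. The region helper turns the UPX-matched memory resource for PID 4700 into its size (0x1E6000 bytes), which is the unpacked footprint to compare against the 667KB dropped files.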
Network
MITRE ATT&CK Enterprise v6
Downloads
The page lists the files by size and hash only. The 667KB and 4.6MB entries each appear three times with identical hashes; they are collapsed below with the count noted.

Filesize: 667KB (3 entries)
MD5: 3d90f7387ce502377b51bc44cbccc932
SHA1: a74481e159fd4be833f384b0143a0ae256d1d1ce
SHA256: 9e38265974dd42580fb252ae669b89688a8dc0016c6bdecae1786face9a75eea
SHA512: ee2677992a01350375362048f60f37e51ea7752972452d945d1f2a85d6189230140e50579862f89b195da73156532eabe581028625a14518066a93a810742742

Filesize: 859B
MD5: 6e11a15fe4491ead2a94f64d3467be38
SHA1: 9a8329fb71ddc89dae9aa174c0b44a1f646efd63
SHA256: 087cf6355ae9fc71eea2493b30c6b10a6775f3dd68b2cb5e07fcc13461b74248
SHA512: 6154e320e2556aef177fc5bfb4e5fe8fabe324af736b89db4db41e6dd51658f7f6a7d0f73c24dc6ccdc4edf14023f4a1ecd0908abac5b82cebd038a93b2fc106

Filesize: 4.6MB (3 entries)
MD5: 31b01cdaebe52fe31f74cd083a18fb88
SHA1: 2501d0927aafe0e33c3750501f45a2984f6b2fdb
SHA256: 120b0dc2fec8495fd608890cee10cf68e8ce2b97561bb044c2ce28990f017716
SHA512: ca8b94efa40c10b059cf885d61e57812eaa21228e744f33891c87db9790d2a1fe034d797a9faa6124a03911865366c9ebb273c0681f6d2329567971598e4b529

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82