f368811f3bb071d6ee006731fe819a0b7d8cd7ed5fd8110aeb5cb0da22a3a3a7

Analysis

max time kernel
61s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2023, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLTools-v2.2.exe
Size

4.5MB
MD5

ef5ee302110f10993a991fd9a2350594
SHA1

a3f020240217e95c952a4f17cfe101193db1f478
SHA256

f368811f3bb071d6ee006731fe819a0b7d8cd7ed5fd8110aeb5cb0da22a3a3a7
SHA512

5d5ade7075ba155046381bf1976de2e05bb355f897075930571f09c398ca9fbd28b499ce82cb13dd3139a9490c4f52237a4eba7e36b6b8fb536ce96af156fdc6
SSDEEP

98304:W3AsFVBrtaVHd+A1NTzIHG/4EfZRo6gW0bW+egt8qXLbkse219FdVVN3kzes:1wG9+A1NTzOPKZRo6gWG9egCqXLbN5hO

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1928 created 3080	1928	BLTools-v2.2.exe	37

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	BLTools-v2.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	BLTools-v2.2.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	BLTools v2.2.exe
4700	MaintenanceUI.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023141-236.dat	upx
behavioral2/files/0x0009000000023141-246.dat	upx
behavioral2/files/0x0009000000023141-247.dat	upx
behavioral2/memory/4700-248-0x0000000000E10000-0x0000000000FF6000-memory.dmp	upx
behavioral2/memory/4700-291-0x0000000000E10000-0x0000000000FF6000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3804	BLTools-v2.2.exe
3804	BLTools-v2.2.exe
3804	BLTools-v2.2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 3804	1928	BLTools-v2.2.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4356	2808	WerFault.exe	85

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	BLTools-v2.2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3804	BLTools-v2.2.exe
3804	BLTools-v2.2.exe
3804	BLTools-v2.2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3804	BLTools-v2.2.exe
Token: SeIncreaseQuotaPrivilege	3804	BLTools-v2.2.exe
Token: SeSecurityPrivilege	3804	BLTools-v2.2.exe
Token: SeTakeOwnershipPrivilege	3804	BLTools-v2.2.exe
Token: SeLoadDriverPrivilege	3804	BLTools-v2.2.exe
Token: SeSystemProfilePrivilege	3804	BLTools-v2.2.exe
Token: SeSystemtimePrivilege	3804	BLTools-v2.2.exe
Token: SeProfSingleProcessPrivilege	3804	BLTools-v2.2.exe
Token: SeIncBasePriorityPrivilege	3804	BLTools-v2.2.exe
Token: SeCreatePagefilePrivilege	3804	BLTools-v2.2.exe
Token: SeBackupPrivilege	3804	BLTools-v2.2.exe
Token: SeRestorePrivilege	3804	BLTools-v2.2.exe
Token: SeShutdownPrivilege	3804	BLTools-v2.2.exe
Token: SeDebugPrivilege	3804	BLTools-v2.2.exe
Token: SeSystemEnvironmentPrivilege	3804	BLTools-v2.2.exe
Token: SeRemoteShutdownPrivilege	3804	BLTools-v2.2.exe
Token: SeUndockPrivilege	3804	BLTools-v2.2.exe
Token: SeManageVolumePrivilege	3804	BLTools-v2.2.exe
Token: 33	3804	BLTools-v2.2.exe
Token: 34	3804	BLTools-v2.2.exe
Token: 35	3804	BLTools-v2.2.exe
Token: 36	3804	BLTools-v2.2.exe
Token: SeIncreaseQuotaPrivilege	3804	BLTools-v2.2.exe
Token: SeSecurityPrivilege	3804	BLTools-v2.2.exe
Token: SeTakeOwnershipPrivilege	3804	BLTools-v2.2.exe
Token: SeLoadDriverPrivilege	3804	BLTools-v2.2.exe
Token: SeSystemProfilePrivilege	3804	BLTools-v2.2.exe
Token: SeSystemtimePrivilege	3804	BLTools-v2.2.exe
Token: SeProfSingleProcessPrivilege	3804	BLTools-v2.2.exe
Token: SeIncBasePriorityPrivilege	3804	BLTools-v2.2.exe
Token: SeCreatePagefilePrivilege	3804	BLTools-v2.2.exe
Token: SeBackupPrivilege	3804	BLTools-v2.2.exe
Token: SeRestorePrivilege	3804	BLTools-v2.2.exe
Token: SeShutdownPrivilege	3804	BLTools-v2.2.exe
Token: SeDebugPrivilege	3804	BLTools-v2.2.exe
Token: SeSystemEnvironmentPrivilege	3804	BLTools-v2.2.exe
Token: SeRemoteShutdownPrivilege	3804	BLTools-v2.2.exe
Token: SeUndockPrivilege	3804	BLTools-v2.2.exe
Token: SeManageVolumePrivilege	3804	BLTools-v2.2.exe
Token: 33	3804	BLTools-v2.2.exe
Token: 34	3804	BLTools-v2.2.exe
Token: 35	3804	BLTools-v2.2.exe
Token: 36	3804	BLTools-v2.2.exe
Token: SeIncreaseQuotaPrivilege	3804	BLTools-v2.2.exe
Token: SeSecurityPrivilege	3804	BLTools-v2.2.exe
Token: SeTakeOwnershipPrivilege	3804	BLTools-v2.2.exe
Token: SeLoadDriverPrivilege	3804	BLTools-v2.2.exe
Token: SeSystemProfilePrivilege	3804	BLTools-v2.2.exe
Token: SeSystemtimePrivilege	3804	BLTools-v2.2.exe
Token: SeProfSingleProcessPrivilege	3804	BLTools-v2.2.exe
Token: SeIncBasePriorityPrivilege	3804	BLTools-v2.2.exe
Token: SeCreatePagefilePrivilege	3804	BLTools-v2.2.exe
Token: SeBackupPrivilege	3804	BLTools-v2.2.exe
Token: SeRestorePrivilege	3804	BLTools-v2.2.exe
Token: SeShutdownPrivilege	3804	BLTools-v2.2.exe
Token: SeDebugPrivilege	3804	BLTools-v2.2.exe
Token: SeSystemEnvironmentPrivilege	3804	BLTools-v2.2.exe
Token: SeRemoteShutdownPrivilege	3804	BLTools-v2.2.exe
Token: SeUndockPrivilege	3804	BLTools-v2.2.exe
Token: SeManageVolumePrivilege	3804	BLTools-v2.2.exe
Token: 33	3804	BLTools-v2.2.exe
Token: 34	3804	BLTools-v2.2.exe
Token: 35	3804	BLTools-v2.2.exe
Token: 36	3804	BLTools-v2.2.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 3804	1928	BLTools-v2.2.exe	84
PID 1928 wrote to memory of 3804	1928	BLTools-v2.2.exe	84
PID 1928 wrote to memory of 3804	1928	BLTools-v2.2.exe	84
PID 1928 wrote to memory of 3804	1928	BLTools-v2.2.exe	84
PID 1928 wrote to memory of 3804	1928	BLTools-v2.2.exe	84
PID 1928 wrote to memory of 3804	1928	BLTools-v2.2.exe	84
PID 1928 wrote to memory of 3804	1928	BLTools-v2.2.exe	84
PID 1928 wrote to memory of 3804	1928	BLTools-v2.2.exe	84
PID 1928 wrote to memory of 3804	1928	BLTools-v2.2.exe	84
PID 1928 wrote to memory of 2808	1928	BLTools-v2.2.exe	85
PID 1928 wrote to memory of 2808	1928	BLTools-v2.2.exe	85
PID 1928 wrote to memory of 2808	1928	BLTools-v2.2.exe	85
PID 3804 wrote to memory of 4700	3804	BLTools-v2.2.exe	92
PID 3804 wrote to memory of 4700	3804	BLTools-v2.2.exe	92
PID 4700 wrote to memory of 2272	4700	MaintenanceUI.exe	93
PID 4700 wrote to memory of 2272	4700	MaintenanceUI.exe	93
PID 4700 wrote to memory of 2272	4700	MaintenanceUI.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\BLTools-v2.2.exe
  "C:\Users\Admin\AppData\Local\Temp\BLTools-v2.2.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\BLTools v2.2.exe
    "C:\Users\Admin\AppData\Local\Temp\BLTools v2.2.exe"
    3⤵
    - Executes dropped EXE
    PID:2808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1076
      4⤵
      Program crash
      PID:4356
- C:\Users\Admin\AppData\Local\Temp\BLTools-v2.2.exe
  "C:\Users\Admin\AppData\Local\Temp\BLTools-v2.2.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\ProgramData\microsoft\MaintenanceUI.exe
    "C:\ProgramData\microsoft\MaintenanceUI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\System32\backgroundTaskHost.exe
      C:\Windows\System32\backgroundTaskHost.exe
      4⤵
      PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2808 -ip 2808
1⤵
PID:3896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\MaintenanceUI.exe

Filesize
667KB

MD5
3d90f7387ce502377b51bc44cbccc932

SHA1
a74481e159fd4be833f384b0143a0ae256d1d1ce

SHA256
9e38265974dd42580fb252ae669b89688a8dc0016c6bdecae1786face9a75eea

SHA512
ee2677992a01350375362048f60f37e51ea7752972452d945d1f2a85d6189230140e50579862f89b195da73156532eabe581028625a14518066a93a810742742

Download Submit
C:\ProgramData\Microsoft\MaintenanceUI.exe

Filesize
667KB

MD5
3d90f7387ce502377b51bc44cbccc932

SHA1
a74481e159fd4be833f384b0143a0ae256d1d1ce

SHA256
9e38265974dd42580fb252ae669b89688a8dc0016c6bdecae1786face9a75eea

SHA512
ee2677992a01350375362048f60f37e51ea7752972452d945d1f2a85d6189230140e50579862f89b195da73156532eabe581028625a14518066a93a810742742

Download Submit
C:\ProgramData\microsoft\MaintenanceUI.exe

Filesize
667KB

MD5
3d90f7387ce502377b51bc44cbccc932

SHA1
a74481e159fd4be833f384b0143a0ae256d1d1ce

SHA256
9e38265974dd42580fb252ae669b89688a8dc0016c6bdecae1786face9a75eea

SHA512
ee2677992a01350375362048f60f37e51ea7752972452d945d1f2a85d6189230140e50579862f89b195da73156532eabe581028625a14518066a93a810742742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BLTools-v2.2.exe.log

Filesize
859B

MD5
6e11a15fe4491ead2a94f64d3467be38

SHA1
9a8329fb71ddc89dae9aa174c0b44a1f646efd63

SHA256
087cf6355ae9fc71eea2493b30c6b10a6775f3dd68b2cb5e07fcc13461b74248

SHA512
6154e320e2556aef177fc5bfb4e5fe8fabe324af736b89db4db41e6dd51658f7f6a7d0f73c24dc6ccdc4edf14023f4a1ecd0908abac5b82cebd038a93b2fc106

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLTools v2.2.exe

Filesize
4.6MB

MD5
31b01cdaebe52fe31f74cd083a18fb88

SHA1
2501d0927aafe0e33c3750501f45a2984f6b2fdb

SHA256
120b0dc2fec8495fd608890cee10cf68e8ce2b97561bb044c2ce28990f017716

SHA512
ca8b94efa40c10b059cf885d61e57812eaa21228e744f33891c87db9790d2a1fe034d797a9faa6124a03911865366c9ebb273c0681f6d2329567971598e4b529

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLTools v2.2.exe

Filesize
4.6MB

MD5
31b01cdaebe52fe31f74cd083a18fb88

SHA1
2501d0927aafe0e33c3750501f45a2984f6b2fdb

SHA256
120b0dc2fec8495fd608890cee10cf68e8ce2b97561bb044c2ce28990f017716

SHA512
ca8b94efa40c10b059cf885d61e57812eaa21228e744f33891c87db9790d2a1fe034d797a9faa6124a03911865366c9ebb273c0681f6d2329567971598e4b529

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLTools v2.2.exe

Filesize
4.6MB

MD5
31b01cdaebe52fe31f74cd083a18fb88

SHA1
2501d0927aafe0e33c3750501f45a2984f6b2fdb

SHA256
120b0dc2fec8495fd608890cee10cf68e8ce2b97561bb044c2ce28990f017716

SHA512
ca8b94efa40c10b059cf885d61e57812eaa21228e744f33891c87db9790d2a1fe034d797a9faa6124a03911865366c9ebb273c0681f6d2329567971598e4b529

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckrp5rab.n0m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1928-187-0x0000000001960000-0x0000000001970000-memory.dmp

Filesize
64KB

Download
memory/1928-133-0x0000000000BE0000-0x000000000105E000-memory.dmp

Filesize
4.5MB

Download
memory/2272-289-0x00000174067E0000-0x00000174067FA000-memory.dmp

Filesize
104KB

Download
memory/2272-292-0x0000017406A80000-0x0000017406A97000-memory.dmp

Filesize
92KB

Download
memory/2808-208-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/2808-205-0x0000000000060000-0x00000000004FA000-memory.dmp

Filesize
4.6MB

Download
memory/3804-204-0x00007FF476220000-0x00007FF4765F1000-memory.dmp

Filesize
3.8MB

Download
memory/3804-230-0x00000000060D0000-0x00000000060E0000-memory.dmp

Filesize
64KB

Download
memory/3804-209-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-210-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-211-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-212-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-213-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-206-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-215-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-216-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-201-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-226-0x0000000003D90000-0x0000000003DB2000-memory.dmp

Filesize
136KB

Download
memory/3804-227-0x0000000022C30000-0x0000000023158000-memory.dmp

Filesize
5.2MB

Download
memory/3804-228-0x00007FFC091D0000-0x00007FFC091E0000-memory.dmp

Filesize
64KB

Download
memory/3804-229-0x00007FFC877F0000-0x00007FFC87800000-memory.dmp

Filesize
64KB

Download
memory/3804-207-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-231-0x00000000060D0000-0x00000000060E0000-memory.dmp

Filesize
64KB

Download
memory/3804-197-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-189-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-188-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-295-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-249-0x0000000026A20000-0x00000000271C6000-memory.dmp

Filesize
7.6MB

Download
memory/3804-251-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-258-0x00007FF476220000-0x00007FF4765F1000-memory.dmp

Filesize
3.8MB

Download
memory/3804-259-0x00000000060D0000-0x00000000060E0000-memory.dmp

Filesize
64KB

Download
memory/3804-136-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-294-0x00000000060D0000-0x00000000060E0000-memory.dmp

Filesize
64KB

Download
memory/3804-134-0x0000000140000000-0x0000000140E3A000-memory.dmp

Filesize
14.2MB

Download
memory/3804-293-0x00000000060D0000-0x00000000060E0000-memory.dmp

Filesize
64KB

Download
memory/4700-291-0x0000000000E10000-0x0000000000FF6000-memory.dmp

Filesize
1.9MB

Download
memory/4700-248-0x0000000000E10000-0x0000000000FF6000-memory.dmp

Filesize
1.9MB

Download