31e1a16d982e4415d8161baf6817038b8dee191c996d5470338026b7f9fcce1f

Analysis

max time kernel
149s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02/04/2023, 05:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BluescreenSimulator.exe
Size

435KB
MD5

c729d1244f267a4a9ee8d565b9d3d973
SHA1

6a2990aef82674312751d68737f19309e0a06504
SHA256

31e1a16d982e4415d8161baf6817038b8dee191c996d5470338026b7f9fcce1f
SHA512

a935bfdf0c46a7e1bb2276731374227c4ff01e1fb9813e458d3b110a50c563fd4ab38628ec81044ab927b34e90f39309b29cac94528358b5662181436ee93146
SSDEEP

6144:uPbYJ+oq8+Lf6b1gZjBfyZG4SaGQSZcFhQ9akOJe:uPbRKcLNkkOE

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	572	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	572	AUDIODG.EXE
Token: 33	572	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	572	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1044	MSASCui.exe
1044	MSASCui.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1992	BluescreenSimulator.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1296	1992	BluescreenSimulator.exe	30
PID 1992 wrote to memory of 1296	1992	BluescreenSimulator.exe	30
PID 1992 wrote to memory of 1296	1992	BluescreenSimulator.exe	30
PID 1296 wrote to memory of 1348	1296	iexpress.exe	31
PID 1296 wrote to memory of 1348	1296	iexpress.exe	31
PID 1296 wrote to memory of 1348	1296	iexpress.exe	31

C:\Users\Admin\AppData\Local\Temp\BluescreenSimulator.exe
"C:\Users\Admin\AppData\Local\Temp\BluescreenSimulator.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\iexpress.exe
  "C:\Windows\system32\iexpress.exe" /N C:\Users\Admin\AppData\Local\Temp\\optionfile.SED
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\makecab.exe
    C:\Windows\system32\makecab.exe /f "C:\Users\Admin\AppData\Local\Temp\\~h2bclh40.dzs.DDF"
    3⤵
    PID:1348

C:\Program Files\Windows Defender\MSASCui.exe
"C:\Program Files\Windows Defender\MSASCui.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1044

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:276

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xd0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\optionfile.SED

Filesize
788B

MD5
82419f1eb063f6f5b08839cd3944f0ab

SHA1
80b2e8738d51772ce7e296f9701ebdf17f389acb

SHA256
012690fb257d3355d1d3f6d1fcdf12177d16c048c763295870bc5a8ea1557366

SHA512
a91e35a6e21df62dd9458944c94fcc2b4455db6627a24440d02734da86a973397231470ac974198ef8efeb99e2f4086fa527cb5c0d49f44ae6e39fc98ef6ddc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~h2bclh40.dzs.CAB

Filesize
92KB

MD5
14fd83377396c086097ff875b7a56df6

SHA1
2e1bf7f99fb8909adcf831e86938c5b6ab6a6fdc

SHA256
3719fc0c89af502e2141c3fefd752f49ef70ec27c4332eaa3fa002f7b503ea27

SHA512
6ab7493a8704ff15d20c4efe9f3e13c4ba5a731a568954d9a67a0c4eaf9247bbc9f4a50c95ce86a5e23ab3e8f199bff16af0acdfc04d9d2867b1f3e18ba5af20

Download Submit
C:\Users\Admin\AppData\Local\Temp\~h2bclh40.dzs.DDF

Filesize
862B

MD5
d29feb6e2151604557f7bf8f5e716e9f

SHA1
4c7d5b33aad5cf0be1f6aa5cb2ff7fa423e2b5e6

SHA256
f44eae6cf93ad49923431318677e92f073077cde72a6572647309eef599ab308

SHA512
e07f064eceba5ff30b1e0928683e6a31768c71dc8f938f52e92440d367b5400ca685520e4e00fdb2747dc0871909a5c3a6442986328850c7b133ca96fba22cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~h2bclh40.dzs.RPT

Filesize
283B

MD5
f08dc71e6f1cd97027671bf006648f71

SHA1
2c8f5fafe0825dd3e4705792052b10db0b5b6ef0

SHA256
d92bf35a64f0d3f1a7807f45977979cf95e79be4776cf86149c2704f6d130049

SHA512
19ebc979ee3b9e22a365d27746cee773a9a438ccd2ded9d36a3d3b64646d5ccb6f973e225fb28674c47128c09ec710088c7bf26672980deaa268985dbadb73ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\~h2bclh40.dzs_LAYOUT.INF

Filesize
1KB

MD5
ce5bf320d6d8a1f3bc823f7fa172235a

SHA1
f6835c0bce9df8c20b37f881bce0502e1e5aa53d

SHA256
bd171d171581cc7067f179719b4d13fe3c520a0a6b23653c29465bb271d2ce22

SHA512
44304e8d935efa71b202f45ef738fec053799e816fa2cdee9ff17c8a8c6602345ca30d2c9d94e04057bef5ace455a787817317696025ea1e28786f019da59753

Download Submit
memory/1044-60-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1044-61-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1992-54-0x0000000000350000-0x00000000003C2000-memory.dmp

Filesize
456KB

Download
memory/1992-59-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/1992-58-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/1992-57-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/1992-56-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/1992-55-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download