Overview

Task                    Platform            Score
Overview                -                   10
Static                  -                   10
BlitzedPrem.7z          windows7-x64        3
BlitzedPrem.7z          windows10-2004-x64  3
APIFOR.dll              windows7-x64        1
APIFOR.dll              windows10-2004-x64  1
BlitzedGrabberV14.exe   windows7-x64        10
BlitzedGrabberV14.exe   windows10-2004-x64  10
BlitzedGrabberV14.pdb   windows7-x64        3
BlitzedGrabberV14.pdb   windows10-2004-x64  3
Costura.dll             windows7-x64        1
Costura.dll             windows10-2004-x64  1
DiscordRPC.dll          windows7-x64        1
DiscordRPC.dll          windows10-2004-x64  1
Guna.UI2.dll            windows7-x64        1
Guna.UI2.dll            windows10-2004-x64  1
Newtonsoft.Json.dll     windows7-x64        1
Newtonsoft.Json.dll     windows10-2004-x64  1
Sodium.dll              windows7-x64        1
Sodium.dll              windows10-2004-x64  1
System.Dia...ce.dll     windows7-x64        1
System.Dia...ce.dll     windows10-2004-x64  1
Vestris.Re...ib.dll     windows7-x64        1
Vestris.Re...ib.dll     windows10-2004-x64  1
dnlib.dll               windows7-x64        1
dnlib.dll               windows10-2004-x64  1
libsodium-64.dll        windows7-x64        1
libsodium-64.dll        windows10-2004-x64  1
libsodium.dll           windows7-x64        1
libsodium.dll           windows10-2004-x64  1

Analysis
max time kernel:  32s
max time network: 29s
platform:         windows7_x64
resource:         win7-20230220-en
resource tags:    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted:        23-04-2023 15:14
Behavioral task   Sample                                    Resource
behavioral1       BlitzedPrem.7z                            win7-20230220-en
behavioral2       BlitzedPrem.7z                            win10v2004-20230220-en
behavioral3       APIFOR.dll                                win7-20230220-en
behavioral4       APIFOR.dll                                win10v2004-20230220-en
behavioral5       BlitzedGrabberV14.exe                     win7-20230220-en
behavioral6       BlitzedGrabberV14.exe                     win10v2004-20230220-en
behavioral7       BlitzedGrabberV14.pdb                     win7-20230220-en
behavioral8       BlitzedGrabberV14.pdb                     win10v2004-20230220-en
behavioral9       Costura.dll                               win7-20230220-en
behavioral10      Costura.dll                               win10v2004-20230221-en
behavioral11      DiscordRPC.dll                            win7-20230220-en
behavioral12      DiscordRPC.dll                            win10v2004-20230220-en
behavioral13      Guna.UI2.dll                              win7-20230220-en
behavioral14      Guna.UI2.dll                              win10v2004-20230221-en
behavioral15      Newtonsoft.Json.dll                       win7-20230220-en
behavioral16      Newtonsoft.Json.dll                       win10v2004-20230220-en
behavioral17      Sodium.dll                                win7-20230220-en
behavioral18      Sodium.dll                                win10v2004-20230220-en
behavioral19      System.Diagnostics.DiagnosticSource.dll   win7-20230220-en
behavioral20      System.Diagnostics.DiagnosticSource.dll   win10v2004-20230220-en
behavioral21      Vestris.ResourceLib.dll                   win7-20230220-en
behavioral22      Vestris.ResourceLib.dll                   win10v2004-20230220-en
behavioral23      dnlib.dll                                 win7-20230220-en
behavioral24      dnlib.dll                                 win10v2004-20230221-en
behavioral25      libsodium-64.dll                          win7-20230220-en
behavioral26      libsodium-64.dll                          win10v2004-20230220-en
behavioral27      libsodium.dll                             win7-20230220-en
behavioral28      libsodium.dll                             win10v2004-20230220-en
General

Target: BlitzedPrem.7z
Size:   5.3MB
MD5:    7c73dbaf4675062445763268ae30fd50
SHA1:   6a26872339fc0cecee551c81317cd40fcfb30cbd
SHA256: be8c72e77bd4a9453a3ffbf89383ca1487c650c3eb006b8c58e5e6490089b38c
SHA512: 93ac3e0594c1ecd17579e9dd52ecdbd47c68fdde7a9a2a362f82e3c13f4eb2aa42ed8072de4b21eece9c75a460ba8b2fb79d66acd55b3ab78e3b12ff91efb653
SSDEEP: 98304:jbDchxaZZXeYfaXv/zEvWNk9Od2/pfFz2zy24/SU1xyhuoYIDhMKJYPg:vDoaZZOYe/4We9o2952OHDwNJdJX
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (12 IoCs)
  Processes: rundll32.exe

  description       ioc                                                                                                                                      process
  Key created       \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file                                                       rundll32.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\                                                      rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\edit                                            rundll32.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"   rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\open\command                                    rundll32.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"   rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings                                                     rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.7z                                                                rundll32.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.7z\ = "7z_auto_file"                                              rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell                                                 rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\edit\command                                    rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\open                                            rundll32.exe

- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE

  pid   process
  112   NOTEPAD.EXE

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: rundll32.exe

  pid    process
  1540   rundll32.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, rundll32.exe

  description                         pid    process        target process
  PID 1968 wrote to memory of 1540    1968   cmd.exe        rundll32.exe
  PID 1968 wrote to memory of 1540    1968   cmd.exe        rundll32.exe
  PID 1968 wrote to memory of 1540    1968   cmd.exe        rundll32.exe
  PID 1540 wrote to memory of 112     1540   rundll32.exe   NOTEPAD.EXE
  PID 1540 wrote to memory of 112     1540   rundll32.exe   NOTEPAD.EXE
  PID 1540 wrote to memory of 112     1540   rundll32.exe   NOTEPAD.EXE
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\BlitzedPrem.7z
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\BlitzedPrem.7z
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\NOTEPAD.EXE
         Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BlitzedPrem.7z
         - Opens file in notepad (likely ransom note)