Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
10-06-2023 23:36
General
-
Target
BLTools BY XIII.exe
-
Size
5.9MB
-
MD5
016832e3ce6c4cf62015ac78998b7ead
-
SHA1
7090ba721ad1f71d50d7446d0b41b00e6256026f
-
SHA256
0fbeb20947f75b3e1bc730b8ddaaca5c55fd162d557dae2fe33babd7cbef716a
-
SHA512
5c151d367eb9dde8f89240dd46f44c5024ad199a7c4928ac1f9ab1e5d1d91d54c10608171b6912cf4112e0a593880b2ebd7c12a0cc480f7b15bfb060e74feb1b
-
SSDEEP
98304:5DJfFfupztdd20BbRFmN7nvIYAzYGVEooAZJTIya+vJ9OTOWjY9olN:/Ffupzd209RFOcYAsvAZ5If+vJ9OqXqN
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 5 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BLTools BY XIII.exe"C:\Users\Admin\AppData\Local\Temp\BLTools BY XIII.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BLTools\XIII.scr"C:\Users\Admin\AppData\Local\Temp\BLTools\XIII.scr" /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\LocaloqhKwDrFPR.exe"C:\Users\Admin\AppData\LocaloqhKwDrFPR.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\WindowsExplorer.exe"C:\Windows\WindowsExplorer.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsExplorer.exe"5⤵
- Drops startup file
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WindowsExplorer.exe"5⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Windows\WindowsExplorer.exe"4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\LocalqvrXdsXBvT.pnj"2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=63FFA871358B07925F4BEC0104F16D6B --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8F65CAE20E600877959A414AE3450706 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8F65CAE20E600877959A414AE3450706 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:14⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A92D2491F4D451625476E8C576CE9B26 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=214B54EAD6F966258EDD313CD5E7124A --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6F25D50D7863FC59012BBFB5E2582AD8 --mojo-platform-channel-handle=1976 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BLTools\XIII.ScrFilesize
432KB
MD52b5a346d33b898420943d9c950497757
SHA11ce3285abe0fc86a58fddb61cbbd54df36604e33
SHA2563ae0dbcdfc899d434c254b03d8298fcf5ec3499d018a41e15b1ccbff8fbdeae6
SHA5124b24e7f97a741e7cdbcd01cb76f97aac983967ee515914c76422776fd98fbbb9b129b008a257fbb76d2dd22152345a70d60fbb07b73f66570304a917c3b5d6c5
-
C:\Users\Admin\AppData\Local\Temp\BLTools\XIII.scrFilesize
432KB
MD52b5a346d33b898420943d9c950497757
SHA11ce3285abe0fc86a58fddb61cbbd54df36604e33
SHA2563ae0dbcdfc899d434c254b03d8298fcf5ec3499d018a41e15b1ccbff8fbdeae6
SHA5124b24e7f97a741e7cdbcd01cb76f97aac983967ee515914c76422776fd98fbbb9b129b008a257fbb76d2dd22152345a70d60fbb07b73f66570304a917c3b5d6c5
-
C:\Users\Admin\AppData\LocaloqhKwDrFPR.exeFilesize
155KB
MD54d39527f50340de1c545bbefc744d05f
SHA197acd063a7485ad701235fdde775eca1f24f365f
SHA256cd6e270a2cbdb37336e3048280555bd07f3b243e8d01d67c5665ee91e5b604b6
SHA51211ef88a4e1d2cc0934bb153a8574f6ff3883b9b7bd31cb53e4b6e8983c4b3a34b9bcbf5a95f3b2f5111341f55b2d3e276d9b00a408f2ce8b6ce820143b6694a5
-
C:\Users\Admin\AppData\LocaloqhKwDrFPR.exeFilesize
155KB
MD54d39527f50340de1c545bbefc744d05f
SHA197acd063a7485ad701235fdde775eca1f24f365f
SHA256cd6e270a2cbdb37336e3048280555bd07f3b243e8d01d67c5665ee91e5b604b6
SHA51211ef88a4e1d2cc0934bb153a8574f6ff3883b9b7bd31cb53e4b6e8983c4b3a34b9bcbf5a95f3b2f5111341f55b2d3e276d9b00a408f2ce8b6ce820143b6694a5
-
C:\Users\Admin\AppData\LocaloqhKwDrFPR.exeFilesize
155KB
MD54d39527f50340de1c545bbefc744d05f
SHA197acd063a7485ad701235fdde775eca1f24f365f
SHA256cd6e270a2cbdb37336e3048280555bd07f3b243e8d01d67c5665ee91e5b604b6
SHA51211ef88a4e1d2cc0934bb153a8574f6ff3883b9b7bd31cb53e4b6e8983c4b3a34b9bcbf5a95f3b2f5111341f55b2d3e276d9b00a408f2ce8b6ce820143b6694a5
-
C:\Users\Admin\AppData\LocalqvrXdsXBvT.pnjFilesize
101KB
MD5c619f168dfa4a664a42cf5ddd8b2f1cb
SHA1a906d7dff2149bbb5b29426584862698822f12c9
SHA256cd89e893f3c063f46e3281f01e1a59bff77e828baa67796c7873316d7c924718
SHA51244a3f24b952fafd3ac4bb1abbd21e3abd5af813edb5217eccd6d2bb058b3955c53d8683f6957ea0b731084bb9bde81cb6eefef9afba168c0a55c9cf63eedf5b5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsExplorer.exeFilesize
155KB
MD54d39527f50340de1c545bbefc744d05f
SHA197acd063a7485ad701235fdde775eca1f24f365f
SHA256cd6e270a2cbdb37336e3048280555bd07f3b243e8d01d67c5665ee91e5b604b6
SHA51211ef88a4e1d2cc0934bb153a8574f6ff3883b9b7bd31cb53e4b6e8983c4b3a34b9bcbf5a95f3b2f5111341f55b2d3e276d9b00a408f2ce8b6ce820143b6694a5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsExplorer.lnkFilesize
1KB
MD5d511c43295b1707c7cb5cd7f327ac7e5
SHA1ca0a0eb480a8352d741da9bb6ce695fdc7b9478b
SHA256b7070b27fd9f11284f6fc449a05ca4fcfa2f2b7ced3b8954e7451592ff2db800
SHA51200da7c9ec042e234732f19ae1fd958306e6dff8bcc8f1ad960eda4b92b9aa959ed6629d38d7e7d6261715e24d33f8203472b4a8417309e5d6e9e106a4d76561f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WindowsExplorer.lnkFilesize
1KB
MD5cbbab89e0cda89d84359dde67010f163
SHA1bdecb40a32b20206f32b4614d46b2d16752df9ca
SHA2564b3a8e20cc4f9d313ea503e7b1738d4cd2bda8c69bc68e44c5acb5e541f24f45
SHA51299520649007b543f0ca3a7d8db109b5e43e6f91f3ae820a4f33acffe7d71197e0b15947b1404019fd1a76e216a325df10324d2ca8545a35d53b661dfee009e3c
-
C:\Windows\WindowsExplorer.exeFilesize
155KB
MD54d39527f50340de1c545bbefc744d05f
SHA197acd063a7485ad701235fdde775eca1f24f365f
SHA256cd6e270a2cbdb37336e3048280555bd07f3b243e8d01d67c5665ee91e5b604b6
SHA51211ef88a4e1d2cc0934bb153a8574f6ff3883b9b7bd31cb53e4b6e8983c4b3a34b9bcbf5a95f3b2f5111341f55b2d3e276d9b00a408f2ce8b6ce820143b6694a5
-
C:\Windows\WindowsExplorer.exeFilesize
155KB
MD54d39527f50340de1c545bbefc744d05f
SHA197acd063a7485ad701235fdde775eca1f24f365f
SHA256cd6e270a2cbdb37336e3048280555bd07f3b243e8d01d67c5665ee91e5b604b6
SHA51211ef88a4e1d2cc0934bb153a8574f6ff3883b9b7bd31cb53e4b6e8983c4b3a34b9bcbf5a95f3b2f5111341f55b2d3e276d9b00a408f2ce8b6ce820143b6694a5
-
memory/1652-155-0x0000000001510000-0x0000000001520000-memory.dmpFilesize
64KB
-
memory/1652-156-0x0000000000CA0000-0x0000000000D10000-memory.dmpFilesize
448KB
-
memory/4468-176-0x0000000004D20000-0x0000000004D76000-memory.dmpFilesize
344KB
-
memory/4468-178-0x0000000004DD0000-0x0000000004DE0000-memory.dmpFilesize
64KB
-
memory/4468-177-0x0000000004DD0000-0x0000000004DE0000-memory.dmpFilesize
64KB
-
memory/4468-172-0x0000000004AB0000-0x0000000004B4C000-memory.dmpFilesize
624KB
-
memory/4468-171-0x0000000000140000-0x000000000016E000-memory.dmpFilesize
184KB
-
memory/4468-175-0x0000000004BB0000-0x0000000004BBA000-memory.dmpFilesize
40KB
-
memory/4468-174-0x0000000004C80000-0x0000000004D12000-memory.dmpFilesize
584KB
-
memory/4468-173-0x0000000005190000-0x0000000005734000-memory.dmpFilesize
5.6MB
-
memory/4740-193-0x0000000005340000-0x0000000005350000-memory.dmpFilesize
64KB
-
memory/4740-198-0x0000000005340000-0x0000000005350000-memory.dmpFilesize
64KB
-
memory/4740-201-0x0000000005340000-0x0000000005350000-memory.dmpFilesize
64KB