Overview
overview
3Static
static
1bloxflip.p...unt.py
windows7-x64
3bloxflip.p...unt.py
windows10-2004-x64
3bloxflip.p...ent.py
windows7-x64
3bloxflip.p...ent.py
windows10-2004-x64
3bloxflip.p...ash.py
windows7-x64
3bloxflip.p...ash.py
windows10-2004-x64
3bloxflip.p...pot.py
windows7-x64
3bloxflip.p...pot.py
windows10-2004-x64
3bloxflip.p...ine.py
windows7-x64
3bloxflip.p...ine.py
windows10-2004-x64
3bloxflip.p...ors.py
windows7-x64
3bloxflip.p...ors.py
windows10-2004-x64
3bloxflip.p...est.py
windows7-x64
3bloxflip.p...est.py
windows10-2004-x64
3Analysis
-
max time kernel
87s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2023, 20:38
Static task
static1
Behavioral task
behavioral1
Sample
bloxflip.py-main/bloxflip/account.py
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral2
Sample
bloxflip.py-main/bloxflip/account.py
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
bloxflip.py-main/bloxflip/client.py
Resource
win7-20230824-en
windows7-x64
Behavioral task
behavioral4
Sample
bloxflip.py-main/bloxflip/client.py
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
bloxflip.py-main/bloxflip/crash.py
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral6
Sample
bloxflip.py-main/bloxflip/crash.py
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
bloxflip.py-main/bloxflip/jackpot.py
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral8
Sample
bloxflip.py-main/bloxflip/jackpot.py
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
bloxflip.py-main/bloxflip/mine.py
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral10
Sample
bloxflip.py-main/bloxflip/mine.py
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
bloxflip.py-main/bloxflip/utilities/errors.py
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral12
Sample
bloxflip.py-main/bloxflip/utilities/errors.py
Resource
win10v2004-20230824-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
bloxflip.py-main/test.py
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral14
Sample
bloxflip.py-main/test.py
Resource
win10v2004-20230703-en
windows10-2004-x64
General
-
Target
bloxflip.py-main/bloxflip/account.py
-
Size
625B
-
MD5
365dbb0bd6d3cfdd1a4077e7c5ec66c7
-
SHA1
bcefb0d17dc1766d4d451bb656575e8dd8465c3b
-
SHA256
f2cf0c1d72b1a6cd223f3da0baba2bbf1edc33df5838b05a6e3c63cdc9651534
-
SHA512
61761b880b187970c09b89239f0cc702e26c83918d8459086aabe71899fe7173d9f0e071ac2be510d2e71e66e29d8f8796b434abccdfcfa01e26e24df0c953a8
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings cmd.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 892 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2580 OpenWith.exe -
Suspicious use of SetWindowsHookEx 47 IoCs
pid Process 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe 2580 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2580 wrote to memory of 892 2580 OpenWith.exe 93 PID 2580 wrote to memory of 892 2580 OpenWith.exe 93
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\bloxflip.py-main\bloxflip\account.py1⤵
- Modifies registry class
PID:4028
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\bloxflip.py-main\bloxflip\account.py2⤵
- Opens file in notepad (likely ransom note)
PID:892
-