Analysis Overview
SHA256
920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
Threat Level: Shows suspicious behavior
The file BlitzedGrabberV12.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-09 17:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-09 17:18
Reported
2023-10-09 17:20
Platform
win10v2004-20230915-en
Max time kernel
47s
Max time network
50s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
| MD5 | 9af5eb006bb0bab7f226272d82c896c7 |
| SHA1 | c2a5bb42a5f08f4dc821be374b700652262308f0 |
| SHA256 | 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db |
| SHA512 | 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a |