Malware Analysis Report

2025-05-05 22:24

Sample ID 231009-vvqg8aeh7v
Target BlitzedGrabberV12.exe
SHA256 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
Tags
agilenet
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709

Threat Level: Shows suspicious behavior

The file BlitzedGrabberV12.exe shows suspicious behavior (score 7/10). Two signatures fire on the sample process itself: the binary is obfuscated with Agile.Net, and it drops GunaDotNetRT.dll into a GUID-named folder under %LOCALAPPDATA%\Temp and loads it. The SCSI registry key checks, process enumeration and AdjustPrivilegeToken hits are all attributed to C:\Windows\system32\taskmgr.exe, a second process in the process list; the report does not record which process launched it, so those hits should not be credited to the sample without a process tree. No outbound connection is recorded in the 50 s network window; the only traffic is reverse-DNS (PTR) lookups sent to 8.8.8.8.

Malicious Activity Summary

agilenet

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-09 17:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-09 17:18

Reported

2023-10-09 17:20

Platform

win10v2004-20230915-en

Max time kernel

47s

Max time network

50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (signature matched 33 times; no description, indicator, process or target was recorded for any hit)

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
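The three rows above are all opens of one device-instance key, so the useful question for a triage analyst is what vendor and product strings the key carries: stock hypervisor disks advertise themselves (VBOX HARDDISK, VMware Virtual disk, QEMU HARDDISK), and a sandbox that rewrites them to something like DADY HARDDISK is hiding that. The parser below is an added example, not part of the sandbox report; the VM marker list and the helper names are my own assumptions, and the report's key path is embedded as constructed input. Note that in this report the process doing the reads is taskmgr.exe, and reading a disk's FriendlyName to display it is exactly what Task Manager does, so a match here is not on its own evidence of sandbox evasion by the sample.

```python
"""Classify SCSI device-instance paths like those in the
'Checks SCSI registry key(s)' signature.  Added example; not from the report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the first key the report shows being opened.
REPORT_KEY = (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
              r"\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000")

# Assumption: substrings that identify a hypervisor-backed disk in the
# vendor/product fields of the default (unmasked) device identifiers.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN", "MSFT")

# <class>&Ven_<vendor>&Prod_<product> directly under \Enum\SCSI\
_DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)",
    re.IGNORECASE)


@dataclass(frozen=True)
class ScsiDevice:
    device_class: str
    vendor: str
    product: str

    @property
    def looks_virtual(self) -> bool:
        """True when the vendor/product pair carries a known hypervisor marker."""
        ident = f"{self.vendor} {self.product}".upper()
        return any(marker in ident for marker in VM_MARKERS)


def parse_scsi_key(key: str) -> Optional[ScsiDevice]:
    """Extract class, vendor and product from a registry path; None if not SCSI."""
    m = _DEVICE_RE.search(key)
    if not m:
        return None
    return ScsiDevice(m["cls"], m["ven"], m["prod"])


def classify_keys(keys) -> List[ScsiDevice]:
    """Collapse every opened key/value path onto its distinct device, so the
    three rows in the report (key, Properties sub-key, FriendlyName value)
    come back as a single device."""
    seen = {}
    for key in keys:
        dev = parse_scsi_key(key)
        if dev is not None:
            seen[(dev.device_class, dev.vendor, dev.product)] = dev
    return list(seen.values())


if __name__ == "__main__":
    for dev in classify_keys([REPORT_KEY, REPORT_KEY + r"\FriendlyName"]):
        print(dev, "virtual" if dev.looks_virtual else "not a known VM identifier")
```

Run against the report's rows this yields one device, vendor DADY, product HARDDISK, with no hypervisor marker, which is consistent with a sandbox that masks its disk identity rather than with a bare VM.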

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (6 identical hits)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege; name not resolved by the sandbox) N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain (query name) Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
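Every row in the table is a reverse-DNS (PTR) query, so the hosts being looked up are hidden in reversed octets. The helper below turns the in-addr.arpa names back into addresses and separates PTR lookups from any forward query, which is the first thing to look for when deciding whether a sample resolved a C2 host. It is an added example, not part of the report; the rows are copied from the table above as constructed input, and the function names are my own. Whether these lookups were issued by the sample or by the OS cannot be decided from this table alone.

```python
"""Recover the IPv4 addresses behind the PTR queries in the Network table.
Added example; not part of the sandbox report."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (country, destination, query name, proto), copied from the report's table.
NETWORK_ROWS: List[Tuple[str, str, str, str]] = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "138.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "208.194.73.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "9.228.82.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "41.110.16.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.154.82.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "86.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "1.208.79.178.in-addr.arpa", "udp"),
]

_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str) -> Optional[str]:
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'; None if the name is not an IPv4 PTR name."""
    if not name.lower().endswith(_SUFFIX):
        return None
    labels = name[:-len(_SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows) -> Dict[str, list]:
    """Split the rows into resolved PTR targets and non-PTR (forward) queries,
    and list the resolvers used.  A forward query would be the first hint of
    the sample resolving a host of its own."""
    ptr_targets, forward = [], []
    for _country, _dst, name, _proto in rows:
        ip = ptr_to_ip(name)
        if ip is None:
            forward.append(name)
        else:
            ptr_targets.append(ip)
    return {
        "ptr_targets": ptr_targets,
        "forward_queries": forward,
        "resolvers": sorted({dst for _, dst, _, _ in rows}),
        "private_targets": [ip for ip in ptr_targets
                            if ipaddress.IPv4Address(ip).is_private],
    }


if __name__ == "__main__":
    for key, value in summarize(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

For this report the summary contains eleven PTR targets, no forward queries, a single resolver (8.8.8.8:53) and no private-range addresses, so the network window shows lookups of public hosts but no name resolution that can be tied to a command-and-control domain.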

Files

memory/3928-0-0x0000000075260000-0x0000000075A10000-memory.dmp

memory/3928-1-0x00000000005F0000-0x000000000079C000-memory.dmp

memory/3928-2-0x00000000056D0000-0x0000000005C74000-memory.dmp

memory/3928-3-0x00000000051C0000-0x0000000005252000-memory.dmp

memory/3928-4-0x00000000050E0000-0x00000000050F0000-memory.dmp

memory/3928-5-0x0000000005170000-0x000000000517A000-memory.dmp

memory/3928-6-0x0000000005C80000-0x0000000005E72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a
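The 'Loads dropped DLL' signature in behavioral1 and this Files entry together give a host-side indicator: GunaDotNetRT.dll written into a GUID-named folder directly under a user's Temp directory, with the four digests listed above. The hunt below, an added example that is not part of the report, walks a Temp root for that pattern, hashes every candidate and marks exact IOC matches. The digests are copied from the report; the directory tree built by demo() and the file bytes it writes are constructed, and deliberately do not match the IOC hashes, so that the code can be exercised offline.

```python
"""Hunt for GunaDotNetRT.dll dropped into a GUID-named Temp subfolder and
compare its digests with the report's IOCs.  Added example; not from the report."""
import hashlib
import os
import re
import shutil
import tempfile
from typing import Dict, List

DROPPED_NAME = "GunaDotNetRT.dll"

# Digests copied from the report's Files section.
IOC_DIGESTS: Dict[str, str] = {
    "md5": "9af5eb006bb0bab7f226272d82c896c7",
    "sha1": "c2a5bb42a5f08f4dc821be374b700652262308f0",
    "sha256": "77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db",
    "sha512": "7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1a"
              "bcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a",
}

# 8-4-4-4-12 hex GUID, as in the dropped path dcfb00f9-5ae7-4197-ba59-e48107e40d35
GUID_DIR_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def digests(path: str) -> Dict[str, str]:
    """Compute every digest in IOC_DIGESTS in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in IOC_DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hunt(temp_root: str) -> List[dict]:
    """One finding per DROPPED_NAME located directly inside a GUID-named
    subdirectory of temp_root; ioc_match is True only on a full digest match."""
    findings = []
    for entry in os.scandir(temp_root):
        if not (entry.is_dir(follow_symlinks=False) and GUID_DIR_RE.match(entry.name)):
            continue
        candidate = os.path.join(entry.path, DROPPED_NAME)
        if os.path.isfile(candidate):
            d = digests(candidate)
            findings.append({"path": candidate, "digests": d,
                             "ioc_match": d == IOC_DIGESTS})
    return findings


def demo() -> List[dict]:
    """Build a constructed Temp tree (one GUID folder with the DLL name, one
    decoy folder that must be ignored) and run hunt() over it."""
    root = tempfile.mkdtemp(prefix="hunt_demo_")
    try:
        hit_dir = os.path.join(root, "dcfb00f9-5ae7-4197-ba59-e48107e40d35")
        os.mkdir(hit_dir)
        with open(os.path.join(hit_dir, DROPPED_NAME), "wb") as fh:
            fh.write(b"MZ placeholder bytes, constructed, not the real DLL")
        decoy_dir = os.path.join(root, "notaguid")
        os.mkdir(decoy_dir)
        with open(os.path.join(decoy_dir, DROPPED_NAME), "wb") as fh:
            fh.write(b"decoy")
        return hunt(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "IOC match" if finding["ioc_match"] else "hash differs")
```

On a live host point hunt() at each user's AppData\Local\Temp; a file at the right path whose digests differ from the IOCs is still worth keeping, since a rebuilt sample can ship a different copy of the same DLL.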

memory/3928-14-0x0000000071960000-0x0000000071997000-memory.dmp

memory/3928-15-0x0000000073C70000-0x0000000073CF9000-memory.dmp

memory/3928-16-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-17-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-19-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-21-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-23-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-25-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-27-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-29-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-31-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-33-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-35-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-37-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-39-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-41-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-43-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-45-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-47-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-49-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-51-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-53-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-55-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-57-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-59-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-61-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-63-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-65-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-67-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-69-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-71-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-73-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-75-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-77-0x0000000005C80000-0x0000000005E6E000-memory.dmp

memory/3928-329-0x0000000075260000-0x0000000075A10000-memory.dmp

memory/3928-392-0x00000000050E0000-0x00000000050F0000-memory.dmp

memory/3928-501-0x0000000071960000-0x0000000071997000-memory.dmp