Analysis
- max time kernel: 64s
- max time network: 34s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 09/10/2023, 18:33
Static task: static1
Behavioral task: behavioral1
- Sample: BlitzedGrabberV12.exe
- Resource: win10-20230915-en
Behavioral task: behavioral2
- Sample: BlitzedGrabberV12.exe
- Resource: win10v2004-20230915-en
General
- Target: BlitzedGrabberV12.exe
- Size: 1.6MB
- MD5: 228a69dc15032fd0fb7100ff8561185e
- SHA1: f8dbc89fed8078da7f306cb78b92ce04a0bdeb00
- SHA256: 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
- SHA512: 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1
- SSDEEP: 24576:xxAskWeOT4n5lLHxnpL2Q/NLmKgDJ68p4C8BsePDigEoXh7O83igweBAWgt:PAznU4n9t2ELj18p4BDifoM83ig9Ap
Malware Config
Signatures
-
Loads dropped DLL (1 IoC)
  pid   Process
  3880  BlitzedGrabberV12.exe
Obfuscated with Agile.Net obfuscator (33 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                                                      yara_rule
  behavioral1/memory/3880-6-0x0000000005E30000-0x0000000006022000-memory.dmp    agile_net
  behavioral1/memory/3880-16-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-17-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-19-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-21-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-23-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-25-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-27-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-29-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-31-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-33-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-35-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-37-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-39-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-41-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-43-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-45-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-47-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-49-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-51-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-53-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-55-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-57-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-59-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-61-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-63-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-65-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-67-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-69-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-71-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-73-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-75-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
  behavioral1/memory/3880-77-0x0000000005E30000-0x000000000601E000-memory.dmp   agile_net
Drops file in Windows directory (2 IoCs)
  description   ioc                                                     Process
  File created  C:\Windows\rescache\_merged\4183903823\810424605.pri    taskmgr.exe
  File created  C:\Windows\rescache\_merged\1601268389\3877292338.pri   taskmgr.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                                              Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                                 taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A         taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                                    taskmgr.exe
Modifies registry class (1 IoC)
  description  ioc                                                                                     Process
  Key created  \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings    taskmgr.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid   Process
  2020  taskmgr.exe  (30 occurrences)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              2020  taskmgr.exe
  Token: SeSystemProfilePrivilege      2020  taskmgr.exe
  Token: SeCreateGlobalPrivilege       2020  taskmgr.exe
  Token: 33                            2020  taskmgr.exe
  Token: SeIncBasePriorityPrivilege    2020  taskmgr.exe
Suspicious use of FindShellTrayWindow (54 IoCs)
  pid   Process
  2020  taskmgr.exe  (54 occurrences)
Suspicious use of SendNotifyMessage (54 IoCs)
  pid   Process
  2020  taskmgr.exe  (54 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
  PID: 3880
  Signatures:
  - Loads dropped DLL
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2020
  Signatures:
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 784
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 136KB
  MD5: 9af5eb006bb0bab7f226272d82c896c7
  SHA1: c2a5bb42a5f08f4dc821be374b700652262308f0
  SHA256: 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
  SHA512: 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a