Analysis Overview
SHA256
920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
Threat Level: Shows suspicious behavior
The file BlitzedGrabberV12.exe was classified as showing suspicious behavior. The summary below aggregates three analyses (static1, behavioral1, behavioral2); note that in behavioral1 several of the listed signatures (Drops file in Windows directory, Checks SCSI registry key(s), Modifies registry class, Suspicious use of AdjustPrivilegeToken) are attributed to C:\Windows\system32\taskmgr.exe rather than to the sample, and none of them fire in behavioral2, where taskmgr.exe does not run.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Drops file in Windows directory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-09 18:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-09 18:33
Reported
2023-10-09 18:35
Platform
win10-20230915-en
Max time kernel
64s
Max time network
34s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
The only dropped file recorded in either run is GunaDotNetRT.dll under a GUID-named Temp subdirectory (see Files). The directory name dcfb00f9-5ae7-4197-ba59-e48107e40d35 is identical in behavioral1 and behavioral2, so the full path, not only the file hash, is usable as an indicator.
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| 33 matches recorded, none with a description, indicator, process or target | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 (unresolved privilege LUID; 33 is SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege (SeIncreaseBasePriorityPrivilege) | N/A | C:\Windows\system32\taskmgr.exe | N/A |
All five privilege adjustments are attributed to taskmgr.exe, not to BlitzedGrabberV12.exe.
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
Files
memory/3880-1-0x0000000073900000-0x0000000073FEE000-memory.dmp
memory/3880-0-0x0000000000F50000-0x00000000010FC000-memory.dmp
memory/3880-2-0x0000000006100000-0x00000000065FE000-memory.dmp
memory/3880-3-0x0000000005B00000-0x0000000005B92000-memory.dmp
memory/3880-4-0x0000000005BF0000-0x0000000005C00000-memory.dmp
memory/3880-5-0x0000000005A80000-0x0000000005A8A000-memory.dmp
memory/3880-6-0x0000000005E30000-0x0000000006022000-memory.dmp
\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
| MD5 | 9af5eb006bb0bab7f226272d82c896c7 |
| SHA1 | c2a5bb42a5f08f4dc821be374b700652262308f0 |
| SHA256 | 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db |
| SHA512 | 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a |
memory/3880-14-0x0000000070560000-0x0000000070597000-memory.dmp
memory/3880-15-0x0000000072370000-0x00000000723F0000-memory.dmp
memory/3880-16-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-17-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-19-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-21-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-23-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-25-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-27-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-29-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-31-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-33-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-35-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-37-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-39-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-41-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-43-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-45-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-47-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-49-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-51-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-53-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-55-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-57-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-59-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-61-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-63-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-65-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-67-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-69-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-71-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-73-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-75-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-77-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-417-0x0000000073900000-0x0000000073FEE000-memory.dmp
memory/3880-487-0x0000000005BF0000-0x0000000005C00000-memory.dmp
memory/3880-597-0x0000000070560000-0x0000000070597000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-09 18:33
Reported
2023-10-09 18:36
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| 33 matches recorded, none with a description, indicator, process or target | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
Network
All six rows are reverse (PTR) lookups sent to 8.8.8.8:53. The address each name encodes is its four leading labels read back to front (2.136.104.51.in-addr.arpa is 51.104.136.2). The report records no forward lookups and no connections to the decoded addresses.
| Country | Destination | Domain (PTR query name) | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
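The following is an added example, not part of the sandbox report, that decodes the six PTR query names above into the addresses they encode. It also handles ip6.arpa names, which the report does not contain, so that the same helper works on other reports; the list REPORT_PTR_NAMES is copied from the table above.

```python
import ipaddress

# PTR query names copied from the behavioral2 Network table of this report.
REPORT_PTR_NAMES = [
    "2.136.104.51.in-addr.arpa",
    "23.159.190.20.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "50.23.12.20.in-addr.arpa",
    "206.23.85.13.in-addr.arpa",
    "43.229.111.52.in-addr.arpa",
]


def ptr_name_to_ip(name: str) -> str:
    """Decode an in-addr.arpa (IPv4) or ip6.arpa (IPv6) PTR query name.

    Raises ValueError for anything that is not a well-formed reverse name.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f"expected 4 octets in {name!r}")
        # The octets are listed least-significant first, so reverse them;
        # IPv4Address validates the result (range, no stray characters).
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"expected 32 single-nibble labels in {name!r}")
        hexstr = "".join(reversed(nibbles))
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"not a reverse-DNS name: {name!r}")


def decode_report(names):
    """Map each PTR query name from the report to the address it encodes."""
    return {n: ptr_name_to_ip(n) for n in names}


if __name__ == "__main__":
    for name, ip in decode_report(REPORT_PTR_NAMES).items():
        print(f"{name:<32} -> {ip}")
```

The decoded addresses are the peers the sandbox host was resolving in reverse; whether the sample or the operating system initiated the traffic to them is not something this report states, so treat them as context rather than as indicators.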
Files
memory/3648-1-0x0000000000430000-0x00000000005DC000-memory.dmp
memory/3648-0-0x00000000751E0000-0x0000000075990000-memory.dmp
memory/3648-2-0x0000000005700000-0x0000000005CA4000-memory.dmp
memory/3648-3-0x0000000004FA0000-0x0000000005032000-memory.dmp
memory/3648-4-0x0000000005140000-0x0000000005150000-memory.dmp
memory/3648-5-0x0000000005150000-0x000000000515A000-memory.dmp
memory/3648-6-0x0000000005310000-0x0000000005502000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
| MD5 | 9af5eb006bb0bab7f226272d82c896c7 |
| SHA1 | c2a5bb42a5f08f4dc821be374b700652262308f0 |
| SHA256 | 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db |
| SHA512 | 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a |
memory/3648-14-0x00000000718E0000-0x0000000071917000-memory.dmp
memory/3648-15-0x0000000073BF0000-0x0000000073C79000-memory.dmp
memory/3648-16-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-17-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-19-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-21-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-23-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-25-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-27-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-29-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-31-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-33-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-35-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-37-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-39-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-41-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-43-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-45-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-47-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-49-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-51-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-53-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-55-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-57-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-59-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-61-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-63-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-65-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-67-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-69-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-71-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-73-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-75-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-77-0x0000000005310000-0x00000000054FE000-memory.dmp
memory/3648-369-0x00000000751E0000-0x0000000075990000-memory.dmp
memory/3648-424-0x0000000005140000-0x0000000005150000-memory.dmp
memory/3648-498-0x00000000718E0000-0x0000000071917000-memory.dmp
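The memory dump listings in both behavioral analyses share one pattern: after the first dump of a region at 0x5E30000 (behavioral1, pid 3880) or 0x5310000 (behavioral2, pid 3648), a slightly smaller region at the same base (0x1EE000 bytes, ending 0x4000 earlier) is dumped 32 more times, while every other region is dumped at most three times. That recurring region is the one to open first when looking for the deobfuscated code of an Agile.Net-protected sample. The script below is an added example, not part of the report, that parses the dump names and ranks regions by how often they recur and flags bases that appear with more than one size. It reads the first number in a name as the process id and the second as a dump sequence number; that reading of the sandbox's naming is an assumption, not stated in the report. REPORT_DUMPS is a subset of the behavioral1 listing (the first seven entries, the first five of the 32 repeated dumps, and the three trailing entries).

```python
import re
from collections import defaultdict

# Subset of the behavioral1 Files listing of this report (constructed here
# from the report text; the full listing has 32 dumps of the 0x5E30000 region).
REPORT_DUMPS = """\
memory/3880-1-0x0000000073900000-0x0000000073FEE000-memory.dmp
memory/3880-0-0x0000000000F50000-0x00000000010FC000-memory.dmp
memory/3880-2-0x0000000006100000-0x00000000065FE000-memory.dmp
memory/3880-3-0x0000000005B00000-0x0000000005B92000-memory.dmp
memory/3880-4-0x0000000005BF0000-0x0000000005C00000-memory.dmp
memory/3880-5-0x0000000005A80000-0x0000000005A8A000-memory.dmp
memory/3880-6-0x0000000005E30000-0x0000000006022000-memory.dmp
memory/3880-14-0x0000000070560000-0x0000000070597000-memory.dmp
memory/3880-15-0x0000000072370000-0x00000000723F0000-memory.dmp
memory/3880-16-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-17-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-19-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-21-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-23-0x0000000005E30000-0x000000000601E000-memory.dmp
memory/3880-417-0x0000000073900000-0x0000000073FEE000-memory.dmp
memory/3880-487-0x0000000005BF0000-0x0000000005C00000-memory.dmp
memory/3880-597-0x0000000070560000-0x0000000070597000-memory.dmp
"""

# Assumed name layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump file name into pid, sequence number and address range."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def summarize(listing):
    """Group dumps by (start, end) and rank regions by how often they recur.

    Ties are broken by the earliest sequence number, so the order is stable.
    """
    groups = defaultdict(list)
    for line in listing.splitlines():
        if line.strip():
            d = parse_dump_name(line)
            groups[(d["start"], d["end"])].append(d["seq"])
    rows = [{"start": s, "end": e, "size": e - s,
             "count": len(seqs), "seqs": sorted(seqs)}
            for (s, e), seqs in groups.items()]
    rows.sort(key=lambda r: (-r["count"], r["seqs"][0]))
    return rows


def resized_regions(rows):
    """Base addresses that were dumped with more than one end address."""
    ends = defaultdict(set)
    for r in rows:
        ends[r["start"]].add(r["end"])
    return {base: sorted(e) for base, e in ends.items() if len(e) > 1}


if __name__ == "__main__":
    rows = summarize(REPORT_DUMPS)
    for r in rows:
        print(f"0x{r['start']:08X}-0x{r['end']:08X} size=0x{r['size']:X} "
              f"dumps={r['count']} seqs={r['seqs']}")
    for base, ends in resized_regions(rows).items():
        print(f"base 0x{base:08X} seen with ends {[hex(e) for e in ends]}")
```

Run against the full listing of either analysis, the top row is the 0x1EE000-byte region (32 dumps) and the only resized base is that same address, which is the practical reading of these listings: one large region that the sample keeps rewriting while everything else stays put.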