cde41e7f12e6c1eb4f5fc935c4dc706154eaea25b973b23754e8a0ebdc023767

Resubmissions

08/03/2024, 20:20

240308-y4k6msgb5w 4

08/03/2024, 20:20

240308-y4dfssgb4y 1

08/03/2024, 20:18

240308-y3c4msfc56 1

Analysis

max time kernel
77s
max time network
44s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bloxtrap-Client_690829.exe
Size

27.5MB
MD5

44f38a48c3d18b99ebb434e8ed22728f
SHA1

0d2ed15ee98daf8ceaf2570786d12288b2e490be
SHA256

cde41e7f12e6c1eb4f5fc935c4dc706154eaea25b973b23754e8a0ebdc023767
SHA512

f77aa94ebc6c874619b6c74887d6faf0bdf53aa6cf0c7d26de1713cfbf3d9ebf68185975700cf1c4c912919f9c0a94042aed59fe3ef08f76f0d8a604a4898de8
SSDEEP

786432:huqpkq8b6McvEVrbYlXFoiM6ofQZTib6fzfHwSN2MbSZNjt3KWAv6C:KFfQZ86fTHwSN2MbSZXKW9C

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
872	ffmpeg.exe

Loads dropped DLL 8 IoCs

pid	Process
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1944	Process not Found

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
452	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2384	Bloxtrap-Client_690829.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	Bloxtrap-Client_690829.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2384	Bloxtrap-Client_690829.exe

C:\Users\Admin\AppData\Local\Temp\Bloxtrap-Client_690829.exe
"C:\Users\Admin\AppData\Local\Temp\Bloxtrap-Client_690829.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2384

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2976

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:452

C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe
"C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe"
1⤵
- Executes dropped EXE
PID:872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\README.txt

Filesize
38KB

MD5
05c7d5fdc667561828f764eb3d686889

SHA1
77eab2c4e756b8ea6c08d7983c10a499650e73fd

SHA256
64638abe9d00547c03ea1a94ab0d6188f274fcb4fbe9b59981bfa67344918027

SHA512
4de84fb664d1a51df427d9dc2f8a04b9138684038cb9ba29d8a93a9cca589eebc0d9e92d2c73ee3f973f36e5c1b974eee84b0a8d776458bd7ee7edd14b1df4d0

Download Submit
C:\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe

Filesize
4.9MB

MD5
73128b114f748b34959c3498c2b4437e

SHA1
d3eba035c6d1aabf761361a5405a8a0dbbbd603e

SHA256
49ee6ced14080f3abd9d47ab89fff5df28441b1429a2b62945c4e39991e08889

SHA512
587eba772552c6bff08291a11fcc07150de89fe658343148f744bd0c95b504551b365f0d810f499b6ca1771e2377ed162a4414fa63bc5d0cfd6b1699c9c1ad48

Download Submit
\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe

Filesize
17.1MB

MD5
cd56b12249f4233aee8f1923df08c3bf

SHA1
6e3787f89784e23f6a49f788bd6dda61374eaedf

SHA256
7a5801f2515aec1edb780590adf997fc42cd84f8f08605dd16cd00dca36f5787

SHA512
e71dfd7118253e8ae8f1cf9a0e3d50871cfe42f52e017f3e687eccefb0f367a441c69ce44330a296bd16548547a852ab6a463e59f84908a470087d76b1f5a02c

Download Submit
\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe

Filesize
15.2MB

MD5
52900d44b6890edb08149c258f7de191

SHA1
5797af705bf5c600933a451934aacf8484cd7012

SHA256
750a53243922cb3d4d83c4eed5a3e6f1e4d148d21ae4fda8ee5d2916eb7aada5

SHA512
98bebbcf9e5589e5e24577de1ca8af759546b6de131e4fe93202166480f4651ea91d70bebd502aee9fccc7393a9ff0291806a8c11f9ae779abac9edfeaff2970

Download Submit
\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe

Filesize
16.1MB

MD5
4330620d2b1d501bafa542cd63909dc7

SHA1
ebe65859540480535f97f72250aed570a1d24103

SHA256
99a0cdaa1dda7668b8d2e6e586b2928b76c683801b80477d5174f10f793544d7

SHA512
3aa84e79ca5d53fc22b133c3fdf359171600260dbbab071c421aed18c3caed98d95fc7fbea27f063090b03685041768f3a21713a0ca164362e9fe8d4e68ebe89

Download Submit
\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe

Filesize
3.9MB

MD5
e7baafded48472dee954c075528771b4

SHA1
d4eff614deaa2500753034d785834ede17e45e4a

SHA256
cee96f148f12e6d0861b0e13945518e562fa7d71568a1c6614861b15917c9c04

SHA512
c516ce6b7210b55d57ae5790e1bbd0d289bf5dda23b81d6c261de6428d86b07a2ad57084f955766c6d4ea5d5d1c9e6fe6dea6687effda89858e9e0af5ec14b98

Download Submit
\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe

Filesize
4.1MB

MD5
a06fbbfca1f2c71710173307631a791a

SHA1
9a658249bbeb7adbba5b00316a2de94775cd5e2b

SHA256
11643122ccd6758a8606bbc910e8b0334ef7786340f1a731b12be381f8b1611b

SHA512
dbca8a7a19aa72a9ba635629cd074ff8efbf7ecfe0b32cb2fba876979d33ace4d1a17ca86a60199231fca2dde7b1c725fab7f0643d27cdf7242f4a6a36e7d445

Download Submit
\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe

Filesize
4.3MB

MD5
a9ee9554d4ad5afa80632532a9654957

SHA1
9f4fbc3a7996e1ee9b2ec9c56589435ce3264d77

SHA256
2ee8f63e8ca90d919d83fdf643707c8b4fbf396f0748de714828d6992cc6885a

SHA512
2070d3bd62647b9e69319e58806e2c939581a893abace9baf26088bc5efbf099c000a5cc3a95dfdbc57d3f561c699c9bb6dbe0ad9857c0b3a18b5d2653528bce

Download Submit
\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe

Filesize
3.7MB

MD5
b73afa47a43f7c16659c1045ad3d7faf

SHA1
623ff0aa3a783a216dc1e907d3be0a541ec83f6b

SHA256
71d99b4af6fa5ce131fb440729e1de414343ecd034b523f0842fd0f8c1972574

SHA512
6a4405fb52fb68ae36f42bcc6c67313168da66738f7c9b22929fc6274ecc93473af310ff418ab37c4299498af0bc3389e596017744932eb8b3a4ab975d9e6942

Download Submit
\Users\Admin\AppData\Roaming\FFmpeg\ffmpeg\bin\ffmpeg.exe

Filesize
4.2MB

MD5
95656340988c4fdde99cf86ab04f68c5

SHA1
ce5d64216f0800cfe30db8435632aeab941d13a1

SHA256
ef6041757a19d2a35788182ee8b806460a52b84fbc7d024514163bac70d2527e

SHA512
664a245ce8a82b743a6a7168c4326013b0ed0fb595b284cfa0502c3ae4e4ecc5ec11287e55517759a1ce46b8c67edbe152193035e0a8517e78f87b5838b84f57

Download Submit
memory/872-94-0x000000013F570000-0x0000000140570000-memory.dmp

Filesize
16.0MB

Download