Overview
overview
7Static
static
3DeepwokenM....4.exe
windows10-2004-x64
7DeepwokenM...er.exe
windows10-2004-x64
7DeepwokenM...ME.txt
windows10-2004-x64
1DeepwokenM...ox.dll
windows10-2004-x64
1DeepwokenM...ns.dll
windows10-2004-x64
1DeepwokenM...on.dll
windows10-2004-x64
1DeepwokenM...UI.dll
windows10-2004-x64
1DeepwokenM...le.dll
windows10-2004-x64
1DeepwokenM...ty.dll
windows10-2004-x64
1DeepwokenM...rk.dll
windows10-2004-x64
1DeepwokenM...gs.txt
windows10-2004-x64
1Analysis
-
max time kernel
39s -
max time network
41s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
18/04/2024, 09:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
DeepwokenMaster/Bloxstrap-v2.5.4.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
DeepwokenMaster/Loader.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
12 signatures
150 seconds
Behavioral task
behavioral3
Sample
DeepwokenMaster/README.txt
Resource
win10v2004-20240412-en
windows10-2004-x64
1 signatures
150 seconds
Behavioral task
behavioral4
Sample
DeepwokenMaster/bin/FastColoredTextBox.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral5
Sample
DeepwokenMaster/bin/Microsoft.Expression.Interactions.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral6
Sample
DeepwokenMaster/bin/Newtonsoft.Json.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral7
Sample
DeepwokenMaster/bin/Siticone.UI.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral8
Sample
DeepwokenMaster/bin/System.ValueTuple.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral9
Sample
DeepwokenMaster/bin/System.Windows.Interactivity.dll
Resource
win10v2004-20240412-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral10
Sample
DeepwokenMaster/bin/WPFSpark.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral11
Sample
DeepwokenMaster/configs/Settings.txt
Resource
win10v2004-20240412-en
windows10-2004-x64
1 signatures
150 seconds
General
-
Target
DeepwokenMaster/Bloxstrap-v2.5.4.exe
-
Size
7.6MB
-
MD5
dbb820772caf0003967ef0f269fbdeb1
-
SHA1
31992bd4977a7dfeba67537a2da6c9ca64bc304c
-
SHA256
b2ac1e407ed3ecd7c7faa6de929a68fb51145662cf793c40b69eb59295bba6bc
-
SHA512
e8ac879c7198dffb78bc6ee4ad49b5de40a5a7dbbda53d427d0a034941487d13c8bb2b8d590a1fcdd81cd6abb8f21fdfcd52924eb00c45a42ee06c1e4b3d590f
-
SSDEEP
98304:XNd5DSd5DxTsed5D2ZT00UuOYoHwfLk3vSmaR0+Mc4AN0edaAHDfysrTl1:X+sdtObAbN0u
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation Bloxstrap-v2.5.4.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133579079442950470" chrome.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1424 chrome.exe 1424 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
description pid Process Token: SeDebugPrivilege 576 Bloxstrap-v2.5.4.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe Token: SeShutdownPrivilege 1424 chrome.exe Token: SeCreatePagefilePrivilege 1424 chrome.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe 1424 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1424 wrote to memory of 1124 1424 chrome.exe 99 PID 1424 wrote to memory of 1124 1424 chrome.exe 99 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 3456 1424 chrome.exe 100 PID 1424 wrote to memory of 2416 1424 chrome.exe 101 PID 1424 wrote to memory of 2416 1424 chrome.exe 101 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102 PID 1424 wrote to memory of 2320 1424 chrome.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\DeepwokenMaster\Bloxstrap-v2.5.4.exe"C:\Users\Admin\AppData\Local\Temp\DeepwokenMaster\Bloxstrap-v2.5.4.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:576
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff84008ab58,0x7ff84008ab68,0x7ff84008ab782⤵PID:1124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1960,i,15289179749356538550,12415501045916731579,131072 /prefetch:22⤵PID:3456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1960,i,15289179749356538550,12415501045916731579,131072 /prefetch:82⤵PID:2416
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1960,i,15289179749356538550,12415501045916731579,131072 /prefetch:82⤵PID:2320
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1960,i,15289179749356538550,12415501045916731579,131072 /prefetch:12⤵PID:3092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1960,i,15289179749356538550,12415501045916731579,131072 /prefetch:12⤵PID:1360
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1960,i,15289179749356538550,12415501045916731579,131072 /prefetch:12⤵PID:2812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3988 --field-trial-handle=1960,i,15289179749356538550,12415501045916731579,131072 /prefetch:82⤵PID:3096
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1960,i,15289179749356538550,12415501045916731579,131072 /prefetch:82⤵PID:3776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1960,i,15289179749356538550,12415501045916731579,131072 /prefetch:82⤵PID:5248
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=1960,i,15289179749356538550,12415501045916731579,131072 /prefetch:82⤵PID:5264
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1960,i,15289179749356538550,12415501045916731579,131072 /prefetch:82⤵PID:5416
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:1480
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
6KB
MD53aaf0858a691508c0d89fb01737b85f6
SHA13283b32240bedc3ba507e89f9fee083b9a8f8609
SHA256039be2b6dcde4536bdeca1e6cb84fde987dfde492a4dfbb06de3883385f19897
SHA51296b1c118e8f69b166bb80ebc5f19eeadfdcd5115e368160f6bbdef063297f4665632bdf7d4df0110dfdbe75302c3df4210ba1d98cdfc6c0150535e4013fb3c1c
-
Filesize
16KB
MD5331c5947db468e35cf9fc529b8e53ad8
SHA1e99227657e2f09fd92ff42d2b42dbc7e7af9b576
SHA256095560f9f339bc9937b89784d8c9607c453da2cb4bc4134b55b03ee0373bf509
SHA512f063ed5d3990c34cc7f0372b7a4015f53519ec3ca8fec94e3d4f00d76cba3da26ae0369cf09dae0e8ac2ea47758c5007fd3519a40f0abef699cd0c33b6c5a6cb
-
Filesize
251KB
MD5392d3901fa992c4a667e90a641ae2edc
SHA10867f3ac57926a6d838db23720812d6a7fa607b2
SHA256d5e0d732d1ffcfce12f834e0afc77ef19dce290614225fa58d35a0e42e1b2e45
SHA512d56456861c6c5cc0c333518c826a47fb890639b8a0017993573f5b0a30865aded02c401f7039631fa728ba984144c21e6e9ada50db3239a24ff3f69a2ae987fd