Analysis
Max time kernel: 144s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12-05-2024 17:14

Static task: static1
Behavioral task: behavioral1 (sample: BlastedCrack.exe, resource: win7-20240221-en)
General
Target: BlastedCrack.exe
Size: 549KB
MD5: 0321782a20a84473a2bf7204f4b94d49
SHA1: 0232950dfddc20314c4bed9815590191ce31283c
SHA256: f1273b7c08ddef61d8240de5fb61c780575b9330c4868c383076e21a79d03d22
SHA512: 5be35b75c329057f5cd81a532405cc55e5460a2992fc1a7e2585db68750215a80f9b019175d062a45291884da54431fe31f6f1b2daf600c25116857531eef0e5
SSDEEP: 12288:UCQjgAtAHM+vetZxF5EWry8AJGy0wT+t13X2F:U5ZWs+OZVEWry8AFU3X2F
Malware Config
Extracted
Family: 44caliber
Webhook: https://discord.com/api/webhooks/1217779080850706492/4knjig6DiCOeXSkGA1LGWaAo5XXa_s8z91RQ954jqRgqAhjOtgNK-aoBNJU45eHP5Ir2
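The extracted config is nothing more than the Discord webhook the stealer posts its loot to. What follows is an added example, not Triage's extractor and not the malware's code: it pulls such a URL out of a strings dump with a regex and decodes the creation time from the webhook ID, which is a Discord snowflake (the top 42 bits are milliseconds since 2015-01-01 UTC, per Discord's public API documentation). The strings dump is constructed for the example and only embeds the URL and hostnames already shown in this report; the accepted host variants (canary., ptb., discordapp.com) are an assumption about what other dumps may contain.

```python
"""Added example: recover a Discord webhook from a strings dump and date it.

44caliber's extracted config is a single Discord webhook URL. The webhook
ID is a Discord snowflake, so its creation time can be decoded offline
without ever touching the attacker's endpoint.
"""
import re
from datetime import datetime, timedelta, timezone

# Discord epoch: the first millisecond of 2015 (Discord API docs).
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# Webhook URL shape from the API docs; canary/ptb/discordapp hosts are assumed variants.
WEBHOOK_RE = re.compile(
    r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_\-]+)"
)

# Constructed strings-style dump (not a real dump) embedding the URL from the report.
SAMPLE_STRINGS = """\
!This program cannot be run in DOS mode.
https://discord.com/api/webhooks/1217779080850706492/4knjig6DiCOeXSkGA1LGWaAo5XXa_s8z91RQ954jqRgqAhjOtgNK-aoBNJU45eHP5Ir2
freegeoip.app
Control Panel\\International\\Geo\\Nation
"""


def find_webhooks(blob: str) -> list[tuple[str, str]]:
    """Return unique (webhook_id, token) pairs in order of first appearance."""
    seen: set[tuple[str, str]] = set()
    found: list[tuple[str, str]] = []
    for m in WEBHOOK_RE.finditer(blob):
        pair = (m.group(1), m.group(2))
        if pair not in seen:
            seen.add(pair)
            found.append(pair)
    return found


def snowflake_time(snowflake: int) -> datetime:
    """Creation time of a Discord snowflake: bits 63..22 are ms since DISCORD_EPOCH."""
    return DISCORD_EPOCH + timedelta(milliseconds=snowflake >> 22)


def describe_webhooks(blob: str) -> list[dict]:
    """Per webhook: id, UTC creation time, and a redacted token suitable for a ticket."""
    return [
        {
            "id": wid,
            "created_utc": snowflake_time(int(wid)).strftime("%Y-%m-%d %H:%M:%S"),
            "token_prefix": tok[:6] + "...",  # the token is the credential; never paste it whole
        }
        for wid, tok in find_webhooks(blob)
    ]


if __name__ == "__main__":
    for entry in describe_webhooks(SAMPLE_STRINGS):
        print(entry)
```

For this sample the ID decodes to 2024-03-14 10:19:18 UTC, roughly two months before the submission date, which is a useful lower bound on the campaign's age when pivoting on the webhook. The token in the URL is the only credential: do not POST to it from an analysis host, and treat the full URL as something to report to Discord rather than to reuse.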
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation (process: BlastedCrack.exe)

Executes dropped EXE (1 IoC)
  PID 2432: XWors.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 7: freegeoip.app
  flow 8: freegeoip.app

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2432: XWors.exe (3 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2432: XWors.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  PID 340 (BlastedCrack.exe) wrote to memory of PID 2432, procid_target 83 (2 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\BlastedCrack.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BlastedCrack.exe"
  PID: 340
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe (child of PID 340)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe"
    PID: 2432
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
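Taken one at a time, the signatures above are weak: plenty of installers read Geo\Nation and plenty of admin tooling holds SeDebugPrivilege. What makes this chain worth an alert is that every behaviour lands in a single process tree rooted at an executable in the user's Temp folder, with the second stage unpacked into a RarSFX0 subfolder. The following is an added example, not Triage's signature engine, that runs that correlation over constructed Sysmon-style events replaying the report's chain. The event field names, the IP-lookup host list and the self-extractor folder prefixes are assumptions, and the events are not real telemetry.

```python
"""Added example: correlate the reported behaviours across one process tree.

Constructed Sysmon-style events (not real telemetry) replay the chain from the
report: BlastedCrack.exe (pid 340) queries Geo\\Nation, writes into and spawns
XWors.exe (pid 2432) from a RarSFX0 temp folder, and the child takes
SeDebugPrivilege and resolves freegeoip.app. A benign notepad.exe is included
to show that it is not flagged.
"""
import re
from collections import defaultdict

# Assumed: public IP-lookup services worth flagging when called from a temp-dir binary.
IP_LOOKUP_HOSTS = {"freegeoip.app", "api.ipify.org", "ip-api.com"}
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Assumed self-extractor temp-folder prefixes (WinRAR SFX uses RarSFX<n>).
SFX_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\(?:RarSFX|7zS)[0-9A-Za-z]*\\", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

SAMPLE_EVENTS = [  # constructed, mirrors the process tree and IoCs in the report
    {"type": "process_create", "pid": 340, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\BlastedCrack.exe"},
    {"type": "registry_query", "pid": 340,
     "key": r"\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 2432, "ppid": 340,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe"},
    {"type": "process_access", "pid": 340, "target_pid": 2432, "access": "WriteProcessMemory"},
    {"type": "privilege_adjust", "pid": 2432, "privilege": "SeDebugPrivilege"},
    {"type": "dns_query", "pid": 2432, "query": "freegeoip.app"},
    {"type": "process_create", "pid": 5000, "ppid": 1234,
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "dns_query", "pid": 5000, "query": "update.microsoft.com"},
]


def build_tree(events):
    """pid -> ppid and pid -> image, from process_create events only."""
    parents, images = {}, {}
    for ev in events:
        if ev["type"] == "process_create":
            parents[ev["pid"]] = ev["ppid"]
            images[ev["pid"]] = ev["image"]
    return parents, images


def root_of(pid, parents):
    """Walk up to the highest ancestor whose creation we observed."""
    while pid in parents and parents[pid] in parents:
        pid = parents[pid]
    return pid


def detect(events):
    """Map each observed tree root to the distinct behaviours seen anywhere in its tree."""
    parents, images = build_tree(events)
    findings = defaultdict(list)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        root = root_of(pid, parents)
        if kind == "process_create":
            # Dropped second stage: SFX temp folder, launched by a Temp-resident parent.
            if SFX_DIR_RE.search(ev["image"]) and TEMP_DIR_RE.search(images.get(ev["ppid"], "")):
                findings[root].append("sfx_drop_exec")
        elif kind == "registry_query" and GEO_NATION_RE.search(ev["key"]):
            findings[root].append("geofence_check")
        elif kind == "process_access" and ev["access"] == "WriteProcessMemory" and ev["target_pid"] != pid:
            findings[root].append("cross_process_write")
        elif (kind == "privilege_adjust" and ev["privilege"] == "SeDebugPrivilege"
              and TEMP_DIR_RE.search(images.get(pid, ""))):
            findings[root].append("sedebug_from_temp")
        elif kind == "dns_query" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            findings[root].append("external_ip_lookup")
    return {root: sorted(set(names)) for root, names in findings.items()}


def alerts(events, min_behaviours=3):
    """Trees showing at least min_behaviours distinct behaviours; the rest stay quiet."""
    return {root: names for root, names in detect(events).items() if len(names) >= min_behaviours}


if __name__ == "__main__":
    for root, names in alerts(SAMPLE_EVENTS).items():
        print(f"tree rooted at pid {root}: {', '.join(names)}")
```

The per-tree scoring is the point: the Geo\Nation read or the SeDebugPrivilege grab alone would page someone for nothing, but five distinct behaviours under one Temp-resident root is the shape of this sample and of most SFX-wrapped stealers. Treat the threshold and the host list as starting points for your own telemetry.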
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 303KB
MD5: a147413e40194267cf19da405bbb8be4
SHA1: 8f1c9d6c88f1ca967ecd4e9749195ff006e59be1
SHA256: 652920284464f45452dd695167982d5f73909284063a21e66899ad785be5325c
SHA512: 4a8f3ebb1b4cb3fbea4fc0f0a0df44953ef33e5fc66b13ab3d02801e02e1deb171c4955e2331d526e2af1ac4de9b12b3b2e8994b3da7feff6e9b68fea457c0cd

File 2
Filesize: 992B
MD5: 9238ad2608f57aaac6da2b2a822701d4
SHA1: 21fc46daf0a8969a14bd07f9f9d10a1b2828036b
SHA256: 1ac3ca9e60cc963701872728a84e0bfbddafeb017e29a81867612ba706078279
SHA512: c110718703eac037a5f427ad64e3c135bb4481af8d147610eb7d5a9ec708736c21bc94f614c5264ef02ab4d64da1271d97d1266ed9c30644c7ddd44bdbcf4ea6