274086842325654e8c2e2f756629b4fc3532d2b54cbcea3ab207b23782fa56a7

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLdraftedCopy200524.exe
Size

472KB
MD5

04b8fc8f6182aa25305b19c0917aa7d7
SHA1

fcf7d768cb6ba5067723b694984fd20b8e0a079a
SHA256

f08569862f95f332a676932f77eed6f4321c1e6bf3f24a6f3398dc6608ca8353
SHA512

0118012b0eb44b91037b8a31fb5fd3fc55042d9009756badf221d9c24943e294521688cc90c47285ecd11d165a8c6b6bf4bcf6675d0412e2c385346e8cc53811
SSDEEP

12288:vi3hR5SANo8/O2zaKBtD1sJG9GIzwmG5hvnHQ:K3hv5j/zbDmskwwm+dQ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

Processes:

BLdraftedCopy200524.exe

pid process

2280 BLdraftedCopy200524.exe
2280 BLdraftedCopy200524.exe
2280 BLdraftedCopy200524.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

BLdraftedCopy200524.exeBLdraftedCopy200524.exe

pid process

2280 BLdraftedCopy200524.exe
4592 BLdraftedCopy200524.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

BLdraftedCopy200524.exe

description pid process target process

PID 2280 set thread context of 4592 2280 BLdraftedCopy200524.exe BLdraftedCopy200524.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

BLdraftedCopy200524.exe

pid process

2280 BLdraftedCopy200524.exe

pid	process
2280	BLdraftedCopy200524.exe
2280	BLdraftedCopy200524.exe
2280	BLdraftedCopy200524.exe

pid	process
2280	BLdraftedCopy200524.exe
4592	BLdraftedCopy200524.exe

description	pid	process	target process
PID 2280 set thread context of 4592	2280	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe

pid	process
2280	BLdraftedCopy200524.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

BLdraftedCopy200524.exe

description	pid	process	target process
PID 2280 wrote to memory of 4592	2280	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2280 wrote to memory of 4592	2280	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2280 wrote to memory of 4592	2280	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2280 wrote to memory of 4592	2280	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe
PID 2280 wrote to memory of 4592	2280	BLdraftedCopy200524.exe	BLdraftedCopy200524.exe

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
"C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe
"C:\Users\Admin\AppData\Local\Temp\BLdraftedCopy200524.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa6013.tmp\BgImage.dll

Filesize
7KB

MD5
9436196007f65f0ae96f64b1c8b2572e

SHA1
4b004b5c2865c9450876be83faa8cc96e1d12c01

SHA256
286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9

SHA512
5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa6013.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa6013.tmp\nsDialogs.dll

Filesize
9KB

MD5
82c3f38cd34739872af07443c65d0bd8

SHA1
1f4ee2d394404a291eda6419f856adaf4b960237

SHA256
59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311

SHA512
3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Krydsrevisionernes.lnk

Filesize
942B

MD5
2fe82fd4d941121fc8da8af1141e3bfb

SHA1
02f001f05177fd71642157fd235e375d8489b197

SHA256
bea2b4fc97cae0f0b514a60c43e6a55fe67e3f733e3734a7cdf5e7860a56372d

SHA512
3fd58d84ae39130fcf30737bc4310d02d632b54036731484669b0dac4882691a14f64680a5a33580e75f2bd5ec1b6efb7a4529fae666af55edebc986918654ab

Download Submit
memory/2280-45-0x00000000771B1000-0x00000000772D1000-memory.dmp

Filesize
1.1MB

Download
memory/2280-46-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/4592-47-0x0000000077238000-0x0000000077239000-memory.dmp

Filesize
4KB

Download
memory/4592-48-0x0000000077255000-0x0000000077256000-memory.dmp

Filesize
4KB

Download
memory/4592-49-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/4592-51-0x00000000771B1000-0x00000000772D1000-memory.dmp

Filesize
1.1MB

Download