Analysis
Max time kernel: 31s
Max time network: 21s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 02/06/2024, 04:48
Static task: static1
Behavioral task: behavioral1
  Sample: BloxstrapModded-v.2.44.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: BloxstrapModded-v.2.44.exe
  Resource: win10v2004-20240508-en
General
Target: BloxstrapModded-v.2.44.exe
Size: 8.1MB
MD5: 15a687ef872a149e075daf9183e0dd06
SHA1: 855424e42c9aa2ed61c74f132a5fc85cf342154e
SHA256: e15dd2dbe65faa8c181cf1514e80cd64262215258a0e25b9b3f5bb439525c2d0
SHA512: 3af64000055d8b37d1cd0110126ed2324e1009d1fa28f9866c01303e150f0d76243e3b31b640e8d965948199c92c1faa452b3b5d0bc4ef8e17496149f17a2f27
SSDEEP: 196608:snVSUiMDl/at5sb8oIkkCcmtob/PVuS9U8gD3hIURja+yw2EcrE2cC:CSUrDlyt5s7HkCTob/tu8exIP+ywAr3c
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid  | Process
  2948 | BloxstrapModded-v.2.44.exe
  2788 | BloxstrapModded-v.2.44.exe
  2596 | Bloxstrap.exe
  1256 | Process not Found
- Loads dropped DLL (1 IoCs)
  pid  | Process
  2948 | BloxstrapModded-v.2.44.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  All keys below are relative to \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer
  description      | ioc (key relative to the prefix above) | Process
  Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created      | Main | iexplore.exe
  Key created      | BrowserEmulation\LowMic | iexplore.exe
  Key created      | Toolbar | iexplore.exe
  Set value (int)  | Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (str)  | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created      | IntelliForms | iexplore.exe
  Key created      | LowRegistry | iexplore.exe
  Set value (int)  | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created      | GPU | iexplore.exe
  Key created      | Toolbar\WebBrowser | iexplore.exe
  Key created      | LowRegistry\DOMStorage | iexplore.exe
  Key created      | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created      | Recovery\PendingRecovery | iexplore.exe
  Key created      | IETld\LowMic | iexplore.exe
  Key created      | Zoom | iexplore.exe
  Set value (int)  | Recovery\AdminActive\{70631C91-209B-11EF-A635-D2EFD46A7D0E} = "0" | iexplore.exe
  Key created      | Main | IEXPLORE.EXE
  Set value (int)  | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Key created      | InternetRegistry | iexplore.exe
  Set value (str)  | Main\FullScreen = "no" | iexplore.exe
  Set value (int)  | SearchScopes\DownloadRetries = "3" | iexplore.exe
  Key created      | Main\WindowsSearch | iexplore.exe
  Key created      | SearchScopes | iexplore.exe
  Key created      | PageSetup | iexplore.exe
  Key created      | Recovery\AdminActive | iexplore.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid  | Process
  2608 | iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid  | Process
  2608 | iexplore.exe
  2608 | iexplore.exe
  2772 | IEXPLORE.EXE
  2772 | IEXPLORE.EXE
  2772 | IEXPLORE.EXE
  2772 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                      | pid  | Process                    | procid_target
  PID 2304 wrote to memory of 2948 | 2304 | BloxstrapModded-v.2.44.exe | 28
  PID 2304 wrote to memory of 2948 | 2304 | BloxstrapModded-v.2.44.exe | 28
  PID 2304 wrote to memory of 2948 | 2304 | BloxstrapModded-v.2.44.exe | 28
  PID 2948 wrote to memory of 2788 | 2948 | BloxstrapModded-v.2.44.exe | 29
  PID 2948 wrote to memory of 2788 | 2948 | BloxstrapModded-v.2.44.exe | 29
  PID 2948 wrote to memory of 2788 | 2948 | BloxstrapModded-v.2.44.exe | 29
  PID 2948 wrote to memory of 2596 | 2948 | BloxstrapModded-v.2.44.exe | 30
  PID 2948 wrote to memory of 2596 | 2948 | BloxstrapModded-v.2.44.exe | 30
  PID 2948 wrote to memory of 2596 | 2948 | BloxstrapModded-v.2.44.exe | 30
  PID 2596 wrote to memory of 2608 | 2596 | Bloxstrap.exe              | 31
  PID 2596 wrote to memory of 2608 | 2596 | Bloxstrap.exe              | 31
  PID 2596 wrote to memory of 2608 | 2596 | Bloxstrap.exe              | 31
  PID 2608 wrote to memory of 2772 | 2608 | iexplore.exe               | 32
  PID 2608 wrote to memory of 2772 | 2608 | iexplore.exe               | 32
  PID 2608 wrote to memory of 2772 | 2608 | iexplore.exe               | 32
  PID 2608 wrote to memory of 2772 | 2608 | iexplore.exe               | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\BloxstrapModded-v.2.44.exe (PID 2304, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BloxstrapModded-v.2.44.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe (PID 2948, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe (PID 2788, depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\Bloxstrap.exe (PID 2596, depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Bloxstrap.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 2608, depth 4)
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.20&gui=true
        Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2772, depth 5)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:275457 /prefetch:2
          Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads