Analysis

  • max time kernel
    10s
  • max time network
    13s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 04:48

General

  • Target

    BloxstrapModded-v.2.44.exe

  • Size

    8.1MB

  • MD5

    15a687ef872a149e075daf9183e0dd06

  • SHA1

    855424e42c9aa2ed61c74f132a5fc85cf342154e

  • SHA256

    e15dd2dbe65faa8c181cf1514e80cd64262215258a0e25b9b3f5bb439525c2d0

  • SHA512

    3af64000055d8b37d1cd0110126ed2324e1009d1fa28f9866c01303e150f0d76243e3b31b640e8d965948199c92c1faa452b3b5d0bc4ef8e17496149f17a2f27

  • SSDEEP

    196608:snVSUiMDl/at5sb8oIkkCcmtob/PVuS9U8gD3hIURja+yw2EcrE2cC:CSUrDlyt5s7HkCTob/tu8exIP+ywAr3c

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BloxstrapModded-v.2.44.exe
    "C:\Users\Admin\AppData\Local\Temp\BloxstrapModded-v.2.44.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe
      "C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe
        "C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe"
        3⤵
        • Executes dropped EXE
        PID:1800
      • C:\Users\Admin\AppData\Roaming\Bloxstrap.exe
        "C:\Users\Admin\AppData\Roaming\Bloxstrap.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BloxstrapModded-v.2.44.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Roaming\Bloxstrap.exe

    Filesize

    7.6MB

    MD5

    04f41a01edd9d478ce2d0a1f9d3441d2

    SHA1

    718d0fd7603863da984f3a7eaad8efd3f8dfda77

    SHA256

    7ec833edb7296e73f3da4c0bb14f5d343de49a2230eb1304be80dd0228478996

    SHA512

    4eb43b9b37cf485eb936000b4a7f8f07f56d3c2cb9a5ba0c80faa216d5c8bf458bf57d2016c07c3a703f49f7c2742594eab06f2df90b36adb9e0d5ac0787f739

  • C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe

    Filesize

    8.1MB

    MD5

    c7317fde88040107d1275f241c2501f2

    SHA1

    1a59ee0f3fd658b62f0c031ce3a60d7cb2a7e366

    SHA256

    99452e83c11a91c6500e3f9aa0e069a419d29696d4df40d9ccc82d4961f12241

    SHA512

    ee68a4afe52358d6ab9476e050e5f990dacd6daf4e36bec1cc99dae8c73a0ea009381ac8184570fd0ecb277b6f791eba5f441b940a495233168335619b49283f

  • memory/3432-0-0x00007FF8EDF53000-0x00007FF8EDF55000-memory.dmp

    Filesize

    8KB

  • memory/3432-1-0x0000000000240000-0x0000000000A5E000-memory.dmp

    Filesize

    8.1MB

  • memory/3588-15-0x0000000000CE0000-0x00000000014FA000-memory.dmp

    Filesize

    8.1MB

  • memory/3588-16-0x00007FF8EDF50000-0x00007FF8EEA11000-memory.dmp

    Filesize

    10.8MB

  • memory/3588-29-0x00007FF8EDF50000-0x00007FF8EEA11000-memory.dmp

    Filesize

    10.8MB