Analysis

max time kernel: 10s
max time network: 13s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 04:48
Static task: static1

Behavioral task: behavioral1
  Sample: BloxstrapModded-v.2.44.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: BloxstrapModded-v.2.44.exe
  Resource: win10v2004-20240508-en
General

Target: BloxstrapModded-v.2.44.exe
Size: 8.1MB
MD5: 15a687ef872a149e075daf9183e0dd06
SHA1: 855424e42c9aa2ed61c74f132a5fc85cf342154e
SHA256: e15dd2dbe65faa8c181cf1514e80cd64262215258a0e25b9b3f5bb439525c2d0
SHA512: 3af64000055d8b37d1cd0110126ed2324e1009d1fa28f9866c01303e150f0d76243e3b31b640e8d965948199c92c1faa452b3b5d0bc4ef8e17496149f17a2f27
SSDEEP: 196608:snVSUiMDl/at5sb8oIkkCcmtob/PVuS9U8gD3hIURja+yw2EcrE2cC:CSUrDlyt5s7HkCTob/tu8exIP+ywAr3c
Malware Config

(none extracted)

Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (process: BloxstrapModded-v.2.44.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (process: BloxstrapModded-v.2.44.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (process: Bloxstrap.exe)

Executes dropped EXE (3 IoCs)
  - PID 3588: BloxstrapModded-v.2.44.exe
  - PID 1800: BloxstrapModded-v.2.44.exe
  - PID 3000: Bloxstrap.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeDebugPrivilege (PID 3000, process: Bloxstrap.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 3432 wrote to memory of 3588 (PID 3432, process: BloxstrapModded-v.2.44.exe, procid_target: 82)
  - PID 3432 wrote to memory of 3588 (PID 3432, process: BloxstrapModded-v.2.44.exe, procid_target: 82)
  - PID 3588 wrote to memory of 1800 (PID 3588, process: BloxstrapModded-v.2.44.exe, procid_target: 83)
  - PID 3588 wrote to memory of 1800 (PID 3588, process: BloxstrapModded-v.2.44.exe, procid_target: 83)
  - PID 3588 wrote to memory of 3000 (PID 3588, process: BloxstrapModded-v.2.44.exe, procid_target: 84)
  - PID 3588 wrote to memory of 3000 (PID 3588, process: BloxstrapModded-v.2.44.exe, procid_target: 84)
Processes

C:\Users\Admin\AppData\Local\Temp\BloxstrapModded-v.2.44.exe (level 1, PID 3432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BloxstrapModded-v.2.44.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe (level 2, PID 3588)
    Command line: "C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe (level 3, PID 1800)
      Command line: "C:\Users\Admin\AppData\Roaming\BloxstrapModded-v.2.44.exe"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\Bloxstrap.exe (level 3, PID 3000)
      Command line: "C:\Users\Admin\AppData\Roaming\Bloxstrap.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Filesize: 7.6MB
MD5: 04f41a01edd9d478ce2d0a1f9d3441d2
SHA1: 718d0fd7603863da984f3a7eaad8efd3f8dfda77
SHA256: 7ec833edb7296e73f3da4c0bb14f5d343de49a2230eb1304be80dd0228478996
SHA512: 4eb43b9b37cf485eb936000b4a7f8f07f56d3c2cb9a5ba0c80faa216d5c8bf458bf57d2016c07c3a703f49f7c2742594eab06f2df90b36adb9e0d5ac0787f739

Filesize: 8.1MB
MD5: c7317fde88040107d1275f241c2501f2
SHA1: 1a59ee0f3fd658b62f0c031ce3a60d7cb2a7e366
SHA256: 99452e83c11a91c6500e3f9aa0e069a419d29696d4df40d9ccc82d4961f12241
SHA512: ee68a4afe52358d6ab9476e050e5f990dacd6daf4e36bec1cc99dae8c73a0ea009381ac8184570fd0ecb277b6f791eba5f441b940a495233168335619b49283f