95fbc670f0be4c388f5bac560d996f4e15276985c78edb374b286efb0bc719cb

Analysis

max time kernel
15s
max time network
12s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLTools v2.2.rar
Size

2.2MB
MD5

208ac8ab5d4d1d756c8bc9aab93f87b5
SHA1

20590983b2509e860de5c605e586ef90d76b516f
SHA256

95fbc670f0be4c388f5bac560d996f4e15276985c78edb374b286efb0bc719cb
SHA512

c42e37b08be8ca03906894c613fe6bb1a195f6eaa6fa53ee376d0885cc0c16b207f02fba55c19cc86a6fb47c0fa91650c1e565a1465e0ba39c2f10db0aa4fc37
SSDEEP

49152:6QZYh5I+koFa+2oMiGsbMTLfkIPTnyqm65ZY9woYR81p:6QZoFsFiGvAqnXjY9PYKz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1532	BLTools v2.2.exe

Loads dropped DLL 9 IoCs

pid	Process
1532	BLTools v2.2.exe
1532	BLTools v2.2.exe
1532	BLTools v2.2.exe
1532	BLTools v2.2.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
828	1532	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1532	BLTools v2.2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2668	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2668	7zFM.exe
Token: 35	2668	7zFM.exe
Token: SeSecurityPrivilege	2668	7zFM.exe
Token: SeDebugPrivilege	1532	BLTools v2.2.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2668	7zFM.exe
2668	7zFM.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2668	2412	cmd.exe	29
PID 2412 wrote to memory of 2668	2412	cmd.exe	29
PID 2412 wrote to memory of 2668	2412	cmd.exe	29
PID 1532 wrote to memory of 828	1532	BLTools v2.2.exe	33
PID 1532 wrote to memory of 828	1532	BLTools v2.2.exe	33
PID 1532 wrote to memory of 828	1532	BLTools v2.2.exe	33
PID 1532 wrote to memory of 828	1532	BLTools v2.2.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\BLTools v2.2.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BLTools v2.2.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2668

C:\Users\Admin\Desktop\BLTools v2.2\BLTools v2.2.exe
"C:\Users\Admin\Desktop\BLTools v2.2\BLTools v2.2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1316
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\BLTools v2.2\AlphaFS.dll

Filesize
359KB

MD5
f2f6f6798d306d6d7df4267434b5c5f9

SHA1
23be62c4f33fc89563defa20e43453b7cdfc9d28

SHA256
837f2ceab6bbd9bc4bf076f1cb90b3158191888c3055dd2b78a1e23f1c3aafdd

SHA512
1f0c52e1d6e27382599c91ebd5e58df387c6f759d755533e36688b402417101c0eb1d6812e523d23048e0d03548fd0985a3fd7f96c66625c6299b1537c872211

Download Submit
C:\Users\Admin\Desktop\BLTools v2.2\BLTools v2.2.exe

Filesize
4.6MB

MD5
c7f2e182794882c0450f6674439d983c

SHA1
274bc5d7c138648b41c4b37ad43cc37e7e11f337

SHA256
a42d9f80ef502f004ebd0b850164d9706da51359f1bd27dde891c66f4ba8e55b

SHA512
e28eb29433df7690a61269dc10102e848abb479891345f49a9674c4c6e48a80f3f5875f53edd01b1eb4180e5ea8dfe2e2ff64eb94758297797225e5035ddc3e8

Download Submit
C:\Users\Admin\Desktop\BLTools v2.2\Extreme.Net.dll

Filesize
121KB

MD5
f79f0e3a0361cac000e2d3553753cd68

SHA1
4314bcef76fddc9379a8f3a266b37d685d0adb79

SHA256
8a6518ab7419fbec3ac9875baa3afb410ad1398c7aa622a09cd9084ec6cadfcd

SHA512
c77516e7f5540ecd13fa5d8cecfce34629acecd9b5a445f5f48902c9e823328fa9a6694ecaa39f5b6053de61c2b850c2d87df25357548afaad6ec37eb3e5e355

Download Submit
memory/1532-42-0x0000000000F00000-0x000000000139A000-memory.dmp

Filesize
4.6MB

Download
memory/1532-46-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1532-50-0x0000000000ED0000-0x0000000000EF4000-memory.dmp

Filesize
144KB

Download
memory/1532-51-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/1532-52-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download