Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Bloxstrap.exe

windows11-21h2-x64

7

Resubmissions

06/07/2024, 08:13

240706-j4gqwsvaqg 7

06/07/2024, 08:09

240706-j2m5ws1hrr 7

06/07/2024, 08:06

240706-jzgkbsthna 7

Analysis

  • max time kernel
    195s
  • max time network
    200s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06/07/2024, 08:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bloxstrap.exe

  • Size

    8.6MB

  • MD5

    299f66389937049af891ae9ec1c3a6d3

  • SHA1

    1a1f4a2ef6d148101a83d59bf18cf5f76f46806a

  • SHA256

    b38eef5655d6d82d526e9841bc95c67374e79e4ca2a15e642eb299c4e3ff24ff

  • SHA512

    0c1cc9f8fb8ea3b8b2fc4b329baa12dae725ef2e2b79cfa0f51e3cc8e9913925fd6686fdb8767e87f55e68a9f8a1740285a7277ce19f6581fc28553f33dff653

  • SSDEEP

    98304:D0d5D8d5DlTsed5DDlLpOcvGWD3pkMOYoHwfLk3vSmaR0+Mc4AN0edaAHDfysrTO:Dfs63vG0XObAbN0f

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs
  • Modifies registry class 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
    "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5956
    • C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\RobloxPlayerBeta.exe
      "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\RobloxPlayerBeta.exe" --app -channel production
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:1684
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4088
    • C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
      "C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\RobloxPlayerBeta.exe
        "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\RobloxPlayerBeta.exe" --app -channel production
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of UnmapMainImage
        PID:5340
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SDRSVC
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
      Filesize

      8.6MB

      MD5

      299f66389937049af891ae9ec1c3a6d3

      SHA1

      1a1f4a2ef6d148101a83d59bf18cf5f76f46806a

      SHA256

      b38eef5655d6d82d526e9841bc95c67374e79e4ca2a15e642eb299c4e3ff24ff

      SHA512

      0c1cc9f8fb8ea3b8b2fc4b329baa12dae725ef2e2b79cfa0f51e3cc8e9913925fd6686fdb8767e87f55e68a9f8a1740285a7277ce19f6581fc28553f33dff653

      Download Submit

    • C:\Users\Admin\AppData\Local\Bloxstrap\Modifications\ClientSettings\ClientAppSettings.json
      Filesize

      79B

      MD5

      eab6dcc312473d43c2fa8cc41280d79c

      SHA1

      b4e9ec7e579d06dfcaa5ac616de2751308a153c3

      SHA256

      0a27d3c9100ab7ab6f03c45daeb0f0cd586f3aeb59daf7986e853f9614e954fe

      SHA512

      1ce0fdc237110d644bcc8238f184554f25813ccf7142fd312ce96fbb6659081db677b04485bf66d52100136da6bb9688e48b1287455725c7b4950153aa2a4595

      Download Submit

    • C:\Users\Admin\AppData\Local\Bloxstrap\Modifications\content\sounds\ouch.ogg
      Filesize

      6KB

      MD5

      9404c52d6f311da02d65d4320bfebb59

      SHA1

      0b5b5c2e7c631894953d5828fec06bdf6adba55f

      SHA256

      c9775e361392877d1d521d0450a5368ee92d37dc542bc5e514373c9d5003f317

      SHA512

      22aa1acbcdcf56f571170d9c32fd0d025c50936387203a7827dbb925f352d2bc082a8a79db61c2d1f1795ad979e93367c80205d9141b73d806ae08fa089837c4

      Download Submit

    • C:\Users\Admin\AppData\Local\Bloxstrap\Settings.json
      Filesize

      721B

      MD5

      f011944453781cf1c88a4f9d9509dca9

      SHA1

      b688124e816f52711fe3330e3fcb6bacbb7e25ab

      SHA256

      e704d460b5abb39ce2946028a171c70bc10f0bf884ff0efc1e84ba28fbf32447

      SHA512

      c8a17fe56f395c5b1d327362e0270898fff4eb1e7cb7a5418d0b4fe2dbe5673f484706d92c89c9cfa53ff7835e7c3b8560cb28c1953b5a9147d3a53d3f56c2a3

      Download Submit

    • C:\Users\Admin\AppData\Local\Bloxstrap\State.json
      Filesize

      269B

      MD5

      dff1d867431eaf46c70f10ad4505d2bb

      SHA1

      11658cdee33ad806b652cbcf06ea6d044cc99dcb

      SHA256

      6d5c985854eaab4139580143a3610501b9ba711b878d7c1b044a12998cfe0961

      SHA512

      7c5de6eb76670c6975bb35d37c2bdcedc1b49bda78e6034c6cead8b1f843b7faa177223153dbc461502bfc808b697541771d2361c9dc173a9d5789988af90744

      Download Submit

    • C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\RobloxPlayerBeta.dll
      Filesize

      16.7MB

      MD5

      6dfc619af29b1bce46cc55f2f1dd82e4

      SHA1

      e39ccb51a7e456df074f505193f7371046a51c29

      SHA256

      72e88ee5395bc66d252042e2fa975a39cff8c3ed2152ba661aacf6b997ba755d

      SHA512

      379e38a57b17cc417e949ff4ead79980d0b6829f33774d5b0e7a2e36c9247686b12a3c0915123f68e891310a594672ade26d247946213919b7ab972ec6eae495

      Download Submit

    • memory/1684-3530-0x00007FFABD5D0000-0x00007FFABD5E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3551-0x00007FFABBB30000-0x00007FFABBB50000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1684-3531-0x00007FFABD640000-0x00007FFABD650000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3506-0x00007FFABE5F0000-0x00007FFABE620000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1684-3505-0x00007FFABE5F0000-0x00007FFABE620000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1684-3504-0x00007FFABE5F0000-0x00007FFABE620000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1684-3502-0x00007FFABE5A0000-0x00007FFABE5B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3501-0x00007FFABE5A0000-0x00007FFABE5B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3500-0x00007FFABE480000-0x00007FFABE490000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3507-0x00007FFABE5F0000-0x00007FFABE620000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1684-3512-0x00007FFABD8D0000-0x00007FFABD8E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3515-0x00007FFABD8F0000-0x00007FFABD910000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1684-3518-0x00007FFABD9E0000-0x00007FFABD9EC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1684-3517-0x00007FFABD8F0000-0x00007FFABD910000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1684-3516-0x00007FFABD8F0000-0x00007FFABD910000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1684-3514-0x00007FFABD8F0000-0x00007FFABD910000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1684-3513-0x00007FFABD8F0000-0x00007FFABD910000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1684-3511-0x00007FFABD8D0000-0x00007FFABD8E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3510-0x00007FFABD840000-0x00007FFABD850000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3509-0x00007FFABD840000-0x00007FFABD850000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3521-0x00007FFABBF50000-0x00007FFABBF60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3522-0x00007FFABBF50000-0x00007FFABBF60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3524-0x00007FFABC100000-0x00007FFABC110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3523-0x00007FFABC100000-0x00007FFABC110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3520-0x00007FFABBDE0000-0x00007FFABBDF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3519-0x00007FFABBDE0000-0x00007FFABBDF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3528-0x00007FFABC120000-0x00007FFABC130000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3527-0x00007FFABC120000-0x00007FFABC130000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3526-0x00007FFABC120000-0x00007FFABC130000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3525-0x00007FFABC100000-0x00007FFABC110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3499-0x00007FFABE480000-0x00007FFABE490000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3532-0x00007FFABD640000-0x00007FFABD650000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3508-0x00007FFABE680000-0x00007FFABE689000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1684-3503-0x00007FFABE5F0000-0x00007FFABE620000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1684-3556-0x00007FFABC160000-0x00007FFABC186000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1684-3558-0x00007FFABC160000-0x00007FFABC186000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1684-3562-0x00007FFABE5F0000-0x00007FFABE620000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1684-3561-0x00007FFABE5F0000-0x00007FFABE620000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1684-3560-0x00007FFABE470000-0x00007FFABE471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1684-3559-0x00007FFABC160000-0x00007FFABC186000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1684-3557-0x00007FFABC160000-0x00007FFABC186000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1684-3529-0x00007FFABD5D0000-0x00007FFABD5E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3555-0x00007FFABC160000-0x00007FFABC186000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1684-3554-0x00007FFABBB30000-0x00007FFABBB50000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1684-3553-0x00007FFABBB30000-0x00007FFABBB50000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1684-3552-0x00007FFABBB30000-0x00007FFABBB50000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1684-3550-0x00007FFABBB30000-0x00007FFABBB50000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1684-3549-0x00007FFABBB00000-0x00007FFABBB10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3548-0x00007FFABBB00000-0x00007FFABBB10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3547-0x00007FFABB9F0000-0x00007FFABBA00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3546-0x00007FFABB9F0000-0x00007FFABBA00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3545-0x00007FFABDAD0000-0x00007FFABDAD9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1684-3544-0x00007FFABDAD0000-0x00007FFABDAD9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1684-3543-0x00007FFABDAD0000-0x00007FFABDAD9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1684-3542-0x00007FFABDAD0000-0x00007FFABDAD9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1684-3541-0x00007FFABDAD0000-0x00007FFABDAD9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1684-3540-0x00007FFABDAB0000-0x00007FFABDAC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3539-0x00007FFABDAB0000-0x00007FFABDAC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3538-0x00007FFABDAB0000-0x00007FFABDAC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1684-3537-0x00007FFABD680000-0x00007FFABD68D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1684-3536-0x00007FFABD680000-0x00007FFABD68D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1684-3535-0x00007FFABD680000-0x00007FFABD68D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1684-3534-0x00007FFABD680000-0x00007FFABD68D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1684-3533-0x00007FFABD680000-0x00007FFABD68D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/5956-0-0x00007FFAAAF2B000-0x00007FFAAAF2C000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5956-1-0x00007FFAAAF2B000-0x00007FFAAAF2C000-memory.dmp

      Filesize

      4KB

      Download