Analysis
- max time kernel: 32s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
- submitted: 20/07/2024, 00:03
Behavioral tasks
- behavioral1 | Sample: BLTools 2.9.1 Pro.rar | Resource: win7-20240704-en
- behavioral2 | Sample: BLTools 2.9.1 Pro.rar | Resource: win10v2004-20240709-en
- behavioral3 | Sample: BLTools 2.9.1 Pro.exe | Resource: win7-20240708-en
- behavioral4 | Sample: BLTools 2.9.1 Pro.exe | Resource: win10v2004-20240709-en
General
- Target: BLTools 2.9.1 Pro.exe
- Size: 6.4MB
- MD5: d3b80d2e6480771f7e418d35fdee5ef3
- SHA1: 7d9f1c09aebbf199d913b911073c99792b315f26
- SHA256: b1906ad0d515c2e29b7bf0cc47ea25cf0c63c6be5f828f5b73943f5e6915063e
- SHA512: 01e1bcddcd0efefcf31a65809be5d8ccb679870829cf08a4c8b4aa8db298b9b002ff8971b13321c9eb64b6a41dd70d5ca13e5a886395a2883013f939736dd91a
- SSDEEP: 196608:chJoo8pE2SNowmev8lJKjieK7adi6tC2w5hz:SeHSWe0lJP7wH5it
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings by adding exclusions. The signature text covers file extensions, paths and processes; this run adds one path exclusion and one extension exclusion (see the process tree below for the exact command lines).
  PID 2776 powershell.exe; PID 2680 powershell.exe
- Executes dropped EXE (2 IoCs)
  PID 2624 bltools.exe; PID 3028 BLTools78E.tmp
- Loads dropped DLL (1 IoC)
  PID 2432 BLTools 2.9.1 Pro.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 2624 bltools.exe (x2)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2432 (BLTools 2.9.1 Pro.exe) set thread context of PID 3028 (BLTools78E.tmp)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID 2432 BLTools 2.9.1 Pro.exe (x17); PID 2776 powershell.exe; PID 2680 powershell.exe; PID 3028 BLTools78E.tmp (x5)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2776 powershell.exe; Token: SeDebugPrivilege, PID 2680 powershell.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  PID 2432 (BLTools 2.9.1 Pro.exe) wrote to memory of PID 2680 (powershell.exe) (x3)
  PID 2432 (BLTools 2.9.1 Pro.exe) wrote to memory of PID 2776 (powershell.exe) (x3)
  PID 2432 (BLTools 2.9.1 Pro.exe) wrote to memory of PID 2624 (bltools.exe) (x4)
  PID 2432 (BLTools 2.9.1 Pro.exe) wrote to memory of PID 3028 (BLTools78E.tmp) (x17)
  PID 3028 (BLTools78E.tmp) wrote to memory of PID 2032 (conhost.exe) (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\BLTools 2.9.1 Pro.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BLTools 2.9.1 Pro.exe"
  PID 2432 | Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BLTools 2.9.1 Pro.exe" -Force
    PID 2680 | Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
    PID 2776 | Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\bltools.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bltools.exe"
    PID 2624 | Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger
  - \??\c:\Users\Admin\AppData\Local\Temp\BLTools78E.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\bltoolsupdater.exe" (image path and command line differ)
    PID 3028 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\conhost.exe
      Command line: conhost.exe
      PID 2032
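The two Add-MpPreference command lines in the process tree are the actionable part of this report: a Defender path exclusion for the dropper itself and an extension exclusion for .tmp, which covers the dropped BLTools78E.tmp image. The PowerShell below is an added example from the editor, not part of the tria.ge report and not code from the sample. It audits a host for the exact exclusions this run adds, flags any other exclusion under a user-writable Temp directory, reads the Defender Operational log for Event ID 5007 (platform configuration changed) entries that record when exclusions were added, and removes them when run with -Remediate. Assumptions: the Defender PowerShell module is present (Windows 8 / Server 2012 and later; it is not shipped on Windows 7, so on the win7 task the cmdlet itself would have failed and the signature fires on the command line alone), the session is elevated, and the 5007 message contains a "New value:" line naming the Exclusions registry key; that message layout is an assumption and the script name Audit-DefenderExclusions.ps1 is hypothetical.

```powershell
<#
  Audit-DefenderExclusions.ps1  (added example; editor's code, not from the report or the sample)
  Assumes: Defender PowerShell module present (Win8/Server 2012+), elevated session,
  Event ID 5007 message carries a "New value:" line (message layout assumed).
#>
[CmdletBinding()]
param(
    [switch]$Remediate,        # actually remove the matching exclusions
    [int]$LookbackDays = 7     # how far back to read the Defender Operational log
)

# Exclusions observed in the sandbox process tree for this sample.
$SuspectPaths      = @('C:\Users\Admin\AppData\Local\Temp\BLTools 2.9.1 Pro.exe')
$SuspectExtensions = @('tmp')  # from: Add-MpPreference -ExclusionExtension ".tmp"

$pref = Get-MpPreference

# 1. Exact matches on what the sample adds (-in is case-insensitive; a leading dot
#    on the stored extension is stripped so ".tmp" and "tmp" both match).
$hitPaths = @($pref.ExclusionPath | Where-Object { $_ -in $SuspectPaths })
$hitExts  = @($pref.ExclusionExtension |
              Where-Object { ($_ -replace '^\.', '') -in $SuspectExtensions })

# 2. Any exclusion under a user-writable Temp directory is suspect regardless of
#    name: it lets whatever is dropped there run unscanned.
$tempHits = @($pref.ExclusionPath |
              Where-Object { $_ -match '\\AppData\\Local\\Temp(\\|$)' })

# 3. Event ID 5007 is logged for every Defender configuration change. Keep only
#    changes to the Exclusions keys and extract the "New value:" line so the
#    timeline shows what was added and when. (Regexes assume the usual message text.)
$since   = (Get-Date).AddDays(-$LookbackDays)
$changes = @(Get-WinEvent -FilterHashtable @{
                LogName   = 'Microsoft-Windows-Windows Defender/Operational'
                Id        = 5007
                StartTime = $since
            } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\Exclusions\\(Paths|Extensions|Processes)\\' } |
    ForEach-Object {
        $new = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'New value' }) -join ' '
        [pscustomobject]@{ Time = $_.TimeCreated; NewValue = $new.Trim() }
    })

# Summary for the operator (or for forwarding to a SIEM).
[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    MatchedPaths       = $hitPaths
    MatchedExtensions  = $hitExts
    TempPathExclusions = $tempHits
    ExclusionChanges   = $changes
}

# 4. Optional cleanup. Removing an exclusion does not scan what it was hiding,
#    so follow up with a custom scan of the affected directories.
if ($Remediate) {
    $paths = @($hitPaths + $tempHits | Select-Object -Unique)
    foreach ($p in $paths) { Remove-MpPreference -ExclusionPath $p }
    foreach ($e in $hitExts) { Remove-MpPreference -ExclusionExtension $e }
    foreach ($p in $paths) {
        # Scan the excluded directory itself, or the parent directory of an excluded file.
        $target = if (Test-Path -LiteralPath $p -PathType Container) { $p } else { Split-Path $p -Parent }
        if ($target) { Start-MpScan -ScanType CustomScan -ScanPath $target }
    }
}
```

Run it read-only first, then with -Remediate once the summary has been reviewed. Two points the report itself supports are worth carrying into detection logic: the signature description is generic (extensions, paths and processes) while this run adds one path and one extension, so hunt on the Add-MpPreference command line itself rather than on specific values; and the -Force flag suppresses the confirmation prompt, which is why the two commands complete non-interactively from a process that is not an interactive shell.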
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not recorded)
  Filesize: 3.2MB
  MD5: 025d637741b1b326ded2e99e6b54ed77
  SHA1: 5fb6a288559f54aeb42203cf5e44a072c74f942f
  SHA256: d68b3cdca20f0b871a653a3203e4292846e766b45fb989856a2de0fb9e0c4860
  SHA512: 720f4f03febbe7fdd661c14349680f6511a69487b0bdf5cd47ab4594b1fad49edeb0bde8e287272d84e21efc916ba91ca71bfa2632eba76e379e07815163d26b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 24a0f1f2deb21b9258a6366ec1e4f223
  SHA1: acad6f659ff994b7655ecd1ec751b6bf02e94180
  SHA256: c39caac5f2611d64726a39d8e84c4a20ad03f0e8cc42f6b5435ece0daac46743
  SHA512: 1e6fac5fcf0b36f77e9d01a64bbe714c6a419eabca5e087f7eda095e09f74185e7564f5960677b7ccae87b78e0022d2fc3421f89190410ee86629ee696ef544c
- (path not recorded)
  Filesize: 1KB
  MD5: db30934e4e99457803a2cf88a44626cc
  SHA1: a896a5142afe483dbaffffd995a60af8aa0041e7
  SHA256: 3caac67799ec53a3bec09d555a37b14922a9955eb1d96275fe02e6070dafd8bd
  SHA512: 7494ab50fa46f0a898da5fabfe310a91cdaad2fd5b9980d3d47af8d1f13e9b3362baf2e6e421a9082a3aa5fa011fbab65e3597ccf11025468a6447dc9d6eea74