Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

BLTools 2.9.1 Pro.rar

windows7-x64

3

BLTools 2.9.1 Pro.rar

windows10-2004-x64

3

BLTools 2.9.1 Pro.exe

windows7-x64

8

BLTools 2.9.1 Pro.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    32s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2024, 00:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BLTools 2.9.1 Pro.exe

  • Size

    6.4MB

  • MD5

    d3b80d2e6480771f7e418d35fdee5ef3

  • SHA1

    7d9f1c09aebbf199d913b911073c99792b315f26

  • SHA256

    b1906ad0d515c2e29b7bf0cc47ea25cf0c63c6be5f828f5b73943f5e6915063e

  • SHA512

    01e1bcddcd0efefcf31a65809be5d8ccb679870829cf08a4c8b4aa8db298b9b002ff8971b13321c9eb64b6a41dd70d5ca13e5a886395a2883013f939736dd91a

  • SSDEEP

    196608:chJoo8pE2SNowmev8lJKjieK7adi6tC2w5hz:SeHSWe0lJP7wH5it

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BLTools 2.9.1 Pro.exe
    "C:\Users\Admin\AppData\Local\Temp\BLTools 2.9.1 Pro.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BLTools 2.9.1 Pro.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Users\Admin\AppData\Local\Temp\bltools.exe
      "C:\Users\Admin\AppData\Local\Temp\bltools.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2624
    • \??\c:\Users\Admin\AppData\Local\Temp\BLTools78E.tmp
      "C:\Users\Admin\AppData\Local\Temp\bltoolsupdater.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\system32\conhost.exe
        conhost.exe
        3⤵
          PID:2032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bltools.exe
      Filesize

      3.2MB

      MD5

      025d637741b1b326ded2e99e6b54ed77

      SHA1

      5fb6a288559f54aeb42203cf5e44a072c74f942f

      SHA256

      d68b3cdca20f0b871a653a3203e4292846e766b45fb989856a2de0fb9e0c4860

      SHA512

      720f4f03febbe7fdd661c14349680f6511a69487b0bdf5cd47ab4594b1fad49edeb0bde8e287272d84e21efc916ba91ca71bfa2632eba76e379e07815163d26b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      24a0f1f2deb21b9258a6366ec1e4f223

      SHA1

      acad6f659ff994b7655ecd1ec751b6bf02e94180

      SHA256

      c39caac5f2611d64726a39d8e84c4a20ad03f0e8cc42f6b5435ece0daac46743

      SHA512

      1e6fac5fcf0b36f77e9d01a64bbe714c6a419eabca5e087f7eda095e09f74185e7564f5960677b7ccae87b78e0022d2fc3421f89190410ee86629ee696ef544c

      Download Submit

    • \Users\Admin\AppData\Local\Temp\BLTools78E.tmp
      Filesize

      1KB

      MD5

      db30934e4e99457803a2cf88a44626cc

      SHA1

      a896a5142afe483dbaffffd995a60af8aa0041e7

      SHA256

      3caac67799ec53a3bec09d555a37b14922a9955eb1d96275fe02e6070dafd8bd

      SHA512

      7494ab50fa46f0a898da5fabfe310a91cdaad2fd5b9980d3d47af8d1f13e9b3362baf2e6e421a9082a3aa5fa011fbab65e3597ccf11025468a6447dc9d6eea74

      Download Submit

    • memory/2032-77-0x00000000001F0000-0x00000000001FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2032-74-0x00000000000A0000-0x00000000000A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2432-43-0x0000000005EB0000-0x00000000064DD000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2432-6-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2432-11-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2432-8-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2432-9-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2432-7-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2432-2-0x0000000077011000-0x0000000077012000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2432-24-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2432-3-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2432-44-0x0000000005EB0000-0x00000000064DD000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2432-57-0x0000000140000000-0x00000001401DD000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2432-58-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2432-60-0x0000000005EB0000-0x00000000064DD000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2432-10-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2432-0-0x0000000140000000-0x00000001401DD000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2432-4-0x0000000140000000-0x00000001401DD000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2624-66-0x0000000005E80000-0x00000000067AC000-memory.dmp

      Filesize

      9.2MB

      Download

    • memory/2624-64-0x00000000002F0000-0x00000000002F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2624-78-0x0000000000B70000-0x0000000000B7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2624-71-0x0000000000B70000-0x0000000000B7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2624-72-0x0000000000B70000-0x0000000000B7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2624-70-0x00000000067B0000-0x00000000068F2000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2624-69-0x0000000000820000-0x0000000000840000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2624-59-0x0000000000EC0000-0x0000000001610000-memory.dmp

      Filesize

      7.3MB

      Download

    • memory/2624-68-0x0000000000CA0000-0x0000000000D00000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2624-67-0x00000000004C0000-0x0000000000510000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2624-65-0x0000000000490000-0x00000000004B4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2680-23-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2680-22-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2680-28-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2680-29-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2680-27-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2680-26-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2680-25-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2776-21-0x000000001B450000-0x000000001B732000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/3028-53-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3028-38-0x00000000004E0000-0x00000000004E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3028-49-0x00000000004F0000-0x00000000004F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3028-73-0x0000000076FC0000-0x0000000077169000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3028-76-0x0000000140000000-0x000000014062D000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3028-61-0x0000000140000000-0x000000014062D000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3028-63-0x0000000140000000-0x000000014062D000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3028-36-0x0000000000430000-0x00000000004D4000-memory.dmp

      Filesize

      656KB

      Download