Overview

overview

7

Static

static

3

Bloxstrap-v2.7.0.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    210s
  • max time network
    207s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13/09/2024, 18:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bloxstrap-v2.7.0.exe

  • Size

    10.1MB

  • MD5

    2c752edef5b0aa0962a3e01c4c82a2fa

  • SHA1

    9c3afd1c63f2b0dbdc2dc487709471222d2cb81e

  • SHA256

    891846bf656253ca1cdd28584a28681e9604e2a03d74cd6b99313e3bff11daf8

  • SHA512

    04d25fe7d40c8c320ffc545a038ad6ea458df6a8a552b0e0393b369a03b9bf273c72f30169bd54e8eb10757c04bdddf3859c601c1eb9e1a12fe4d15658906dfe

  • SSDEEP

    98304:TYd5DQd5Dk9Tsed5DogTrBKvGWD3nIOYoHwfLk3vSmaR0+Mc4AN0edaAHDfysrT4:Tasx3vG6IObAbN0T

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 63 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 19 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.7.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.7.0.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-43ad1853ad91427d\RobloxPlayerBeta.exe
      "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-43ad1853ad91427d\RobloxPlayerBeta.exe" --app -channel production
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:5256
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:3192
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004C4
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:8788
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
      1⤵
        PID:9200
      • C:\Windows\System32\oobe\UserOOBEBroker.exe
        C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
        1⤵
        • Drops file in Windows directory
        PID:3308
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
        1⤵
        • System Location Discovery: System Language Discovery
        PID:4528
      • C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
        "C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:7316
        • C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-43ad1853ad91427d\RobloxPlayerBeta.exe
          "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-43ad1853ad91427d\RobloxPlayerBeta.exe" --app -channel production
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of UnmapMainImage
          PID:5924
      • C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
        "C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3596
        • C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-43ad1853ad91427d\RobloxPlayerBeta.exe
          "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-43ad1853ad91427d\RobloxPlayerBeta.exe" --app -channel production
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of UnmapMainImage
          PID:2704
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3544

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe
        Filesize

        10.1MB

        MD5

        2c752edef5b0aa0962a3e01c4c82a2fa

        SHA1

        9c3afd1c63f2b0dbdc2dc487709471222d2cb81e

        SHA256

        891846bf656253ca1cdd28584a28681e9604e2a03d74cd6b99313e3bff11daf8

        SHA512

        04d25fe7d40c8c320ffc545a038ad6ea458df6a8a552b0e0393b369a03b9bf273c72f30169bd54e8eb10757c04bdddf3859c601c1eb9e1a12fe4d15658906dfe

        Download Submit

      • C:\Users\Admin\AppData\Local\Bloxstrap\Modifications\ClientSettings\ClientAppSettings.json
        Filesize

        79B

        MD5

        eab6dcc312473d43c2fa8cc41280d79c

        SHA1

        b4e9ec7e579d06dfcaa5ac616de2751308a153c3

        SHA256

        0a27d3c9100ab7ab6f03c45daeb0f0cd586f3aeb59daf7986e853f9614e954fe

        SHA512

        1ce0fdc237110d644bcc8238f184554f25813ccf7142fd312ce96fbb6659081db677b04485bf66d52100136da6bb9688e48b1287455725c7b4950153aa2a4595

        Download Submit

      • C:\Users\Admin\AppData\Local\Bloxstrap\Modifications\content\textures\Cursors\KeyboardMouse\ArrowFarCursor.png
        Filesize

        235B

        MD5

        acd9e073f889363b3ebd9f7cc5c59c02

        SHA1

        d6f667a7706bb4c19634f7db37d0a8db31d73cfd

        SHA256

        7ff3078f857af8d09824c1091170eb991cc3cc32798a17667d45c813fa606388

        SHA512

        08c944cefab8979dab2796c1fc94f8ac5f22f46b524d940afc7ea2d47872d3239de5bf04fcc577d4ff2931574318524a430e9484b815941c14346d46281211a5

        Download Submit

      • C:\Users\Admin\AppData\Local\Bloxstrap\Settings.json
        Filesize

        714B

        MD5

        72236361f82f124698574209fbc09807

        SHA1

        423255ec63e552339c81ab8109c5fa5cb29f4c80

        SHA256

        d4098b3e4d600370dfadb50136dc28e2f96e95779f112bb035806278924cdc86

        SHA512

        b47645d047b0dfa2beb4c0455ad4b20a6434ed736000b37034a1cc9e162b91c75a63e95607e5f93cec755213d925d1044a98cfc221fd27d1cdcb6c4d10023acc

        Download Submit

      • C:\Users\Admin\AppData\Local\Bloxstrap\State.json
        Filesize

        406B

        MD5

        7ff31d80641b40942a6a454553200dcb

        SHA1

        b361b6ddaef55077557d0709fd338cc5fe4e4456

        SHA256

        f8b1ed238d697325d4ca34272af0ef25b983fee92a27efc706d7d7d02e03bdc5

        SHA512

        736da931f7d136036bc1d473374942ac78c2d39a3b63f70b08b72ad1fc9b72f5aebf1a7438b9d91e7e5e8d985bd5381a04a826a9b004118a414207d6a2f8dc99

        Download Submit

      • C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-43ad1853ad91427d\RobloxPlayerBeta.dll
        Filesize

        19.0MB

        MD5

        c2bde2217e783b033ebed99c727029c2

        SHA1

        97ea2a15f34f15b43b6bb6ef246d0f04bd37e406

        SHA256

        2978eb1d2271311f300f27d2b30689c9857338c72683b52d3d5a02e8b0c6dd89

        SHA512

        86b96dfec2f1500e3a94bfe8146bfa430ad000e9392faa072070f9e1d947b5263b76b714043bd92236799e9fc4500913575e7c44f85269bfe7440e1ad81d0a9b

        Download Submit

      • C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-43ad1853ad91427d\content\sounds\ouch.ogg
        Filesize

        6KB

        MD5

        9404c52d6f311da02d65d4320bfebb59

        SHA1

        0b5b5c2e7c631894953d5828fec06bdf6adba55f

        SHA256

        c9775e361392877d1d521d0450a5368ee92d37dc542bc5e514373c9d5003f317

        SHA512

        22aa1acbcdcf56f571170d9c32fd0d025c50936387203a7827dbb925f352d2bc082a8a79db61c2d1f1795ad979e93367c80205d9141b73d806ae08fa089837c4

        Download Submit

      • C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-43ad1853ad91427d\content\textures\Cursors\KeyboardMouse\ArrowCursor.png
        Filesize

        232B

        MD5

        126ac632390df9aa91ee259d80c98a2a

        SHA1

        0e1016a9e8cf4914adba426414acd81e57567a7c

        SHA256

        0ab24d553e82033f2333d6b6bbd22ba387f2a1a31565a1dba808ee50415f4934

        SHA512

        3fb86c0a42482a37fa588bfbb0143fc1d96982a68675e9a745ce6520fd5178ef9a979e8bfc8f77352b25b8660e41f6b74aedde6623ad9e792d8b5187227de614

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
        Filesize

        10KB

        MD5

        198f782de35af7a91fe69620c36b5678

        SHA1

        dc32e8b9a6b01dcca84af8d429f51f9751c05666

        SHA256

        bad741c6cbdf43ee030b033d3f6d879be5a0df6089425fe135f648bf5b5afae5

        SHA512

        eaa1b075328a024209813bd628e82dea85e47a08c47a463025e0aaad3139125259a4e5a1d1de8d33a0fc01aea6a56fd106bd64c3a61ef3ed4ef9fba777e7b43e

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
        Filesize

        10KB

        MD5

        cb7f12dcfdc6b608d86b97369da20559

        SHA1

        a0c46e2add40a9688adec2f4b935fb6995b708b7

        SHA256

        9fc7074def0916577b2407558a84bf96a9275f88a0bc825f531abcd6b946d997

        SHA512

        a252846389d80fdba0998b5dba13a8fa4b42c7e76fdc5de39c6741e6bf99baf05b0ef31dda6621f697eb4aaaa2241210a6ac33b96ba291e2394092a2ebc73cce

        Download Submit

      • memory/2572-0-0x00007FF937F3B000-0x00007FF937F3C000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2572-1-0x00007FF937F3B000-0x00007FF937F3C000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5256-3626-0x00007FF94AD60000-0x00007FF94AD70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3621-0x00007FF94AEA0000-0x00007FF94AEAD000-memory.dmp

        Filesize

        52KB

        Download

      • memory/5256-3615-0x00007FF948E60000-0x00007FF948E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3641-0x00007FF948AF0000-0x00007FF948B10000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5256-3649-0x00007FF94B5B0000-0x00007FF94B5E0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/5256-3648-0x00007FF94B5B0000-0x00007FF94B5E0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/5256-3647-0x00007FF94B430000-0x00007FF94B431000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5256-3646-0x00007FF9490D0000-0x00007FF9490F6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/5256-3645-0x00007FF9490D0000-0x00007FF9490F6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/5256-3644-0x00007FF9490D0000-0x00007FF9490F6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/5256-3643-0x00007FF9490D0000-0x00007FF9490F6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/5256-3642-0x00007FF9490D0000-0x00007FF9490F6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/5256-3640-0x00007FF948AF0000-0x00007FF948B10000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5256-3639-0x00007FF948AF0000-0x00007FF948B10000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5256-3638-0x00007FF948AF0000-0x00007FF948B10000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5256-3637-0x00007FF948AF0000-0x00007FF948B10000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5256-3636-0x00007FF948AC0000-0x00007FF948AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3635-0x00007FF948AC0000-0x00007FF948AD0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3634-0x00007FF9489B0000-0x00007FF9489C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3633-0x00007FF9489B0000-0x00007FF9489C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3632-0x00007FF94AD80000-0x00007FF94AD89000-memory.dmp

        Filesize

        36KB

        Download

      • memory/5256-3631-0x00007FF94AD80000-0x00007FF94AD89000-memory.dmp

        Filesize

        36KB

        Download

      • memory/5256-3630-0x00007FF94AD80000-0x00007FF94AD89000-memory.dmp

        Filesize

        36KB

        Download

      • memory/5256-3629-0x00007FF94AD80000-0x00007FF94AD89000-memory.dmp

        Filesize

        36KB

        Download

      • memory/5256-3628-0x00007FF94AD80000-0x00007FF94AD89000-memory.dmp

        Filesize

        36KB

        Download

      • memory/5256-3627-0x00007FF94AD60000-0x00007FF94AD70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3593-0x00007FF94B5B0000-0x00007FF94B5E0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/5256-3625-0x00007FF94AD60000-0x00007FF94AD70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3624-0x00007FF94AEA0000-0x00007FF94AEAD000-memory.dmp

        Filesize

        52KB

        Download

      • memory/5256-3623-0x00007FF94AEA0000-0x00007FF94AEAD000-memory.dmp

        Filesize

        52KB

        Download

      • memory/5256-3622-0x00007FF94AEA0000-0x00007FF94AEAD000-memory.dmp

        Filesize

        52KB

        Download

      • memory/5256-3605-0x00007FF949730000-0x00007FF94973C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/5256-3620-0x00007FF94AEA0000-0x00007FF94AEAD000-memory.dmp

        Filesize

        52KB

        Download

      • memory/5256-3619-0x00007FF94AE60000-0x00007FF94AE70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3618-0x00007FF94AE60000-0x00007FF94AE70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3617-0x00007FF94ADF0000-0x00007FF94AE00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3616-0x00007FF94ADF0000-0x00007FF94AE00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3614-0x00007FF948E60000-0x00007FF948E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3613-0x00007FF948E60000-0x00007FF948E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3612-0x00007FF948E40000-0x00007FF948E50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3611-0x00007FF948E40000-0x00007FF948E50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3610-0x00007FF948E40000-0x00007FF948E50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3609-0x00007FF948C90000-0x00007FF948CA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3608-0x00007FF948C90000-0x00007FF948CA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3607-0x00007FF948B20000-0x00007FF948B30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3606-0x00007FF948B20000-0x00007FF948B30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3604-0x00007FF949640000-0x00007FF949660000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5256-3603-0x00007FF949640000-0x00007FF949660000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5256-3602-0x00007FF949640000-0x00007FF949660000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5256-3601-0x00007FF949640000-0x00007FF949660000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5256-3600-0x00007FF949640000-0x00007FF949660000-memory.dmp

        Filesize

        128KB

        Download

      • memory/5256-3599-0x00007FF949620000-0x00007FF949630000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3598-0x00007FF949620000-0x00007FF949630000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3597-0x00007FF949590000-0x00007FF9495A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3596-0x00007FF949590000-0x00007FF9495A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3591-0x00007FF94B5B0000-0x00007FF94B5E0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/5256-3590-0x00007FF94B5B0000-0x00007FF94B5E0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/5256-3589-0x00007FF94B560000-0x00007FF94B570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3588-0x00007FF94B560000-0x00007FF94B570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3594-0x00007FF94B5B0000-0x00007FF94B5E0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/5256-3595-0x00007FF94B640000-0x00007FF94B649000-memory.dmp

        Filesize

        36KB

        Download

      • memory/5256-3592-0x00007FF94B5B0000-0x00007FF94B5E0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/5256-3586-0x00007FF94B440000-0x00007FF94B450000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5256-3587-0x00007FF94B440000-0x00007FF94B450000-memory.dmp

        Filesize

        64KB

        Download