3ed15d1915a0408416f2db5a1c89a8b628b73428f3f768ae5ded17783f88ea27

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bloodlike.exe
Size

750KB
MD5

3471130ee839f6cba7abaf6111fa2d95
SHA1

7a2222ba4034d054e6f976835e4139286f1d3d00
SHA256

2147f70eb8ebf3d80eef30e2e6e9d75758294682d052a954af53510087bfa512
SHA512

d6a93951f206174472377faf0b20df7fd5638389f4489b310d2679b91b3e6dba36a98dccd6f000adfbe3546238d90cb6813410b1dc3b1b355ee934dac79b7d02
SSDEEP

12288:lXZEFyI2w//6CDquAh67/bAAkh9B9LbtS+OWbhxIK0Hc0CeD43JZHVDwrG8qjWK3:lXeFbRqkGhg/sJTthtOWb4riRVmqjWJ6

Score

7^/10

discovery execution

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3064	Bloodlike.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\androsporangium.Pan	Bloodlike.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\dlgsmaalets.him	Bloodlike.exe
File opened for modification	C:\Windows\Fonts\evenworthy.ini	Bloodlike.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bloodlike.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2340	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2340	3064	Bloodlike.exe	30
PID 3064 wrote to memory of 2340	3064	Bloodlike.exe	30
PID 3064 wrote to memory of 2340	3064	Bloodlike.exe	30
PID 3064 wrote to memory of 2340	3064	Bloodlike.exe	30

C:\Users\Admin\AppData\Local\Temp\Bloodlike.exe
"C:\Users\Admin\AppData\Local\Temp\Bloodlike.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle minimized "$Slutnoters=Get-Content 'C:\Users\Admin\AppData\Local\Thundershowers\Immortalizes65\Hedgehopper\Sylvette.Far';$Gibbus126=$Slutnoters.SubString(55230,3);.$Gibbus126($Slutnoters)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstAA06.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
memory/2340-19-0x0000000072FB1000-0x0000000072FB2000-memory.dmp

Filesize
4KB

Download
memory/2340-23-0x0000000072FB0000-0x000000007355B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-22-0x0000000072FB0000-0x000000007355B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-21-0x0000000072FB0000-0x000000007355B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-20-0x0000000072FB0000-0x000000007355B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-24-0x0000000072FB0000-0x000000007355B000-memory.dmp

Filesize
5.7MB

Download