Analysis
max time kernel: 21s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05-10-2024 18:49
Behavioral task: behavioral1
Sample: Bloxtrap.exe
Resource: win7-20240903-en (windows7-x64)
5 signatures
150 seconds
General
Target: Bloxtrap.exe
Size: 231KB
MD5: 30e78c99e6dadf3e214426fad0aa70ad
SHA1: e7c69f6df99f06632a451d633e615f274b5eaed6
SHA256: e347a40fb7e3ef7705992bce042a420c6fd25913aa931e6fd78ad91b6024e0ee
SHA512: 7c93c81962a0930821bc972578f1cdd5b0309005d5ef63a52ea28cfd6dab8dac5364b57c5cb9360b3166a724c4c4bbf30d48f78f09b435c7c8b9c8676e8bb859
SSDEEP: 6144:8loZM+rIkd8g+EtXHkv/iD4o1me/1+mpusl3ySXLqb8e1mFOi:aoZtL+EP8o1me/1+mpusl3ySXK6
Malware Config
Signatures

Detect Umbral payload (1 IoC)
resource                                                                      yara_rule
behavioral1/memory/2320-1-0x0000000001070000-0x00000000010B0000-memory.dmp    family_umbral

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow    ioc
6       ip-api.com

Suspicious use of AdjustPrivilegeToken (41 IoCs)
description                            pid     Process
Token: SeDebugPrivilege                2320    Bloxtrap.exe
Token: SeIncreaseQuotaPrivilege        2848    wmic.exe
Token: SeSecurityPrivilege             2848    wmic.exe
Token: SeTakeOwnershipPrivilege        2848    wmic.exe
Token: SeLoadDriverPrivilege           2848    wmic.exe
Token: SeSystemProfilePrivilege        2848    wmic.exe
Token: SeSystemtimePrivilege           2848    wmic.exe
Token: SeProfSingleProcessPrivilege    2848    wmic.exe
Token: SeIncBasePriorityPrivilege      2848    wmic.exe
Token: SeCreatePagefilePrivilege       2848    wmic.exe
Token: SeBackupPrivilege               2848    wmic.exe
Token: SeRestorePrivilege              2848    wmic.exe
Token: SeShutdownPrivilege             2848    wmic.exe
Token: SeDebugPrivilege                2848    wmic.exe
Token: SeSystemEnvironmentPrivilege    2848    wmic.exe
Token: SeRemoteShutdownPrivilege       2848    wmic.exe
Token: SeUndockPrivilege               2848    wmic.exe
Token: SeManageVolumePrivilege         2848    wmic.exe
Token: 33                              2848    wmic.exe
Token: 34                              2848    wmic.exe
Token: 35                              2848    wmic.exe
Token: SeIncreaseQuotaPrivilege        2848    wmic.exe
Token: SeSecurityPrivilege             2848    wmic.exe
Token: SeTakeOwnershipPrivilege        2848    wmic.exe
Token: SeLoadDriverPrivilege           2848    wmic.exe
Token: SeSystemProfilePrivilege        2848    wmic.exe
Token: SeSystemtimePrivilege           2848    wmic.exe
Token: SeProfSingleProcessPrivilege    2848    wmic.exe
Token: SeIncBasePriorityPrivilege      2848    wmic.exe
Token: SeCreatePagefilePrivilege       2848    wmic.exe
Token: SeBackupPrivilege               2848    wmic.exe
Token: SeRestorePrivilege              2848    wmic.exe
Token: SeShutdownPrivilege             2848    wmic.exe
Token: SeDebugPrivilege                2848    wmic.exe
Token: SeSystemEnvironmentPrivilege    2848    wmic.exe
Token: SeRemoteShutdownPrivilege       2848    wmic.exe
Token: SeUndockPrivilege               2848    wmic.exe
Token: SeManageVolumePrivilege         2848    wmic.exe
Token: 33                              2848    wmic.exe
Token: 34                              2848    wmic.exe
Token: 35                              2848    wmic.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                          pid     Process         procid_target
PID 2320 wrote to memory of 2848     2320    Bloxtrap.exe    28
PID 2320 wrote to memory of 2848     2320    Bloxtrap.exe    28
PID 2320 wrote to memory of 2848     2320    Bloxtrap.exe    28
Processes

C:\Users\Admin\AppData\Local\Temp\Bloxtrap.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bloxtrap.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2320

  C:\Windows\System32\Wbem\wmic.exe (child of PID 2320)
    Command line: "wmic.exe" csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken
    PID: 2848