General

  • Target

    Bloxstrap-v2.7.0.exe

  • Size

    10.1MB

  • Sample

    241016-xazw9svgrb

  • MD5

    2c752edef5b0aa0962a3e01c4c82a2fa

  • SHA1

    9c3afd1c63f2b0dbdc2dc487709471222d2cb81e

  • SHA256

    891846bf656253ca1cdd28584a28681e9604e2a03d74cd6b99313e3bff11daf8

  • SHA512

    04d25fe7d40c8c320ffc545a038ad6ea458df6a8a552b0e0393b369a03b9bf273c72f30169bd54e8eb10757c04bdddf3859c601c1eb9e1a12fe4d15658906dfe

  • SSDEEP

    98304:TYd5DQd5Dk9Tsed5DogTrBKvGWD3nIOYoHwfLk3vSmaR0+Mc4AN0edaAHDfysrT4:Tasx3vG6IObAbN0T

Malware Config

Targets

    • Target

      Bloxstrap-v2.7.0.exe

    • Size

      10.1MB

    • MD5

      2c752edef5b0aa0962a3e01c4c82a2fa

    • SHA1

      9c3afd1c63f2b0dbdc2dc487709471222d2cb81e

    • SHA256

      891846bf656253ca1cdd28584a28681e9604e2a03d74cd6b99313e3bff11daf8

    • SHA512

      04d25fe7d40c8c320ffc545a038ad6ea458df6a8a552b0e0393b369a03b9bf273c72f30169bd54e8eb10757c04bdddf3859c601c1eb9e1a12fe4d15658906dfe

    • SSDEEP

      98304:TYd5DQd5Dk9Tsed5DogTrBKvGWD3nIOYoHwfLk3vSmaR0+Mc4AN0edaAHDfysrT4:Tasx3vG6IObAbN0T

    • Modifies WinLogon for persistence

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Renames multiple (69) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Event Triggered Execution: Image File Execution Options Injection

    • Modifies RDP port number used by Windows

    • Sets service image path in registry

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Boot or Logon Autostart Execution: Authentication Package

      Suspicious Windows Authentication Registry Modification.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks