94b1aee4ca3f71653b2a7dd14c67384416acb7b7b3bbcdc6b62abbf47fc1394f

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-10-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLTools v2.9 PRO/BLTools.exe
Size

5.9MB
MD5

dfa8706c22679f73c12350c5ceef4be9
SHA1

786ebcc382749363d5bfe56dd3d9165b44abb2f3
SHA256

8c746b0086c9c1bd72a487ffa55bd896a949d89ae2f91a7aa7c6d5d6124b2510
SHA512

2654da238f67253ae96b6ade05e1d97d9debd6e0759daae23964809533d4d9c382b360202b3cd70caec97735034a54ee5a7ad7573eeb969e3185794cdf268a7d
SSDEEP

98304:1k05ee4lCP5rHvCQyYddIwF1OXvKqKQcj/zNktidLSChybf1sxPUeNh:H5e1QOdwF1OXvK1j/JkkLSwybSc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2824	evb783D.tmp
2064	BLTools v2.9 PRO.exe

Loads dropped DLL 1 IoCs

pid	Process
1824	BLTools.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2064	BLTools v2.9 PRO.exe
2064	BLTools v2.9 PRO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 2824	1824	BLTools.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLTools v2.9 PRO.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2824	evb783D.tmp
2824	evb783D.tmp
2824	evb783D.tmp
2824	evb783D.tmp
2824	evb783D.tmp

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2824	1824	BLTools.exe	30
PID 1824 wrote to memory of 2064	1824	BLTools.exe	31
PID 1824 wrote to memory of 2064	1824	BLTools.exe	31
PID 1824 wrote to memory of 2064	1824	BLTools.exe	31
PID 1824 wrote to memory of 2064	1824	BLTools.exe	31
PID 2824 wrote to memory of 2104	2824	evb783D.tmp	32
PID 2824 wrote to memory of 2104	2824	evb783D.tmp	32
PID 2824 wrote to memory of 2104	2824	evb783D.tmp	32
PID 2824 wrote to memory of 2104	2824	evb783D.tmp	32

C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\BLTools.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\BLTools.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\evb783D.tmp
  "C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\cookies.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\conhost.exe
    conhost.exe
    3⤵
    PID:2104
- C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\BLTools v2.9 PRO.exe
  "C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\BLTools v2.9 PRO.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Users\Admin\AppData\Local\Temp\evb783D.tmp

Filesize
1KB

MD5
b8152180651818ef0e382061760fae83

SHA1
5aa82224ab08cd413f39138ac5735d412b386d17

SHA256
c1d8fa3babfd42de6cdb8a58ed9ab18ba420a5009e4702619441356cddc7ccf7

SHA512
99dc032861e0d799ecdb457b4bf3ce5eb317c1b56f46c0457227b6bc425fd9019b8a4be4fb106c5e73c9c4b4b80e9ba79bc78502c98f0b1d34eab90a342f854b

Download Submit
\??\c:\users\admin\appdata\local\temp\bltools v2.9 pro\BLTools v2.9 PRO.exe

Filesize
3.2MB

MD5
8c949c1a3189fc8845f22295ee72a150

SHA1
1df3585b887e077251008c68f233f128c08b0b74

SHA256
53b6b47c5dbfbb8ea17990309e9549acc44d8b5d4b1c9e76ec754653f5d31870

SHA512
b27d485b3cd4633edb245659c581458f20b67859f4e7d02205a68824d41dd216882989a807c01d5468e3f99beb78850fa7aeb217f7b8ac8ad30f3a652fc24066

Download Submit
memory/1824-15-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/1824-20-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/1824-29-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/1824-30-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/1824-12-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/1824-34-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/1824-1-0x00000000779E1000-0x00000000779E2000-memory.dmp

Filesize
4KB

Download
memory/1824-24-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/1824-2-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/1824-13-0x00000000035A0000-0x0000000003BDC000-memory.dmp

Filesize
6.2MB

Download
memory/1824-42-0x00000000035A0000-0x0000000003BDC000-memory.dmp

Filesize
6.2MB

Download
memory/1824-45-0x0000000140000000-0x00000001400D3000-memory.dmp

Filesize
844KB

Download
memory/1824-40-0x00000000035A0000-0x0000000003BDC000-memory.dmp

Filesize
6.2MB

Download
memory/1824-38-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/1824-46-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/1824-39-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/2064-60-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2064-57-0x0000000000A40000-0x0000000000A90000-memory.dmp

Filesize
320KB

Download
memory/2064-61-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2064-59-0x0000000006720000-0x0000000006862000-memory.dmp

Filesize
1.3MB

Download
memory/2064-58-0x0000000004A60000-0x0000000004AC0000-memory.dmp

Filesize
384KB

Download
memory/2064-56-0x0000000005DF0000-0x000000000671C000-memory.dmp

Filesize
9.2MB

Download
memory/2064-55-0x0000000000600000-0x0000000000620000-memory.dmp

Filesize
128KB

Download
memory/2064-54-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/2064-52-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2064-51-0x0000000000D80000-0x00000000014A8000-memory.dmp

Filesize
7.2MB

Download
memory/2104-53-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2104-47-0x0000000000060000-0x0000000000068000-memory.dmp

Filesize
32KB

Download
memory/2824-41-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/2824-6-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2824-49-0x0000000140000000-0x000000014063C000-memory.dmp

Filesize
6.2MB

Download
memory/2824-50-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/2824-36-0x0000000140000000-0x000000014063C000-memory.dmp

Filesize
6.2MB

Download
memory/2824-21-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2824-4-0x0000000000430000-0x00000000004D3000-memory.dmp

Filesize
652KB

Download
memory/2824-25-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2824-43-0x0000000140000000-0x000000014063C000-memory.dmp

Filesize
6.2MB

Download
memory/2824-35-0x0000000140000000-0x000000014063C000-memory.dmp

Filesize
6.2MB

Download