94b1aee4ca3f71653b2a7dd14c67384416acb7b7b3bbcdc6b62abbf47fc1394f

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLTools v2.9 PRO/BLTools.exe
Size

5.9MB
MD5

dfa8706c22679f73c12350c5ceef4be9
SHA1

786ebcc382749363d5bfe56dd3d9165b44abb2f3
SHA256

8c746b0086c9c1bd72a487ffa55bd896a949d89ae2f91a7aa7c6d5d6124b2510
SHA512

2654da238f67253ae96b6ade05e1d97d9debd6e0759daae23964809533d4d9c382b360202b3cd70caec97735034a54ee5a7ad7573eeb969e3185794cdf268a7d
SSDEEP

98304:1k05ee4lCP5rHvCQyYddIwF1OXvKqKQcj/zNktidLSChybf1sxPUeNh:H5e1QOdwF1OXvK1j/JkkLSwybSc

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	BLTools.exe

Executes dropped EXE 2 IoCs

pid	Process
4272	evb9ABB.tmp
1824	BLTools v2.9 PRO.exe

Loads dropped DLL 1 IoCs

pid	Process
4172	BLTools.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1824	BLTools v2.9 PRO.exe
1824	BLTools v2.9 PRO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4172 set thread context of 4272	4172	BLTools.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLTools v2.9 PRO.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	BLTools.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4272	evb9ABB.tmp
4272	evb9ABB.tmp
4272	evb9ABB.tmp
4272	evb9ABB.tmp
4272	evb9ABB.tmp
4272	evb9ABB.tmp

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 4272	4172	BLTools.exe	85
PID 4172 wrote to memory of 1824	4172	BLTools.exe	86
PID 4172 wrote to memory of 1824	4172	BLTools.exe	86
PID 4172 wrote to memory of 1824	4172	BLTools.exe	86

C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\BLTools.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\BLTools.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Local\Temp\evb9ABB.tmp
  "C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\cookies.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4272
- C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\BLTools v2.9 PRO.exe
  "C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\BLTools v2.9 PRO.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evb99DF.tmp

Filesize
1KB

MD5
db06a35e2ee985807f483d8413871491

SHA1
4c7d6bccea5ddddd9b0d19c6f9d7b7852b896987

SHA256
863d00444d1ce2e014b025f9fc84ac464c2ea08955edae963599a66b3f1dd95f

SHA512
a2519b47d05e5e5249ecd4220b4ed94cabc1c7f82d238d0442b32b6a601d908f0e804414dfdec15c1e7d87e1cdbb8fa0bef7a796c405aae28273be339ea8c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb9ABB.tmp

Filesize
1KB

MD5
b8152180651818ef0e382061760fae83

SHA1
5aa82224ab08cd413f39138ac5735d412b386d17

SHA256
c1d8fa3babfd42de6cdb8a58ed9ab18ba420a5009e4702619441356cddc7ccf7

SHA512
99dc032861e0d799ecdb457b4bf3ce5eb317c1b56f46c0457227b6bc425fd9019b8a4be4fb106c5e73c9c4b4b80e9ba79bc78502c98f0b1d34eab90a342f854b

Download Submit
\??\c:\users\admin\appdata\local\temp\bltools v2.9 pro\BLTools v2.9 PRO.exe

Filesize
3.2MB

MD5
8c949c1a3189fc8845f22295ee72a150

SHA1
1df3585b887e077251008c68f233f128c08b0b74

SHA256
53b6b47c5dbfbb8ea17990309e9549acc44d8b5d4b1c9e76ec754653f5d31870

SHA512
b27d485b3cd4633edb245659c581458f20b67859f4e7d02205a68824d41dd216882989a807c01d5468e3f99beb78850fa7aeb217f7b8ac8ad30f3a652fc24066

Download Submit
memory/1824-85-0x0000000006E30000-0x00000000073D4000-memory.dmp

Filesize
5.6MB

Download
memory/1824-84-0x0000000005BD0000-0x0000000005C30000-memory.dmp

Filesize
384KB

Download
memory/1824-87-0x0000000006430000-0x00000000064EA000-memory.dmp

Filesize
744KB

Download
memory/1824-88-0x00000000073E0000-0x0000000007472000-memory.dmp

Filesize
584KB

Download
memory/1824-86-0x0000000005D00000-0x0000000005E42000-memory.dmp

Filesize
1.3MB

Download
memory/1824-77-0x0000000000620000-0x0000000000D48000-memory.dmp

Filesize
7.2MB

Download
memory/1824-89-0x00000000096F0000-0x0000000009728000-memory.dmp

Filesize
224KB

Download
memory/1824-90-0x0000000009490000-0x000000000949E000-memory.dmp

Filesize
56KB

Download
memory/1824-83-0x00000000056B0000-0x0000000005700000-memory.dmp

Filesize
320KB

Download
memory/1824-82-0x0000000006500000-0x0000000006E2C000-memory.dmp

Filesize
9.2MB

Download
memory/1824-81-0x0000000005630000-0x0000000005650000-memory.dmp

Filesize
128KB

Download
memory/1824-91-0x0000000007C30000-0x0000000007C42000-memory.dmp

Filesize
72KB

Download
memory/1824-92-0x0000000007960000-0x0000000007968000-memory.dmp

Filesize
32KB

Download
memory/1824-80-0x00000000055C0000-0x00000000055E4000-memory.dmp

Filesize
144KB

Download
memory/1824-79-0x0000000001640000-0x0000000001641000-memory.dmp

Filesize
4KB

Download
memory/4172-12-0x0000000004840000-0x0000000004E7C000-memory.dmp

Filesize
6.2MB

Download
memory/4172-16-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-76-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-75-0x0000000140000000-0x00000001400D3000-memory.dmp

Filesize
844KB

Download
memory/4172-93-0x0000000004840000-0x0000000004E7C000-memory.dmp

Filesize
6.2MB

Download
memory/4172-3-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-78-0x0000000004840000-0x0000000004E7C000-memory.dmp

Filesize
6.2MB

Download
memory/4172-69-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-68-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-2-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-19-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-6-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-1-0x00007FFF7F40D000-0x00007FFF7F40E000-memory.dmp

Filesize
4KB

Download
memory/4172-7-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-9-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-8-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-4-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4172-5-0x00007FFF7F370000-0x00007FFF7F565000-memory.dmp

Filesize
2.0MB

Download
memory/4272-72-0x0000000000050000-0x00000000000F3000-memory.dmp

Filesize
652KB

Download
memory/4272-22-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/4272-73-0x00007FFEFF570000-0x00007FFEFF580000-memory.dmp

Filesize
64KB

Download
memory/4272-71-0x0000000140000000-0x000000014063C000-memory.dmp

Filesize
6.2MB

Download