Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2024, 23:06
Behavioral task: behavioral1
Sample: BLTools_v2.9__PRO_.zip
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: BLTools_v2.9__PRO_.zip
Resource: win10v2004-20241007-en
General
Target: BLTools_v2.9__PRO_.zip
Size: 9.9MB
MD5: 8586f2582de2dac652004ce8818a7741
SHA1: 6c940e8dbe7ddfd23ea0efb79087728651d1aa9f
SHA256: c838c451a5edbc8ab8bd38a3d8d37623e97fa2f109d60bb7fe7b91d80279dbb5
SHA512: ce7cefe5c485316f94ba9034df5839cbaf71f1013b9e78ef313c70427bae9245849a2aa9df05dfd38c47b8719ad00aca5b8f9ce0e8a6d3c7e874b56d003b5e33
SSDEEP: 196608:7Zkf5xM9FU495KnWXeWYGLq2uFn440rzX5ub18l3V2aC2/5K5ZD7Reu7ZvTvwqVn:lxvnuWLqR440/pCQ3k4w5Z9ZvzwOSsm2
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
PID 2608  BLTools v2.9 [PRO].exe
PID 2884  BLTools v2.9 [PRO].exe
Loads dropped DLL (12 IoCs)
PID 1184  Process not Found  (8 entries)
PID 2388  WerFault.exe  (4 entries)
YARA matches (rule: vmprotect)
behavioral1/files/0x0007000000016d36-394.dat
behavioral1/memory/2608-414-0x000000013F440000-0x0000000140312000-memory.dmp
behavioral1/memory/2884-433-0x000000013F4D0000-0x00000001403A2000-memory.dmp
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only): \??\F:  by BLTools v2.9 [PRO].exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 5: ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
PID 2608  BLTools v2.9 [PRO].exe
PID 2884  BLTools v2.9 [PRO].exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
PID 2608  BLTools v2.9 [PRO].exe  (7 entries)
PID 2884  BLTools v2.9 [PRO].exe  (1 entry)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 2904  7zFM.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token: SeRestorePrivilege   PID 2904  7zFM.exe
Token: 35                   PID 2904  7zFM.exe
Token: SeSecurityPrivilege  PID 2904  7zFM.exe
Token: SeShutdownPrivilege  PID 2608  BLTools v2.9 [PRO].exe
Suspicious use of FindShellTrayWindow (2 IoCs)
PID 2904  7zFM.exe  (2 entries)
Suspicious use of WriteProcessMemory (3 IoCs)
PID 2884 (BLTools v2.9 [PRO].exe) wrote to memory of PID 2388, procid_target 33  (3 entries)
Processes
Image: C:\Program Files\7-Zip\7zFM.exe
Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_.zip"
PID: 2904 (depth 1)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

Image: C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe
Command line: "C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"
PID: 2608 (depth 1)
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Image: C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe
Command line: "C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"
PID: 2884 (depth 1)
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    Image: C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2884 -s 260
    PID: 2388 (depth 2, child of PID 2884)
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\7zE85BBEA96\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\NoSubscribers.txt
Filesize: 8KB
MD5: 0847bf790b4d7ec5c05bf5ecf911d3b4
SHA1: 6740f67e54ca510b34fbc7e959e062cc004d9c4d
SHA256: 8777ed29ad8d3c4fcd45d9e55dd6ce072a32227198ff6ce7bcbdaaa7b5d23055
SHA512: c8ad15124e66eb46a39f42c883b8c6d0241affefa2c77957878b39c49533147da0e3be4c1e31fb1579574c6fc98899ab61d46669aaf04a04dacccd81d6f5d998
-
C:\Users\Admin\AppData\Local\Temp\7zE85BBEA96\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Sorted by Year\2023\[0 sub] [0 videos] [0 views] [monetize false] [brand false] [1 channels] [Дата регистрации 20 нояб. 2023 г.].txt
Filesize: 2KB
MD5: bef31f66287ccd0f96bc48f105538573
SHA1: 05fa574f3a934b69bf4ba3a07626d408ae5ee2e5
SHA256: fcd18d5be13b029daa30f1045c25c15c180642e514de3a84a11620cde73fd279
SHA512: bf23aa02241549a04abd0d6832e637a672b241e873d9eec58b22f4841d6d8cf6086053ec1501496f32943e328462c69843d13f951eb0eed719d3e2ba0c07f0d9
-
C:\Users\Admin\AppData\Local\Temp\7zE85BBEA96\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Subscribers\[11 sub] [4 videos] [47 views] [monetize false] [brand false] [1 channels] [Joined Jan 24, 2015].txt
Filesize: 3KB
MD5: 01e104c694b1a15a6eda3c381f424e12
SHA1: 9b960d2573b71f60605e10e6113c92aedf21c89e
SHA256: 89c11a75bbf7fcc2010309b687e47a11b73d5c6ea3933f942cacca573b8164e0
SHA512: 5376068d78c10cc6b6bc5315893ec66938bf68a90be029f4c9a7907c71d9569f34ec420fb58b3c567eed60d236c6092debc5c83d608049b524419e2946ad9f9c
-
Filesize: 7.1MB
MD5: bef86c9792f7f8bc658ca1d1bce63c60
SHA1: d7d3fe3ae1e950cd4192d46a0bf6505ec3858689
SHA256: 2ebfc2838c33ff2fc3547369bf0e8bcdfe41c245ede9241602f44afbf7c3cfdb
SHA512: 6ec05fa9bd6ab5c8f1aaa323c81d9f8ae5905a9dba4c511a57c473f568fa551115442ac325547beaecb5c9813446689be37e0485a8fa78f03bf9e82386a93de7