aafde59bd18e2ea55967da235f68985cbd0e17cd39ae625fd5fae8ce001a4c4b

Resubmissions

07-01-2025 15:01

250107-sd8alaxqdq 7

06-01-2025 07:51

250106-jptrxa1kav 10

06-01-2025 07:48

250106-jnl1ns1jgv 5

08-09-2024 17:12

240908-vqwtfazere 7

Analysis

max time kernel
43s
max time network
56s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-01-2025 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLTools v2.7.1 [PRO2].zip
Size

13.8MB
MD5

01952f721e3cebff244c689b5cd24756
SHA1

d77afa2071c5487b0cc39243a75e1aaab082975c
SHA256

aafde59bd18e2ea55967da235f68985cbd0e17cd39ae625fd5fae8ce001a4c4b
SHA512

93259ccbd91be6f62fc1b2b0d818773702a2166835dff67eab33ee27537ed452f38e61dcc6651d328d87011fb38cb243aca99ffdc78fa3b66f19fa48ae75fe53
SSDEEP

196608:DCKyX8k4lfzoILWsniW8lnJ45/9iD54+V11bFv4zmkt/P:Gtskkb1LWsnk+h

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
4920	Btools v2.7 [PRO].exe
404	btools pro.exe
4240	main.exe
4656	CookiesCreator.exe
4924	Btools v2.7 [PRO].exe
4928	btools pro.exe
3192	main.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x001c00000002ab5f-22.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4696	404	WerFault.exe	83
2104	4928	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Btools v2.7 [PRO].exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	btools pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Btools v2.7 [PRO].exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	btools pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CookiesCreator.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4788	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4788	7zFM.exe
Token: 35	4788	7zFM.exe
Token: SeSecurityPrivilege	4788	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4788	7zFM.exe
4788	7zFM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 404	4920	Btools v2.7 [PRO].exe	83
PID 4920 wrote to memory of 404	4920	Btools v2.7 [PRO].exe	83
PID 4920 wrote to memory of 404	4920	Btools v2.7 [PRO].exe	83
PID 4920 wrote to memory of 4240	4920	Btools v2.7 [PRO].exe	84
PID 4920 wrote to memory of 4240	4920	Btools v2.7 [PRO].exe	84
PID 4920 wrote to memory of 4240	4920	Btools v2.7 [PRO].exe	84
PID 4924 wrote to memory of 4928	4924	Btools v2.7 [PRO].exe	90
PID 4924 wrote to memory of 4928	4924	Btools v2.7 [PRO].exe	90
PID 4924 wrote to memory of 4928	4924	Btools v2.7 [PRO].exe	90
PID 4924 wrote to memory of 3192	4924	Btools v2.7 [PRO].exe	91
PID 4924 wrote to memory of 3192	4924	Btools v2.7 [PRO].exe	91
PID 4924 wrote to memory of 3192	4924	Btools v2.7 [PRO].exe	91

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BLTools v2.7.1 [PRO2].zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3516

C:\Users\Admin\Desktop\New folder\Btools v2.7 [PRO].exe
"C:\Users\Admin\Desktop\New folder\Btools v2.7 [PRO].exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Roaming\Z44894709\btools pro.exe
  "C:\Users\Admin\AppData\Roaming\Z44894709\btools pro.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1084
    3⤵
    - Program crash
    PID:4696
- C:\Users\Admin\AppData\Roaming\Z44894709\main.exe
  "C:\Users\Admin\AppData\Roaming\Z44894709\main.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 404 -ip 404
1⤵
PID:776

C:\Users\Admin\Desktop\New folder\CookiesCreator.exe
"C:\Users\Admin\Desktop\New folder\CookiesCreator.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4656

C:\Users\Admin\Desktop\New folder\Btools v2.7 [PRO].exe
"C:\Users\Admin\Desktop\New folder\Btools v2.7 [PRO].exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Roaming\Z44894709\btools pro.exe
  "C:\Users\Admin\AppData\Roaming\Z44894709\btools pro.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1056
    3⤵
    - Program crash
    PID:2104
- C:\Users\Admin\AppData\Roaming\Z44894709\main.exe
  "C:\Users\Admin\AppData\Roaming\Z44894709\main.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4928 -ip 4928
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Z44894709\btools pro.exe

Filesize
3.2MB

MD5
a3adf6adf0c9fc625ef1f18fd25a61bb

SHA1
cd0bf308f87a1b8a1e73a61007837f98e32221f2

SHA256
e3ac3980c01336b88e97c13760aa8d95600118f2e58ba542966efe4fd8442fff

SHA512
65e2c0a7afa1a51a1308bf1b0ac6bd927eac2ab52abbcb65770cd933cfc2fd3a1d4d29ad7d8d58ac66eadfebf6441077386216dd64dcf586bc38075ed1707b66

Download Submit
C:\Users\Admin\AppData\Roaming\Z44894709\main.exe

Filesize
1.4MB

MD5
15176b6a17d369c09ab6b1f4564aaaaf

SHA1
e82e873539641d574e480098087a68d8fd6cc298

SHA256
8364c15317b1a87bb9c5313a97fcf0f54be14fa669ba5fb33bd82b311708b804

SHA512
8a4cea143edd8797cc318ef8b209318eb68b281fcb88e3829e05681ee7d0420d6b7f91144da4e86c41525f2e86149d94ea97196745da82c3d0245e5f243ffaa3

Download Submit
C:\Users\Admin\Desktop\New folder\Btools v2.7 [PRO].exe

Filesize
3.4MB

MD5
127e32da28efb59592ccb7349022b889

SHA1
f29034dccae28f7f5d17731270e46a9bccedea9e

SHA256
1851d8d4e6eb5b55a5405e14124a36cb93414e29b9350e54ab998b55578aa744

SHA512
fffe633962caa18b7899961f2384b7ffa9cabb61e2dd04ec0b311cd8336c89d39169b0d3153ec39208767b7fb5167d2cbf0bd2495a71477bea3c455b24cfc456

Download Submit
C:\Users\Admin\Desktop\New folder\CookiesCreator.exe

Filesize
200KB

MD5
aee127951627898ff120d3f4a3ada964

SHA1
1da0e77703872601b7cd6b74a5696d286a7545af

SHA256
a61fe2cf0e51860f3bfde5b6159f926748f7d2d0b7b397831bf695f63cf99106

SHA512
221f166ba5dd946a51301bb254a433f76c6d9cdd616d8bb3c07d88a32e3be845d348975ce0166e0a004be25d696acfce84573676f52eb79951f897302ed13866

Download Submit
memory/404-51-0x0000000000CE0000-0x0000000001024000-memory.dmp

Filesize
3.3MB

Download
memory/4656-57-0x00000000003B0000-0x0000000000CA2000-memory.dmp

Filesize
8.9MB

Download
memory/4656-58-0x0000000005B30000-0x00000000060D6000-memory.dmp

Filesize
5.6MB

Download
memory/4656-59-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/4656-60-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download