Resubmissions
31/03/2025, 05:32   250331-f8mk6atxfv   3
29/03/2025, 20:24   250329-y659lasxbx   10
29/03/2025, 20:22   250329-y5ncdsstd1   3

Analysis
- max time kernel: 62s
- max time network: 65s
- platform: windows10-2004_x64
- resource: win10v2004-20250313-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/03/2025, 05:32
Static task: static1
- 1 signatures

Behavioral task: behavioral1
- Sample: BlsCrn.exe
- Resource: win10v2004-20250313-en
- 7 signatures
- 900 seconds
General
- Target: BlsCrn.exe
- Size: 68KB
- MD5: 8d126e89c071719bc4b36f4551024ab5
- SHA1: e0b3bb8de47da697f029242fe45f0f861c2f4867
- SHA256: c75462e36e1a9b989cf0a0330219667d463daa7e51666ac069046969cacaaa1f
- SHA512: e8637e1eae28ebdfdedd2cc0027a431cae601df154f8dbd0035db5c262402038c6d592b61662dbd537c42b54a56a14812f5046f5090c2c645fd6c18d889ffe49
- SSDEEP: 384:2mvY5+dSd+cagoEb/S7sGEHeTS+yTifPQC4ItobbxW+e0ewd0SyrQfBkJ5hZf6CZ:2F5urgNOyWYCGwSVB2hZPA69km
- Score: 3/10
Malware Config
Signatures
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  3996  POWERPNT.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                     Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   POWERPNT.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                        Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS         POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      POWERPNT.EXE
- Modifies registry class (3 IoCs)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings  OpenWith.exe
  Key created  \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings  OpenWith.exe
  Key created  \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings  OpenWith.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  3996  POWERPNT.EXE
- Suspicious behavior: LoadsDriver (6 IoCs)
  pid   Process
  4     Process not Found
  4     Process not Found
  4     Process not Found
  4     Process not Found
  4     Process not Found
  660   Process not Found
- Suspicious use of SetWindowsHookEx (15 IoCs)
  pid   Process
  3996  POWERPNT.EXE (12 entries)
  3788  OpenWith.exe
  1608  OpenWith.exe
  5172  OpenWith.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\BlsCrn.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BlsCrn.exe"
  PID: 4104
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\InvokePing.ppsm" /ou ""
  PID: 3996
  Signatures:
  - System Network Configuration Discovery: Internet Connection Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3788
  Signatures:
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1608
  Signatures:
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 5172
  Signatures:
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3136