c75462e36e1a9b989cf0a0330219667d463daa7e51666ac069046969cacaaa1f

Resubmissions

31/03/2025, 05:32

250331-f8mk6atxfv 3

29/03/2025, 20:24

250329-y659lasxbx 10

29/03/2025, 20:22

250329-y5ncdsstd1 3

Analysis

max time kernel
62s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlsCrn.exe
Size

68KB
MD5

8d126e89c071719bc4b36f4551024ab5
SHA1

e0b3bb8de47da697f029242fe45f0f861c2f4867
SHA256

c75462e36e1a9b989cf0a0330219667d463daa7e51666ac069046969cacaaa1f
SHA512

e8637e1eae28ebdfdedd2cc0027a431cae601df154f8dbd0035db5c262402038c6d592b61662dbd537c42b54a56a14812f5046f5090c2c645fd6c18d889ffe49
SSDEEP

384:2mvY5+dSd+cagoEb/S7sGEHeTS+yTifPQC4ItobbxW+e0ewd0SyrQfBkJ5hZf6CZ:2F5urgNOyWYCGwSVB2hZPA69km

Score

3^/10

discovery

Malware Config

Signatures

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3996	POWERPNT.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3996	POWERPNT.EXE

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3996	POWERPNT.EXE
3996	POWERPNT.EXE
3996	POWERPNT.EXE
3996	POWERPNT.EXE
3996	POWERPNT.EXE
3996	POWERPNT.EXE
3996	POWERPNT.EXE
3996	POWERPNT.EXE
3996	POWERPNT.EXE
3996	POWERPNT.EXE
3996	POWERPNT.EXE
3996	POWERPNT.EXE
3788	OpenWith.exe
1608	OpenWith.exe
5172	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\BlsCrn.exe
"C:\Users\Admin\AppData\Local\Temp\BlsCrn.exe"
1⤵
PID:4104

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\InvokePing.ppsm" /ou ""
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3996-12-0x00007FFEF2C50000-0x00007FFEF2E45000-memory.dmp

Filesize
2.0MB

Download
memory/3996-8-0x00007FFEF2C50000-0x00007FFEF2E45000-memory.dmp

Filesize
2.0MB

Download
memory/3996-4-0x00007FFEB2CD0000-0x00007FFEB2CE0000-memory.dmp

Filesize
64KB

Download
memory/3996-3-0x00007FFEB2CD0000-0x00007FFEB2CE0000-memory.dmp

Filesize
64KB

Download
memory/3996-6-0x00007FFEB2CD0000-0x00007FFEB2CE0000-memory.dmp

Filesize
64KB

Download
memory/3996-2-0x00007FFEB2CD0000-0x00007FFEB2CE0000-memory.dmp

Filesize
64KB

Download
memory/3996-5-0x00007FFEF2CED000-0x00007FFEF2CEE000-memory.dmp

Filesize
4KB

Download
memory/3996-13-0x00007FFEF2C50000-0x00007FFEF2E45000-memory.dmp

Filesize
2.0MB

Download
memory/3996-14-0x00007FFEF2C50000-0x00007FFEF2E45000-memory.dmp

Filesize
2.0MB

Download
memory/3996-9-0x00007FFEF2C50000-0x00007FFEF2E45000-memory.dmp

Filesize
2.0MB

Download
memory/3996-24-0x00007FFEF2C50000-0x00007FFEF2E45000-memory.dmp

Filesize
2.0MB

Download
memory/3996-20-0x00007FFEB2CD0000-0x00007FFEB2CE0000-memory.dmp

Filesize
64KB

Download
memory/3996-7-0x00007FFEB2CD0000-0x00007FFEB2CE0000-memory.dmp

Filesize
64KB

Download
memory/3996-15-0x00007FFEB0370000-0x00007FFEB0380000-memory.dmp

Filesize
64KB

Download
memory/3996-11-0x00007FFEF2C50000-0x00007FFEF2E45000-memory.dmp

Filesize
2.0MB

Download
memory/3996-16-0x00007FFEB0370000-0x00007FFEB0380000-memory.dmp

Filesize
64KB

Download
memory/3996-10-0x00007FFEF2C50000-0x00007FFEF2E45000-memory.dmp

Filesize
2.0MB

Download
memory/3996-17-0x00007FFEF2C50000-0x00007FFEF2E45000-memory.dmp

Filesize
2.0MB

Download
memory/3996-23-0x00007FFEB2CD0000-0x00007FFEB2CE0000-memory.dmp

Filesize
64KB

Download
memory/3996-22-0x00007FFEB2CD0000-0x00007FFEB2CE0000-memory.dmp

Filesize
64KB

Download
memory/3996-21-0x00007FFEB2CD0000-0x00007FFEB2CE0000-memory.dmp

Filesize
64KB

Download
memory/4104-0-0x00007FF7B8890000-0x00007FF7B88B8000-memory.dmp

Filesize
160KB

Download
memory/4104-1-0x00007FF7B8890000-0x00007FF7B88B8000-memory.dmp

Filesize
160KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads