File name:	SecHex-GUI.exe.exe
Full analysis:	https://app.any.run/tasks/343f6316-b263-4a96-a64b-af2504a69959
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Malware Trends Tracker >>>
Analysis date:	December 17, 2024, 21:25:16
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	uac evasion blankgrabber python
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	DDAE2BBA596EC58F47F190858ABA8D99
SHA1:	36189D4340ED0BA9BEE057BF2B47B74B3AE3F6AC
SHA256:	B24BE7C2CE4F581C445FF8C4F158F4438B495A741F3BE97F9D3D007CC981B014
SSDEEP:	98304:Z6Ct+GmE/ZsG6TRAXfjE+DkVkFOBNdtLOSA2ibMlq0TGPWJmxGueORfqqQVH68D8:LqxqeI44a+bAdjRnbdUz

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:10:23 18:12:13+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	172032
InitializedDataSize:	94208
UninitializedDataSize:	-
EntryPoint:	0xcdb0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.4717
ProductVersionNumber:	10.0.19041.4717
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Work Folders
FileVersion:	10.0.19041.4717 (WinBuild.160101.0800)
InternalName:	Work Folders
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WorkFolders.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.4717


(PID) Process:	(2216) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(2216) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2216) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2216) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4520) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4520) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4520) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4520) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3612) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	write	Name:	DelegateExecute
Value:

PID	Process	Filename		Type
2676	SecHex-GUI.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI26762\_ctypes.pyd		executable
		MD5:79879C679A12FAC03F472463BB8CEFF7	SHA256:8D1A21192112E13913CB77708C105034C5F251D64517017975AF8E0C4999EBA3
2676	SecHex-GUI.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI26762\blank.aes		binary
		MD5:8985DCB8B72638583FEA706D3D92E3BA	SHA256:5D66AFD6D12E18A7BF7FCB6D5B026120D8024FB506567011ED91D5EB2CB8A243
2676	SecHex-GUI.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI26762\_bz2.pyd		executable
		MD5:58FC4C56F7F400DE210E98CCB8FDC4B2	SHA256:DFC195EBB59DC5E365EFD3853D72897B8838497E15C0977B6EDB1EB347F13150
2676	SecHex-GUI.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI26762\_queue.pyd		executable
		MD5:513DCE65C09B3ABC516687F99A6971D8	SHA256:D4BE41574C3E17792A25793E6F5BF171BAEEB4255C08CB6A5CD7705A91E896FC
2676	SecHex-GUI.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI26762\libcrypto-3.dll		executable
		MD5:8377FE5949527DD7BE7B827CB1FFD324	SHA256:88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
2676	SecHex-GUI.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI26762\_ssl.pyd		executable
		MD5:7EF27CD65635DFBA6076771B46C1B99F	SHA256:6EF0EF892DC9AD68874E2743AF7985590BB071E8AFE3BBF8E716F3F4B10F19B4
2676	SecHex-GUI.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI26762\_socket.pyd		executable
		MD5:14392D71DFE6D6BDC3EBCDBDE3C4049C	SHA256:A1E39E2386634069070903E2D9C2B51A42CB0D59C20B7BE50EF95C89C268DEB2
2676	SecHex-GUI.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI26762\_lzma.pyd		executable
		MD5:055EB9D91C42BB228A72BF5B7B77C0C8	SHA256:DE342275A648207BEF9B9662C9829AF222B160975AD8925CC5612CD0F182414E
2676	SecHex-GUI.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI26762\_sqlite3.pyd		executable
		MD5:8CD40257514A16060D5D882788855B55	SHA256:7D53DF36EE9DA2DF36C2676CFAEA84EE87E7E2A15AD8123F6ABB48717C3BC891
2676	SecHex-GUI.exe.exe	C:\Users\admin\AppData\Local\Temp\_MEI26762\libffi-8.dll		executable
		MD5:08B000C3D990BC018FCB91A1E175E06E	SHA256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	184.24.77.35:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5340	svchost.exe	GET	200	184.24.77.35:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5340	svchost.exe	GET	200	2.19.217.218:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.19.217.218:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3952	SecHex-GUI.exe.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	shared

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	23.212.110.177:443	www.bing.com	Akamai International B.V.	CZ	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
5340	svchost.exe	184.24.77.35:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.24.77.35:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5340	svchost.exe	2.19.217.218:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.19.217.218:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3952	SecHex-GUI.exe.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	shared

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
www.bing.com	23.212.110.177 23.212.110.178 23.212.110.209 23.212.110.201 23.212.110.200 23.212.110.185 23.212.110.179 23.212.110.202 23.212.110.208	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	184.24.77.35 184.24.77.37	whitelisted
www.microsoft.com	2.19.217.218	whitelisted
blank-0yiau.in	—	unknown
ip-api.com	208.95.112.1	shared
self.events.data.microsoft.com	20.189.173.3	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3952	SecHex-GUI.exe.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com

General Info

SecHex-GUI.exe.exe

DDAE2BBA596EC58F47F190858ABA8D99

36189D4340ED0BA9BEE057BF2B47B74B3AE3F6AC

B24BE7C2CE4F581C445FF8C4F158F4438B495A741F3BE97F9D3D007CC981B014

98304:Z6Ct+GmE/ZsG6TRAXfjE+DkVkFOBNdtLOSA2ibMlq0TGPWJmxGueORfqqQVH68D8:LqxqeI44a+bAdjRnbdUz

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

BlankGrabber has been detected

Bypass User Account Control (ComputerDefaults)

Bypass User Account Control (Modify registry)

Adds path to the Windows Defender exclusion list

Antivirus name has been found in the command line (generic signature)

Changes settings for checking scripts for malicious actions

Changes settings for protection against network attacks (IPS)

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for real-time protection

Changes Controlled Folder Access settings

Changes settings for sending potential threat samples to Microsoft servers

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Resets Windows Defender malware definitions to the base version

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

The process drops C-runtime libraries

Executable content was dropped or overwritten

Process drops python dynamic module

Application launched itself

Loads Python modules

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Changes default file association

Found strings related to reading or modifying Windows Defender settings

Uses WEVTUTIL.EXE to query events from a log or log file

Get information on the list of running processes

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Uses WMIC.EXE to obtain Windows Installer data

Checks for external IP

Accesses product unique identifier via WMI (SCRIPT)

Script disables Windows Defender's IPS

Script disables Windows Defender's real-time protection

INFO

Reads the computer name

The sample compiled with english language support

Checks supported languages

Create files in a temporary directory

Reads security settings of Internet Explorer

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information