59821b8aabe5acc8b1eb91ed2de2cba91b05351c3d9e3bf52ba0ba786f359b87

Analysis

max time kernel
4294337s
max time network
334s
platform
windows7_x64
resource
win7-20220311-en
submitted
22-03-2022 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bloom/Bloom.exe
Size

128.1MB
MD5

c8635ab554fb726513b5e6e54409e185
SHA1

353e271c00088c4195bd12af3241038004906ed5
SHA256

ae2b6557d6f2b37ba44cc8d7c80ebb66ec2d56392f7ee65ab3ca5108aed90674
SHA512

ac1daff8596e9258d019dbcc5f1447bf2cd1ffad87629a1742eac3a725352ca52c2f51a898936c8eaf3ffedd5f4733c86fe56d7bd69be42a2ba2242a52620dfa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation	Bloom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation	Bloom.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
700	Bloom.exe
1796	Bloom.exe
1320	Bloom.exe
2044	Bloom.exe
2044	Bloom.exe
1208	Bloom.exe
2068	Bloom.exe
2212	Bloom.exe
2476	Bloom.exe
2520	Bloom.exe
2584	Bloom.exe
2628	Bloom.exe
2716	Bloom.exe
2044	Bloom.exe
2044	Bloom.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2044	Bloom.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1644	2044	Bloom.exe	29
PID 2044 wrote to memory of 1644	2044	Bloom.exe	29
PID 2044 wrote to memory of 1644	2044	Bloom.exe	29
PID 2044 wrote to memory of 700	2044	Bloom.exe	30
PID 2044 wrote to memory of 700	2044	Bloom.exe	30
PID 2044 wrote to memory of 700	2044	Bloom.exe	30
PID 2044 wrote to memory of 1796	2044	Bloom.exe	31
PID 2044 wrote to memory of 1796	2044	Bloom.exe	31
PID 2044 wrote to memory of 1796	2044	Bloom.exe	31
PID 2044 wrote to memory of 1320	2044	Bloom.exe	32
PID 2044 wrote to memory of 1320	2044	Bloom.exe	32
PID 2044 wrote to memory of 1320	2044	Bloom.exe	32
PID 2044 wrote to memory of 1208	2044	Bloom.exe	33
PID 2044 wrote to memory of 1208	2044	Bloom.exe	33
PID 2044 wrote to memory of 1208	2044	Bloom.exe	33
PID 2044 wrote to memory of 2068	2044	Bloom.exe	36
PID 2044 wrote to memory of 2068	2044	Bloom.exe	36
PID 2044 wrote to memory of 2068	2044	Bloom.exe	36
PID 2044 wrote to memory of 2212	2044	Bloom.exe	37
PID 2044 wrote to memory of 2212	2044	Bloom.exe	37
PID 2044 wrote to memory of 2212	2044	Bloom.exe	37
PID 2044 wrote to memory of 2476	2044	Bloom.exe	39
PID 2044 wrote to memory of 2476	2044	Bloom.exe	39
PID 2044 wrote to memory of 2476	2044	Bloom.exe	39
PID 2044 wrote to memory of 2520	2044	Bloom.exe	40
PID 2044 wrote to memory of 2520	2044	Bloom.exe	40
PID 2044 wrote to memory of 2520	2044	Bloom.exe	40
PID 2044 wrote to memory of 2584	2044	Bloom.exe	41
PID 2044 wrote to memory of 2584	2044	Bloom.exe	41
PID 2044 wrote to memory of 2584	2044	Bloom.exe	41
PID 2044 wrote to memory of 2628	2044	Bloom.exe	42
PID 2044 wrote to memory of 2628	2044	Bloom.exe	42
PID 2044 wrote to memory of 2628	2044	Bloom.exe	42
PID 2044 wrote to memory of 2716	2044	Bloom.exe	43
PID 2044 wrote to memory of 2716	2044	Bloom.exe	43
PID 2044 wrote to memory of 2716	2044	Bloom.exe	43

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0x7fef67d9ec0,0x7fef67d9ed0,0x7fef67d9ee0
  2⤵
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1088 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:700
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\Bloom\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=1912 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1244 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2068
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=884 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=2256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2044-57-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download