59821b8aabe5acc8b1eb91ed2de2cba91b05351c3d9e3bf52ba0ba786f359b87

Analysis

max time kernel
4294337s
max time network
334s
platform
windows7_x64
resource
win7-20220311-en
submitted
22-03-2022 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bloom/Bloom.exe
Size

128.1MB
MD5

c8635ab554fb726513b5e6e54409e185
SHA1

353e271c00088c4195bd12af3241038004906ed5
SHA256

ae2b6557d6f2b37ba44cc8d7c80ebb66ec2d56392f7ee65ab3ca5108aed90674
SHA512

ac1daff8596e9258d019dbcc5f1447bf2cd1ffad87629a1742eac3a725352ca52c2f51a898936c8eaf3ffedd5f4733c86fe56d7bd69be42a2ba2242a52620dfa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Bloom.exeBloom.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation	Bloom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation	Bloom.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Bloom.exeBloom.exeBloom.exeBloom.exeBloom.exeBloom.exeBloom.exeBloom.exeBloom.exeBloom.exeBloom.exeBloom.exe

pid	process
700	Bloom.exe
1796	Bloom.exe
1320	Bloom.exe
2044	Bloom.exe
2044	Bloom.exe
1208	Bloom.exe
2068	Bloom.exe
2212	Bloom.exe
2476	Bloom.exe
2520	Bloom.exe
2584	Bloom.exe
2628	Bloom.exe
2716	Bloom.exe
2044	Bloom.exe
2044	Bloom.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Bloom.exe

pid process

2044 Bloom.exe

pid	process
2044	Bloom.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Bloom.exe

description	pid	process	target process
PID 2044 wrote to memory of 1644	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 1644	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 1644	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 700	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 700	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 700	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 1796	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 1796	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 1796	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 1320	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 1320	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 1320	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 1208	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 1208	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 1208	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2068	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2068	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2068	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2212	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2212	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2212	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2476	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2476	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2476	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2520	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2520	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2520	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2584	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2584	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2584	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2628	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2628	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2628	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2716	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2716	2044	Bloom.exe	Bloom.exe
PID 2044 wrote to memory of 2716	2044	Bloom.exe	Bloom.exe

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0x7fef67d9ec0,0x7fef67d9ed0,0x7fef67d9ee0
2⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1088 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:700

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1368 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1796

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1584 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1320

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\Bloom\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=1912 /prefetch:1
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1244 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2068

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=884 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2212

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=2256 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=2268 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1856 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1008 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1060 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad\settings.dat
MD5
076beab1a441ec9ff2fbb37f3f9d8c94

SHA1
03b3810cac5d079db35a31c94bf1b0307ccfcbbf

SHA256
7469538c6907e283652b6026b6e3680cc7421c07a320dbfb851fdd813a65f406

SHA512
60d6f11768fae1affd7f6e4545f20dca025ccb3e94b9be97f41644aa0eae13f8acfca4830a4d658d0beeab9489967e86485ce53e399aa456326a7a3345d9c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811\package.json
MD5
f2b68a4a5ff5d3a6fd2b6bab88b8bb39

SHA1
568f4a6315bff20309d9be2b3fe2c4e248d39c40

SHA256
5f60a974c59cc55c57173eae94f32b7d53b7cb11a6d97f69cb3a2af7bca5396e

SHA512
e10abdfbf6d0acd91107018fa209e41dad375538b02515ca24441e85245cc13e5fdd6cc0d14c2f0ada46ef70f3de9a02541a93f84d8e906563905d5a1ceb1319

Download Submit
\??\pipe\crashpad_2044_NOPVKWOSCBQPZYHD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2044-57-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download