Overview
Overall score: 10
Static analysis (static1) score: 10

Analysis
- max time kernel: 287s
- max time network: 342s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 22-03-2022 15:39

Tasks (static task plus 20 behavioral tasks; scores as listed in the task sidebar)
Task           Sample                      Platform             Resource                 Score
static1        (static analysis)           -                    -                        10
behavioral1    Install.lnk                 windows7_x64         win7-20220311-en         3
behavioral2    Install.lnk                 windows10-2004_x64   win10v2004-20220310-en   3
behavioral3    Bloom/Bloom.exe             windows7_x64         win7-20220311-en         7
behavioral4    Bloom/Bloom.exe             windows10-2004_x64   win10v2004-20220310-en   7
behavioral5    Bloom/d3dcompiler_47.dll    windows7_x64         win7-20220311-en         3
behavioral6    Bloom/d3dcompiler_47.dll    windows10-2004_x64   win10v2004-en-20220113   1
behavioral7    Bloom/ffmpeg.dll            windows7_x64         win7-20220310-en         1
behavioral8    Bloom/ffmpeg.dll            windows10-2004_x64   win10v2004-en-20220113   1
behavioral9    Bloom/libEGL.dll            windows7_x64         win7-20220310-en         1
behavioral10   Bloom/libEGL.dll            windows10-2004_x64   win10v2004-en-20220113   1
behavioral11   Bloom/libGLESv2.dll         windows7_x64         win7-20220311-en         3
behavioral12   Bloom/libGLESv2.dll         windows10-2004_x64   win10v2004-20220310-en   3
behavioral13   Bloom/node.dll              windows7_x64         win7-20220311-en         1
behavioral14   Bloom/node.dll              windows10-2004_x64   win10v2004-20220310-en   1
behavioral15   Bloom/nw.dll                windows7_x64         win7-20220311-en         3
behavioral16   Bloom/nw.dll                windows10-2004_x64   win10v2004-en-20220113   3
behavioral17   Bloom/nw_elf.dll            windows7_x64         win7-20220310-en         1
behavioral18   Bloom/nw_elf.dll            windows10-2004_x64   win10v2004-en-20220113   1
behavioral19   resources.bat               windows7_x64         win7-20220310-en         6
behavioral20   resources.bat               windows10-2004_x64   win10v2004-en-20220113   10
General
- Target: Bloom/Bloom.exe
- Size: 128.1MB
- MD5: c8635ab554fb726513b5e6e54409e185
- SHA1: 353e271c00088c4195bd12af3241038004906ed5
- SHA256: ae2b6557d6f2b37ba44cc8d7c80ebb66ec2d56392f7ee65ab3ca5108aed90674
- SHA512: ac1daff8596e9258d019dbcc5f1447bf2cd1ffad87629a1742eac3a725352ca52c2f51a898936c8eaf3ffedd5f4733c86fe56d7bd69be42a2ba2242a52620dfa
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description         ioc                                                                                                      process
  Key value queried   \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation   Bloom.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation   Bloom.exe
- Modifies data under HKEY_USERS (1 IoC)
  Processes:
  description   ioc                                                                                               process
  Key created   \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections   svchost.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes:
  pid    process
  1148   Bloom.exe
  1148   Bloom.exe
  1112   Bloom.exe
  1112   Bloom.exe
  2552   Bloom.exe
  2552   Bloom.exe
  2932   Bloom.exe
  2932   Bloom.exe
  4456   Bloom.exe
  4456   Bloom.exe
  3728   Bloom.exe
  3728   Bloom.exe
  5052   Bloom.exe
  5052   Bloom.exe
  4608   Bloom.exe
  4608   Bloom.exe
  1584   Bloom.exe
  1584   Bloom.exe
  1500   Bloom.exe
  1500   Bloom.exe
  372    Bloom.exe
  372    Bloom.exe
  2932   Bloom.exe
  2932   Bloom.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  pid    process
  2932   Bloom.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
  description                          pid    process     target process
  PID 2932 wrote to memory of 5100     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 5100     2932   Bloom.exe   Bloom.exe
  PID 5100 wrote to memory of 3608     5100   Bloom.exe   Bloom.exe
  PID 5100 wrote to memory of 3608     5100   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 1148     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 1148     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 1112     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 1112     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 2552     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 2552     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 4456     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 4456     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 3728     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 3728     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 5052     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 5052     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 4608     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 4608     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 1584     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 1584     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 1500     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 1500     2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 372      2932   Bloom.exe   Bloom.exe
  PID 2932 wrote to memory of 372      2932   Bloom.exe   Bloom.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:2932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:5100)
    Command line: C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ffa2be99ec0,0x7ffa2be99ed0,0x7ffa2be99ee0
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:3608)
      Command line: C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x1b8,0x1c0,0x1c4,0x138,0x1bc,0x7ff6e9044e60,0x7ff6e9044e70,0x7ff6e9044e80
  - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:1112)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=1912 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:1148)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:2552)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=2188 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:4456)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\Bloom\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2644 /prefetch:1
    Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:3728)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2016 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:5052)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3168 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:4608)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3080 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:1584)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3112 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:1500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3144 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe (PID:372)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3152 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\svchost.exe (PID:1200)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  Signatures: Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads