Analysis

  • max time kernel
    287s
  • max time network
    342s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    22-03-2022 15:39

General

  • Target

    Bloom/Bloom.exe

  • Size

    128.1MB

  • MD5

    c8635ab554fb726513b5e6e54409e185

  • SHA1

    353e271c00088c4195bd12af3241038004906ed5

  • SHA256

    ae2b6557d6f2b37ba44cc8d7c80ebb66ec2d56392f7ee65ab3ca5108aed90674

  • SHA512

    ac1daff8596e9258d019dbcc5f1447bf2cd1ffad87629a1742eac3a725352ca52c2f51a898936c8eaf3ffedd5f4733c86fe56d7bd69be42a2ba2242a52620dfa

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (24 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
    "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
      C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ffa2be99ec0,0x7ffa2be99ed0,0x7ffa2be99ee0
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
        C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x1b8,0x1c0,0x1c4,0x138,0x1bc,0x7ff6e9044e60,0x7ff6e9044e70,0x7ff6e9044e80
        3⤵
        PID:3608
    • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
      "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=1912 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1112
    • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
      "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1148
    • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
      "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=2188 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2552
    • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
      "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\Bloom\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2644 /prefetch:1
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      PID:4456
    • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
      "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2016 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3728
    • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
      "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3168 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5052
    • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
      "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3080 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4608
    • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
      "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3112 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1584
    • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
      "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3144 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1500
    • C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
      "C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3152 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:372
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:1200
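
The process tree above is the shape of a Chromium-derived (NW.js) application: one browser process spawning a Crashpad handler, GPU, utility and renderer children, every child carrying --no-sandbox, several utility services running with --service-sandbox-type=none, V8 flags injected into the renderer and a bundled PPAPI Flash plugin. The Python below is an added example, not part of this report or of the Bloom application: it tokenises such Windows command lines (quoted paths with spaces included), derives each process's role from --type, and flags the isolation-relevant switches. The sample command lines are copied from the tree above and trimmed to the switches that matter (constructed input); the risk notes are this example's own reading of Chromium's switch semantics.

```python
"""Triage Chromium-style child-process command lines from a sandbox process tree.

Added example, not part of the sandbox report or of the Bloom application.
SAMPLE_TREE is constructed input: command lines copied from the report's
Processes section and trimmed. Switch meanings follow Chromium; the notes
are this example's reading of them.
"""
from __future__ import annotations

import re
from typing import Optional

# One Windows command-line token: a run of non-space characters in which a
# double-quoted segment may contain spaces, e.g. --user-data-dir="C:\a b".
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Constructed sample: command lines from the report above, trimmed.
SAMPLE_TREE = [
    r'"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"',
    r'C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2',
    r'"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" /prefetch:8',
    r'"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:8',
    r'"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\Bloom\gen" --js-flags=--expose-gc --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 /prefetch:1',
]


def parse_cmdline(cmdline: str) -> tuple[str, dict[str, list[Optional[str]]]]:
    """Split a command line into (executable, switches).

    Switches map name -> list of values because Chromium repeats some switches
    (several --annotation=key=value for Crashpad). A switch without '=' is
    stored with the value None. Quotes are removed after tokenising.
    """
    tokens = [t.replace('"', "") for t in _TOKEN.findall(cmdline)]
    if not tokens:
        raise ValueError("empty command line")
    switches: dict[str, list[Optional[str]]] = {}
    for arg in tokens[1:]:
        name, sep, value = arg.partition("=")
        switches.setdefault(name, []).append(value if sep else None)
    return tokens[0], switches


def _first(switches: dict, name: str) -> Optional[str]:
    values = switches.get(name)
    return values[0] if values else None


def triage(cmdline: str) -> dict:
    """Classify one process and list the isolation-relevant switches it carries."""
    exe, sw = parse_cmdline(cmdline)
    # No --type means the browser (main) process; everything else is a child.
    role = _first(sw, "--type") or "browser"
    if role == "utility" and _first(sw, "--utility-sub-type"):
        role += "/" + _first(sw, "--utility-sub-type")

    notes = []
    if "--no-sandbox" in sw:
        notes.append("Chromium sandbox disabled (--no-sandbox)")
    if _first(sw, "--service-sandbox-type") == "none":
        notes.append("utility service runs unsandboxed (--service-sandbox-type=none)")
    if _first(sw, "--js-flags"):
        notes.append(f"V8 flags injected into renderer: {_first(sw, '--js-flags')}")
    if "--ppapi-flash-path" in sw:
        ver = _first(sw, "--ppapi-flash-version") or "unknown"
        notes.append(f"bundled PPAPI Flash {ver} (Flash Player reached end of life in Dec 2020)")
    if "--register-pepper-plugins" in sw:
        notes.append(f"pepper plugins registered: {_first(sw, '--register-pepper-plugins')}")

    # Crashpad handlers carry product metadata as --annotation=key=value.
    annotations = dict(a.split("=", 1) for a in sw.get("--annotation", []) if a and "=" in a)

    return {
        "exe": exe,
        "role": role,
        "nwjs": "--nwjs" in sw or "--nwapp-path" in sw,
        "no_sandbox": "--no-sandbox" in sw,
        "annotations": annotations,
        "notes": notes,
    }


def unsandboxed_roles(cmdlines: list[str]) -> list[str]:
    """Roles of every process in the tree that runs with --no-sandbox."""
    return [t["role"] for t in map(triage, cmdlines) if t["no_sandbox"]]


if __name__ == "__main__":
    for line in SAMPLE_TREE:
        t = triage(line)
        print(f"{t['role']:45} nwjs={t['nwjs']} {t['annotations'] or ''}")
        for note in t["notes"]:
            print("    -", note)
```

Run against the full tree on this page the same way: every child process reports --no-sandbox, the StorageService and UtilWin utilities additionally report --service-sandbox-type=none, and the Crashpad handler's annotations give the product name and version (prod=Bloom, ver=0.0.2) without any need to unpack the binary.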

Network

MITRE ATT&CK Enterprise v6


Downloads

    • C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad\settings.dat

      MD5

      859077f8330f712f052806fdc9d42718

      SHA1

      2bf765b2ea5685f89a29874a4e0b10ca5407b27b

      SHA256

      40e56ba54df06db41a8faef13e407040007ed9cd06cbd94d392a6e012cc66012

      SHA512

      efe49b357d68389e8b978a24c60f39b30c2f8899a00f3e1344fadf0cfbf41b72d8652511e6ab5056769d57024ff0cdd7be733a6c3547d1f027ac189e9aa9340e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364\package.json

      MD5

      f2b68a4a5ff5d3a6fd2b6bab88b8bb39

      SHA1

      568f4a6315bff20309d9be2b3fe2c4e248d39c40

      SHA256

      5f60a974c59cc55c57173eae94f32b7d53b7cb11a6d97f69cb3a2af7bca5396e

      SHA512

      e10abdfbf6d0acd91107018fa209e41dad375538b02515ca24441e85245cc13e5fdd6cc0d14c2f0ada46ef70f3de9a02541a93f84d8e906563905d5a1ceb1319

    • \??\pipe\crashpad_2932_NNJTTWDFDKUSIIXI

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • memory/1200-143-0x00000247E9EC0000-0x00000247E9EC1000-memory.dmp

      Filesize

      4KB

    • memory/1200-139-0x00000247E79D0000-0x00000247E79D4000-memory.dmp

      Filesize

      16KB

    • memory/1200-138-0x00000247E76C0000-0x00000247E76D0000-memory.dmp

      Filesize

      64KB

    • memory/1200-142-0x00000247E9EE0000-0x00000247E9EE4000-memory.dmp

      Filesize

      16KB

    • memory/1200-137-0x00000247E7660000-0x00000247E7670000-memory.dmp

      Filesize

      64KB

    • memory/1200-144-0x00000247E9C60000-0x00000247E9C64000-memory.dmp

      Filesize

      16KB

    • memory/1200-145-0x00000247E79F0000-0x00000247E79F1000-memory.dmp

      Filesize

      4KB

    • memory/1200-146-0x00000247E79F0000-0x00000247E79F4000-memory.dmp

      Filesize

      16KB

    • memory/1200-147-0x00000247E7950000-0x00000247E7951000-memory.dmp

      Filesize

      4KB

    • memory/4456-140-0x0000346E00040000-0x0000346E00041000-memory.dmp

      Filesize

      4KB