Malware Analysis Report

2024-10-23 17:09

Sample ID 220322-s3wyvscfbr
Target 3840x2970 DC Comics HD Wallpaper and Background.txt.iso
SHA256 59821b8aabe5acc8b1eb91ed2de2cba91b05351c3d9e3bf52ba0ba786f359b87
Tags
persistence plugx trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1 (Detonation Overview; Signatures)

Analysis: behavioral9, behavioral16, behavioral17, behavioral18, behavioral6, behavioral8, behavioral3, behavioral4, behavioral19, behavioral20, behavioral1, behavioral10, behavioral12, behavioral14, behavioral2, behavioral5, behavioral13, behavioral15, behavioral7, behavioral11 (each with Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

score
10/10

SHA256

59821b8aabe5acc8b1eb91ed2de2cba91b05351c3d9e3bf52ba0ba786f359b87

Threat Level: Known bad

The file 3840x2970 DC Comics HD Wallpaper and Background.txt.iso was found to be: Known bad.
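The detonations below show the ISO contents unpacked under C:\Users\Admin\AppData\Local\Temp\Bloom\ as Bloom.exe plus five DLLs (libEGL.dll, nw.dll, nw_elf.dll, d3dcompiler_47.dll, ffmpeg.dll), and the file name itself carries a decoy .txt before the real .iso. The following script is an added example, not part of this report or of any sandbox's tooling: it triages a directory holding extracted or mounted ISO contents for exactly those two traits, a double extension on the container and an EXE staged next to DLLs with well-known runtime names (the DLL side-loading layout). The directory tree it builds is constructed from the paths in this report with invented file bytes, and the DLL-name list is an assumption drawn from this report rather than a curated side-loading list; the report does not say which, if any, of the DLLs carries the payload that the static analysis flagged as PlugX.

```python
# Added example (not part of the report): static triage of a directory that
# holds the extracted or mounted contents of an ISO lure.  The tree built in
# build_sample_tree() is constructed from the file names the report shows
# under ...\Temp\Bloom\; the file bytes are invented.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions a lure hides behind, and the container/executable types that are
# actually opened.  "...Background.txt.iso" has a decoy .txt before the real .iso.
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".png"}
REAL_EXTS = {".iso", ".img", ".vhd", ".vhdx", ".exe", ".scr", ".lnk", ".js"}

# DLL names from the report's detonations.  Assumption: a real triage script
# carries a curated list of DLL names commonly abused for side-loading.
SIDELOAD_DLL_NAMES = {"libegl.dll", "nw.dll", "nw_elf.dll", "d3dcompiler_47.dll", "ffmpeg.dll"}


def is_double_extension(name: str) -> bool:
    """True for 'document.txt.iso'-style names: a decoy extension in front of the real one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and f".{parts[1]}" in DECOY_EXTS and f".{parts[2]}" in REAL_EXTS


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so a large payload need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sideload_candidates(root: Path) -> List[Dict]:
    """Directories holding an EXE next to DLLs named like well-known runtime DLLs.

    That layout is the classic side-loading staging pattern: the EXE resolves
    a DLL by name and the loader looks in the EXE's own directory first.
    """
    findings = []
    exe_dirs = {p.parent for p in root.rglob("*") if p.is_file() and p.suffix.lower() == ".exe"}
    for d in sorted(exe_dirs):
        exes = sorted(p.name for p in d.iterdir() if p.suffix.lower() == ".exe")
        dlls = sorted(p.name for p in d.iterdir() if p.name.lower() in SIDELOAD_DLL_NAMES)
        if exes and dlls:
            findings.append({
                "dir": str(d.relative_to(root)),
                "exes": exes,
                "dlls": dlls,
                # hashes are what you match against the report's IOCs or a blocklist
                "sha256": {n: sha256_of(d / n) for n in exes + dlls},
            })
    return findings


def build_sample_tree() -> Path:
    """Constructed stand-in for the ISO contents: layout from the report, bytes invented."""
    root = Path(tempfile.mkdtemp(prefix="iso_triage_"))
    bloom = root / "Bloom"
    bloom.mkdir()
    (bloom / "Bloom.exe").write_bytes(b"MZ" + b"\0" * 62)
    for name in ("libEGL.dll", "nw.dll", "nw_elf.dll", "d3dcompiler_47.dll", "ffmpeg.dll"):
        (bloom / name).write_bytes(b"MZ" + name.encode())
    (bloom / "package.json").write_text("{}")  # present in the report; contents not shown
    return root


if __name__ == "__main__":
    iso_name = "3840x2970 DC Comics HD Wallpaper and Background.txt.iso"
    print("double extension:", is_double_extension(iso_name))
    for finding in sideload_candidates(build_sample_tree()):
        print(finding["dir"], finding["exes"], finding["dlls"])
```

Point sideload_candidates() at the mount point or extraction directory of a real sample; the hashes it returns are what you compare with the SHA-256 values in a report like this one before deciding whether a detonation is even needed.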

Malicious Activity Summary

persistence plugx trojan

PlugX

Plugx family

PlugX Rat Payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory
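A caveat on reading the summary above against the per-run sections: Bloom.exe's process tree (crashpad-handler, gpu-process, renderer and utility children, the --nwjs and --nwapp-path switches) is the standard NW.js/Chromium multi-process layout, and the WriteProcessMemory, EnumeratesProcesses and FindShellTrayWindow hits are all recorded against Bloom.exe's own child processes, which any NW.js application produces. The stronger signals in this report are the static PlugX detection, the staged DLLs launched by ordinal from the user's Temp directory, and the Run-key persistence. The script below is an added example, not code from this report or from the sandbox: detection logic for those two behavioural signals over process-creation and registry events. The sample events are constructed from the command lines in the behavioral9 and behavioral16 sections; the Run-key value is hypothetical, since the report names the signature but not the key data, and the DLL-name set is an assumption taken from this report rather than a curated side-loading list.

```python
# Added example (not from the report): detection logic over process and
# registry events of the kind the report lists.  SAMPLE_EVENTS is constructed
# from the report's command lines; the Run-key value is hypothetical.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Directories a standard user can write to.  A DLL or autorun target living
# here is the signal; the same action from Program Files or System32 is not.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(?:appdata\\(?:local|roaming)|downloads|desktop)\\",
    re.IGNORECASE,
)
# %TEMP% specifically: legitimate software rarely persists from here, while
# AppData\Local proper hosts many real per-user installs, so it rates lower.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# rundll32 <dll>,#<ordinal>: an export called by ordinal instead of by name,
# which is how each staged DLL was launched (e.g. "...\Bloom\libEGL.dll,#1").
RUNDLL32_ORDINAL = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*#(?P<ordinal>\d+)\b',
    re.IGNORECASE,
)

# DLL names from the report's detonations.  Assumption: production rules carry
# a curated list of DLL names commonly abused for side-loading.
SIDELOAD_DLL_NAMES = {"libegl.dll", "nw.dll", "nw_elf.dll", "d3dcompiler_47.dll", "ffmpeg.dll"}

RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"


@dataclass(frozen=True)
class Event:
    kind: str              # "process" or "registry"
    image: str             # image path of the acting process
    command_line: str = ""
    reg_key: str = ""      # registry events only
    reg_value: str = ""    # data written to the value


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    detail: str


def first_token(cmd: str) -> str:
    """Executable path at the front of a command string, honouring a quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]  # unquoted paths with spaces are ambiguous, as for Windows itself


def rundll32_ordinal_from_user_dir(ev: Event) -> Optional[Alert]:
    """rundll32 calling an export by ordinal in a DLL under a user-writable path."""
    if ev.kind != "process":
        return None
    m = RUNDLL32_ORDINAL.match(ev.command_line)
    if not m or not USER_WRITABLE.match(m["dll"]):
        return None
    name = m["dll"].rsplit("\\", 1)[-1].lower()
    severity = "high" if name in SIDELOAD_DLL_NAMES else "medium"
    return Alert("rundll32_ordinal_user_dir", severity, f"{m['dll']} export #{m['ordinal']}")


def run_key_into_user_dir(ev: Event) -> Optional[Alert]:
    """Run-key persistence whose target executable sits in a user-writable directory."""
    if ev.kind != "registry" or not ev.reg_key.lower().endswith(RUN_KEY_SUFFIX):
        return None
    target = first_token(ev.reg_value)
    if not USER_WRITABLE.match(target):
        return None
    severity = "high" if USER_TEMP.match(target) else "medium"
    return Alert("run_key_user_dir", severity, f"{ev.reg_key} -> {target}")


RULES = (rundll32_ordinal_from_user_dir, run_key_into_user_dir)


def detect(events: Iterable[Event]) -> List[Alert]:
    """Run every rule over every event; hits come back in event order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


SAMPLE_EVENTS = [
    # behavioral9: the launch of a staged DLL by ordinal
    Event("process", r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libEGL.dll,#1"),
    # behavioral16: Windows Error Reporting after the crash; benign on its own
    Event("process", r"C:\Windows\system32\WerFault.exe",
          r"C:\Windows\system32\WerFault.exe -u -p 1416 -s 472"),
    # everyday rundll32 use: named export, system DLL; must not fire
    Event("process", r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe shell32.dll,Control_RunDLL"),
    # hypothetical Run-key write (SID from the report, value invented)
    Event("registry", r"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe",
          reg_key=r"\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run",
          reg_value=r'"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"'),
    # a vendor updater registered from Program Files; must not fire
    Event("registry", r"C:\Program Files\Vendor\Updater.exe",
          reg_key=r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
          reg_value=r'"C:\Program Files\Vendor\Updater.exe" /background'),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.detail}")
```

Feed detect() from whatever produces process-creation and registry-set events in your environment (Sysmon event IDs 1 and 13 carry exactly these fields); the rules deliberately key on where the DLL or autorun target lives rather than on the file names, so they still fire when the staged DLLs are renamed.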

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-22 15:41

Signatures

PlugX Rat Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Plugx family

plugx

Analysis: behavioral9

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:50

Platform

win7-20220310-en

Max time kernel

4294344s

Max time network

319s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:49

Platform

win10v2004-en-20220113

Max time kernel

205s

Max time network

264s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 416 -p 1416 -ip 1416

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1416 -s 472

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:50

Platform

win7-20220310-en

Max time kernel

4294344s

Max time network

320s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw_elf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw_elf.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:49

Platform

win10v2004-en-20220113

Max time kernel

292s

Max time network

321s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw_elf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw_elf.dll,#1

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:49

Platform

win10v2004-en-20220113

Max time kernel

217s

Max time network

268s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\d3dcompiler_47.dll,#1

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:49

Platform

win10v2004-en-20220113

Max time kernel

303s

Max time network

328s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\ffmpeg.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.247.211.254:80 | | tcp
US | 8.247.211.254:80 | | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:49

Platform

win7-20220311-en

Max time kernel

4294337s

Max time network

334s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | N/A (2 identical events)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | N/A

Suspicious use of WriteProcessMemory

(Each row below was logged three times; the duplicates are collapsed.)

Description | Indicator | Process | Target
PID 2044 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2044 wrote to memory of 700 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2044 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2044 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2044 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2044 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2044 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2044 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2044 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2044 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2044 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2044 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x148,0x14c,0x150,0x11c,0x154,0x7fef67d9ec0,0x7fef67d9ed0,0x7fef67d9ee0

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1088 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1368 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1584 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\Bloom\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=1912 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1244 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=884 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=2256 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=2268 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1856 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1008 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1076,9938032442524369588,6679438981206572997,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811" --mojo-platform-channel-handle=1060 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dns.google | udp
US | 8.8.8.8:443 | dns.google | tcp
US | 8.8.8.8:443 | dns.google | tcp
US | 8.8.8.8:443 | dns.google | udp
US | 8.8.8.8:443 | dns.google | udp
US | 8.8.8.8:443 | dns.google | udp

Files

C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad\settings.dat

MD5 076beab1a441ec9ff2fbb37f3f9d8c94
SHA1 03b3810cac5d079db35a31c94bf1b0307ccfcbbf
SHA256 7469538c6907e283652b6026b6e3680cc7421c07a320dbfb851fdd813a65f406
SHA512 60d6f11768fae1affd7f6e4545f20dca025ccb3e94b9be97f41644aa0eae13f8acfca4830a4d658d0beeab9489967e86485ce53e399aa456326a7a3345d9c4d9

C:\Users\Admin\AppData\Local\Temp\nw2044_2036912811\package.json

MD5 f2b68a4a5ff5d3a6fd2b6bab88b8bb39
SHA1 568f4a6315bff20309d9be2b3fe2c4e248d39c40
SHA256 5f60a974c59cc55c57173eae94f32b7d53b7cb11a6d97f69cb3a2af7bca5396e
SHA512 e10abdfbf6d0acd91107018fa209e41dad375538b02515ca24441e85245cc13e5fdd6cc0d14c2f0ada46ef70f3de9a02541a93f84d8e906563905d5a1ceb1319

\??\pipe\crashpad_2044_NOPVKWOSCBQPZYHD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2044-57-0x0000000006C80000-0x0000000006C81000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:50

Platform

win10v2004-20220310-en

Max time kernel

287s

Max time network

342s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | N/A (2 identical events)

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\System32\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | N/A (24 identical events)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | N/A

Suspicious use of WriteProcessMemory

(Each row below was logged twice; the duplicates are collapsed.)

Description | Indicator | Process | Target
PID 2932 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 5100 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2932 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2932 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2932 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2932 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2932 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2932 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2932 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2932 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2932 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe
PID 2932 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe | C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe"

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ffa2be99ec0,0x7ffa2be99ed0,0x7ffa2be99ee0

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Bloom\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Bloom --annotation=ver=0.0.2 --initial-client-data=0x1b8,0x1c0,0x1c4,0x138,0x1bc,0x7ff6e9044e60,0x7ff6e9044e70,0x7ff6e9044e80

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=1912 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=2188 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Local\Temp\Bloom\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2644 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=gpu-process --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2016 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3168 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3080 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3112 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3144 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Local\Temp\Bloom\Bloom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,4092269735729369172,12797119001894867917,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Bloom\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364" --mojo-platform-channel-handle=3152 /prefetch:8

Network

Country | Destination | Domain | Proto
NL | 104.110.191.133:80 | N/A | tcp
US | 93.184.221.240:80 | N/A | tcp
US | 93.184.221.240:80 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 8.8.8.8:53 | dns.google | udp
US | 8.8.4.4:443 | dns.google | tcp
US | 8.8.4.4:443 | dns.google | tcp
US | 8.8.4.4:443 | dns.google | udp
US | 8.8.8.8:53 | dns.google | udp
US | 8.8.8.8:53 | dns.google | udp
US | 8.8.8.8:53 | dns.google | udp
US | 8.8.8.8:53 | dns.google | udp
US | 8.8.4.4:443 | dns.google | udp

Files

C:\Users\Admin\AppData\Local\Bloom\User Data\Crashpad\settings.dat

MD5 859077f8330f712f052806fdc9d42718
SHA1 2bf765b2ea5685f89a29874a4e0b10ca5407b27b
SHA256 40e56ba54df06db41a8faef13e407040007ed9cd06cbd94d392a6e012cc66012
SHA512 efe49b357d68389e8b978a24c60f39b30c2f8899a00f3e1344fadf0cfbf41b72d8652511e6ab5056769d57024ff0cdd7be733a6c3547d1f027ac189e9aa9340e

C:\Users\Admin\AppData\Local\Temp\nw2932_1991203364\package.json

MD5 f2b68a4a5ff5d3a6fd2b6bab88b8bb39
SHA1 568f4a6315bff20309d9be2b3fe2c4e248d39c40
SHA256 5f60a974c59cc55c57173eae94f32b7d53b7cb11a6d97f69cb3a2af7bca5396e
SHA512 e10abdfbf6d0acd91107018fa209e41dad375538b02515ca24441e85245cc13e5fdd6cc0d14c2f0ada46ef70f3de9a02541a93f84d8e906563905d5a1ceb1319

\??\pipe\crashpad_2932_NNJTTWDFDKUSIIXI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1200-137-0x00000247E7660000-0x00000247E7670000-memory.dmp

memory/1200-138-0x00000247E76C0000-0x00000247E76D0000-memory.dmp

memory/1200-139-0x00000247E79D0000-0x00000247E79D4000-memory.dmp

memory/4456-140-0x0000346E00040000-0x0000346E00041000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1200-142-0x00000247E9EE0000-0x00000247E9EE4000-memory.dmp

memory/1200-143-0x00000247E9EC0000-0x00000247E9EC1000-memory.dmp

memory/1200-144-0x00000247E9C60000-0x00000247E9C64000-memory.dmp

memory/1200-145-0x00000247E79F0000-0x00000247E79F1000-memory.dmp

memory/1200-146-0x00000247E79F0000-0x00000247E79F4000-memory.dmp

memory/1200-147-0x00000247E7950000-0x00000247E7951000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:48

Platform

win7-20220310-en

Max time kernel

4294367s

Max time network

318s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\resources.bat"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bloom = "C:\\Users\\Admin\\AppData\\Roaming\\Bloom\\Bloom.exe --zAZsKBNE" | C:\Windows\system32\reg.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 536 wrote to memory of 1268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 536 wrote to memory of 1268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 536 wrote to memory of 1268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 536 wrote to memory of 580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 536 wrote to memory of 580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 536 wrote to memory of 580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\resources.bat"

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Bloom /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Bloom /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe --zAZsKBNE" /f

Network

N/A

Files

memory/536-54-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:48

Platform

win10v2004-en-20220113

Max time kernel

54s

Max time network

130s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\resources.bat"

Signatures

PlugX

trojan plugx

PlugX Rat Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bloom = "C:\\Users\\Admin\\AppData\\Roaming\\Bloom\\Bloom.exe --zAZsKBNE" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1056 wrote to memory of 1576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tar.exe
PID 1056 wrote to memory of 1576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tar.exe
PID 1056 wrote to memory of 1796 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1056 wrote to memory of 1796 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1056 wrote to memory of 1952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1056 wrote to memory of 1952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1056 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe
PID 1056 wrote to memory of 2232 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\resources.bat"

C:\Windows\system32\tar.exe

tar -xvf "app.zip" -C "C:\Users\Admin\AppData\Roaming"

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Bloom /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Bloom /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe --zAZsKBNE" /f

C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe

"C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe"

Network

Files

C:\Users\Admin\AppData\Roaming\Bloom\Bloom.exe

MD5 c8635ab554fb726513b5e6e54409e185
SHA1 353e271c00088c4195bd12af3241038004906ed5
SHA256 ae2b6557d6f2b37ba44cc8d7c80ebb66ec2d56392f7ee65ab3ca5108aed90674
SHA512 ac1daff8596e9258d019dbcc5f1447bf2cd1ffad87629a1742eac3a725352ca52c2f51a898936c8eaf3ffedd5f4733c86fe56d7bd69be42a2ba2242a52620dfa

C:\Users\Admin\AppData\Roaming\Bloom\nw_elf.dll

MD5 c73b8e71aa716278dda520c7f6d7d3b8
SHA1 2331fd8b3ed2cc02ee860f5faa0f12d6a80b00fe
SHA256 51cd730f33682a99410117cdac984f2e1ea21f7c8af113b0e830532e9849b316
SHA512 3475e87a75d0d5483945dd9fe81b56d66baca35342b1db0e21bc28b3dcccf193b834b067d268447a538343be81b23af4dbfbd864258261ce5d45d69ef88692a6

C:\Users\Admin\AppData\Roaming\Bloom\nw.dll

MD5 3d2dadc029a8b5fc745a956c1a5ee568
SHA1 a353b0fec54f5c853109b175cea49893b72f539e
SHA256 b756c3f4de49600d23f369718cad7eb8645f7ada1dfafc71f47c18e3e2c5aadd
SHA512 c513823f9ffaaba52d90f0a7733274787cbc9f380b3670da145a96947b4e1f6a539393f29ee22b65432048b8e15bd4014b760ec73e4e63a7b80975706467a5b5

C:\Users\Admin\AppData\Roaming\Bloom\ffmpeg.dll

MD5 dd861e1e5a552fa88759b995d92a8c52
SHA1 c1e8ab9f6abc84ce46ea3ddadbf7c5f5b671776a
SHA256 09385bebc5b187013f61eadbbd78cc3ce57450f817ac015f80eeec088487e1a4
SHA512 0ebc82b17fe04cedb97451183c6280fec3838bed8ed0944530ea025e7aa36dac73092d16a9b975094b2ac85b1184d2f985598bc1856776f1679303c0e4e6f42a

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:48

Platform

win7-20220311-en

Max time kernel

4294179s

Max time network

130s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Install.lnk

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Install.lnk

Network

N/A

Files

memory/852-54-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:49

Platform

win10v2004-en-20220113

Max time kernel

222s

Max time network

280s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libEGL.dll,#1

Network

Country | Destination | Domain | Proto
NL | 178.79.208.1:80 | N/A | tcp
NL | 178.79.208.1:80 | N/A | tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:50

Platform

win10v2004-20220310-en

Max time kernel

168s

Max time network

254s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libGLESv2.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 432 -p 3708 -ip 3708

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3708 -s 340

Network

Country | Destination | Domain | Proto
NL | 104.110.191.133:80 | N/A | tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:50

Platform

win10v2004-20220310-en

Max time kernel

163s

Max time network

265s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\node.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\node.dll,#1

Network

Country | Destination | Domain | Proto
NL | 104.80.225.205:443 | N/A | tcp
NL | 84.53.175.107:80 | N/A | tcp
NL | 84.53.175.107:80 | N/A | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:48

Platform

win10v2004-20220310-en

Max time kernel

226s

Max time network

300s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Install.lnk

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Install.lnk

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | N/A | tcp
US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp
NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 8.8.8.8:53 | api.msn.com | udp
US | 204.79.197.203:443 | api.msn.com | tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:49

Platform

win7-20220311-en

Max time kernel

4294181s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\d3dcompiler_47.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1672 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1672 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1672 wrote to memory of 1704 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\d3dcompiler_47.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1672 -s 92

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:49

Platform

win7-20220311-en

Max time kernel

4294361s

Max time network

319s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\node.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\node.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:49

Platform

win7-20220311-en

Max time kernel

4294360s

Max time network

318s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1352 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1352 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1352 wrote to memory of 2028 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\nw.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1352 -s 204

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:50

Platform

win7-20220310-en

Max time kernel

4294343s

Max time network

319s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\ffmpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2022-03-22 15:39

Reported

2022-03-22 15:49

Platform

win7-20220311-en

Max time kernel

4294362s

Max time network

319s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libGLESv2.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1824 wrote to memory of 588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1824 wrote to memory of 588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe
PID 1824 wrote to memory of 588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Bloom\libGLESv2.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1824 -s 92

Network

N/A

Files

N/A