Analysis

  • max time kernel
    38s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    01-09-2022 17:51

General

  • Target

    f57aa9ab17ac7f1cb81871d28fb70e3a3072801f5da5d615549032c809190817.exe

  • Size

    454KB

  • MD5

    eab4905720f7b315f4e061f6092bab07

  • SHA1

    742c84ccd773d3c60ecf75be8fb8231bfca702d5

  • SHA256

    f57aa9ab17ac7f1cb81871d28fb70e3a3072801f5da5d615549032c809190817

  • SHA512

    a3973ad44c53ef33abea5f341ff5f7934b6045136cabbffb8cd2c7b667722e13e4eb8b1f21fa2b663929bdb89f402e6d1f53d4561cef7639988d61ecf103dd26

  • SSDEEP

    12288:8j01lUPCTgvBwXW2eHEnMisaLfBtgh6avAmu/q1:71yqTWAWTAMihfBtghF+G

Score
10/10

Malware Config

Signatures

  • BLISTER

    BLISTER is a downloader used to deliver other malware families.

  • Detect Blister loader x64 6 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f57aa9ab17ac7f1cb81871d28fb70e3a3072801f5da5d615549032c809190817.exe
    "C:\Users\Admin\AppData\Local\Temp\f57aa9ab17ac7f1cb81871d28fb70e3a3072801f5da5d615549032c809190817.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\system32\Rundll32.exe
      Rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d_dxg\VGAuthService.dll,DXGIReportAdapterConfiguration
      2⤵
      • Loads dropped DLL
      PID:1428

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3d_dxg\VGAuthService.dll

    Filesize

    621KB

    MD5

    160389696ed7f37f164f1947eda00830

    SHA1

    8fa0c8bd42a2e28820b4288fdc9d983348fd0724

    SHA256

    149c3d044abc3c3a15ba1bb55db7e05cbf87008bd3d23d7dd4a3e31fcfd7af10

    SHA512

    754476ae08414a28a86bebd1f99dd4ff1caef6a6b9e920ae9f84716ea2e9d1bd82c98c4f3a71065f7ef4afcbd889464a02d3628873a60a3e5596fdd08fa0196f

  • \Users\Admin\AppData\Local\Temp\3d_dxg\VGAuthService.dll

    Filesize

    621KB

    MD5

    160389696ed7f37f164f1947eda00830

    SHA1

    8fa0c8bd42a2e28820b4288fdc9d983348fd0724

    SHA256

    149c3d044abc3c3a15ba1bb55db7e05cbf87008bd3d23d7dd4a3e31fcfd7af10

    SHA512

    754476ae08414a28a86bebd1f99dd4ff1caef6a6b9e920ae9f84716ea2e9d1bd82c98c4f3a71065f7ef4afcbd889464a02d3628873a60a3e5596fdd08fa0196f

  • memory/784-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

    Filesize

    8KB

  • memory/1428-55-0x0000000000000000-mapping.dmp

  • memory/1428-61-0x000007FEF6480000-0x000007FEF6520000-memory.dmp

    Filesize

    640KB