Analysis

max time kernel: 42s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05-09-2022 15:42
Static task: static1
Behavioral task: behavioral1
Sample: 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
Resource: win7-20220812-en
General

Target: 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
Size: 3.6MB
MD5: e1b3507dc15459a3d8962cead57507f9
SHA1: bfde4b87943f40152a6f3c13b953572ead31d22e
SHA256: 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513
SHA512: c8c90acb7ac2d5eac7dc1c22fd460e0fd82f8b6bdd2694e776bf05b6a81f6dabf1ce335b1bfcb40cfb50f7baeee4a822897f15714926b88a245b6e3d8cd76340
SSDEEP: 98304:BkrXnmDty5b0KA5AaYtDri80EIhdyorHe2zj:BkrXmDltJYtNILymHe2zj
Malware Config
Signatures

Detect Blister loader x32 (8 IoCs)
resource | yara_rule
behavioral1/files/0x000a0000000122cd-56.dat | family_blister_x32
behavioral1/files/0x000a0000000122cd-59.dat | family_blister_x32
behavioral1/files/0x000a0000000122cd-60.dat | family_blister_x32
behavioral1/files/0x00090000000122cf-62.dat | family_blister_x32
behavioral1/files/0x00090000000122cf-65.dat | family_blister_x32
behavioral1/files/0x00090000000122cf-66.dat | family_blister_x32
behavioral1/memory/1884-67-0x0000000017170000-0x000000001722C000-memory.dmp | family_blister_x32
behavioral1/memory/1756-68-0x0000000017170000-0x0000000017489000-memory.dmp | family_blister_x32

Loads dropped DLL (4 IoCs)
pid | Process
1884 | rundll32.exe
1884 | rundll32.exe
1756 | rundll32.exe
1756 | rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 1280 wrote to memory of 804 | 1280 | 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe | 28
PID 1280 wrote to memory of 804 | 1280 | 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe | 28
PID 1280 wrote to memory of 804 | 1280 | 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe | 28
PID 804 wrote to memory of 1884 | 804 | Rundll32.exe | 29
PID 804 wrote to memory of 1884 | 804 | Rundll32.exe | 29
PID 804 wrote to memory of 1884 | 804 | Rundll32.exe | 29
PID 804 wrote to memory of 1884 | 804 | Rundll32.exe | 29
PID 804 wrote to memory of 1884 | 804 | Rundll32.exe | 29
PID 804 wrote to memory of 1884 | 804 | Rundll32.exe | 29
PID 804 wrote to memory of 1884 | 804 | Rundll32.exe | 29
PID 1280 wrote to memory of 1496 | 1280 | 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe | 30
PID 1280 wrote to memory of 1496 | 1280 | 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe | 30
PID 1280 wrote to memory of 1496 | 1280 | 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe | 30
PID 1496 wrote to memory of 1756 | 1496 | Rundll32.exe | 31
PID 1496 wrote to memory of 1756 | 1496 | Rundll32.exe | 31
PID 1496 wrote to memory of 1756 | 1496 | Rundll32.exe | 31
PID 1496 wrote to memory of 1756 | 1496 | Rundll32.exe | 31
PID 1496 wrote to memory of 1756 | 1496 | Rundll32.exe | 31
PID 1496 wrote to memory of 1756 | 1496 | Rundll32.exe | 31
PID 1496 wrote to memory of 1756 | 1496 | Rundll32.exe | 31
Processes

[1] C:\Users\Admin\AppData\Local\Temp\1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe"
    PID: 1280
    signatures: Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\Rundll32.exe
        command line: Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll,LaunchColorCpl
        PID: 804
        signatures: Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\rundll32.exe
            command line: Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll,LaunchColorCpl
            PID: 1884
            signatures: Loads dropped DLL

    [2] C:\Windows\system32\Rundll32.exe
        command line: Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll,LaunchColorCpl
        PID: 1496
        signatures: Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\rundll32.exe
            command line: Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll,LaunchColorCpl
            PID: 1756
            signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 750KB
MD5: 9603bc109dbf4ca405525aa7bee8e66e
SHA1: 837b8b848a7552246174537bbeb01c4cc32764f2
SHA256: 21912968bee6cea6929a1a3bf0330e06db3f182c07af79664dbb8a963509f20b
SHA512: e39b0568be9119339c366b11157d41d7795cdaf99bbcb15193395bb3f6f9c3af4404ffd3bc20e28f5e147d576a27c8319e4fa565ed5c43ed56c72d725a9d7fac

Filesize: 3.1MB
MD5: 1dc30b7016ae9ba51d27624149523d9e
SHA1: 912a55a8fa54fa8c87602857c6d080e4e39d326b
SHA256: 23fc50b954bd06c256e16c61d1eda028ed00a682b8f6c6aa17a37633a6188582
SHA512: 07c50565352e64b1653a7303e5d9fa3ee299fd9259ea80e361e264c1c51f498b024f475bec39106e5c1386f40cc64e843aa07dac01e95055796e9d44f63236e1