Analysis
max time kernel: 139s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-09-2022 15:42
Static task: static1
Behavioral task: behavioral1
Sample: 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
Resource: win7-20220812-en
General
Target: 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
Size: 3.6MB
MD5: e1b3507dc15459a3d8962cead57507f9
SHA1: bfde4b87943f40152a6f3c13b953572ead31d22e
SHA256: 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513
SHA512: c8c90acb7ac2d5eac7dc1c22fd460e0fd82f8b6bdd2694e776bf05b6a81f6dabf1ce335b1bfcb40cfb50f7baeee4a822897f15714926b88a245b6e3d8cd76340
SSDEEP: 98304:BkrXnmDty5b0KA5AaYtDri80EIhdyorHe2zj:BkrXmDltJYtNILymHe2zj
Malware Config
Signatures
- Detect Blister loader x32 (6 IoCs)
  resource                                                              yara_rule
  behavioral2/files/0x0008000000022e24-133.dat                          family_blister_x32
  behavioral2/files/0x0008000000022e24-135.dat                          family_blister_x32
  behavioral2/files/0x0008000000022e27-137.dat                          family_blister_x32
  behavioral2/files/0x0008000000022e27-139.dat                          family_blister_x32
  behavioral2/memory/3052-140-0x0000000017170000-0x000000001722C000-memory.dmp   family_blister_x32
  behavioral2/memory/1324-141-0x0000000017170000-0x0000000017489000-memory.dmp   family_blister_x32
- Loads dropped DLL (2 IoCs)
  pid    Process
  3052   rundll32.exe
  1324   rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                         pid    Process                                                                 procid_target
  PID 2132 wrote to memory of 4680    2132   1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe   82
  PID 2132 wrote to memory of 4680    2132   1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe   82
  PID 4680 wrote to memory of 3052    4680   Rundll32.exe                                                            83
  PID 4680 wrote to memory of 3052    4680   Rundll32.exe                                                            83
  PID 4680 wrote to memory of 3052    4680   Rundll32.exe                                                            83
  PID 2132 wrote to memory of 664     2132   1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe   84
  PID 2132 wrote to memory of 664     2132   1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe   84
  PID 664 wrote to memory of 1324     664    Rundll32.exe                                                            85
  PID 664 wrote to memory of 1324     664    Rundll32.exe                                                            85
  PID 664 wrote to memory of 1324     664    Rundll32.exe                                                            85
Processes
- C:\Users\Admin\AppData\Local\Temp\1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe"
  PID: 2132
  Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\Rundll32.exe
    command line: Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll,LaunchColorCpl
    PID: 4680
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll,LaunchColorCpl
      PID: 3052
      Loads dropped DLL
  - C:\Windows\SYSTEM32\Rundll32.exe
    command line: Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll,LaunchColorCpl
    PID: 664
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll,LaunchColorCpl
      PID: 1324
      Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 750KB
  MD5: 9603bc109dbf4ca405525aa7bee8e66e
  SHA1: 837b8b848a7552246174537bbeb01c4cc32764f2
  SHA256: 21912968bee6cea6929a1a3bf0330e06db3f182c07af79664dbb8a963509f20b
  SHA512: e39b0568be9119339c366b11157d41d7795cdaf99bbcb15193395bb3f6f9c3af4404ffd3bc20e28f5e147d576a27c8319e4fa565ed5c43ed56c72d725a9d7fac
- Filesize: 750KB
  MD5: 9603bc109dbf4ca405525aa7bee8e66e
  SHA1: 837b8b848a7552246174537bbeb01c4cc32764f2
  SHA256: 21912968bee6cea6929a1a3bf0330e06db3f182c07af79664dbb8a963509f20b
  SHA512: e39b0568be9119339c366b11157d41d7795cdaf99bbcb15193395bb3f6f9c3af4404ffd3bc20e28f5e147d576a27c8319e4fa565ed5c43ed56c72d725a9d7fac
- Filesize: 3.1MB
  MD5: 1dc30b7016ae9ba51d27624149523d9e
  SHA1: 912a55a8fa54fa8c87602857c6d080e4e39d326b
  SHA256: 23fc50b954bd06c256e16c61d1eda028ed00a682b8f6c6aa17a37633a6188582
  SHA512: 07c50565352e64b1653a7303e5d9fa3ee299fd9259ea80e361e264c1c51f498b024f475bec39106e5c1386f40cc64e843aa07dac01e95055796e9d44f63236e1
- Filesize: 3.1MB
  MD5: 1dc30b7016ae9ba51d27624149523d9e
  SHA1: 912a55a8fa54fa8c87602857c6d080e4e39d326b
  SHA256: 23fc50b954bd06c256e16c61d1eda028ed00a682b8f6c6aa17a37633a6188582
  SHA512: 07c50565352e64b1653a7303e5d9fa3ee299fd9259ea80e361e264c1c51f498b024f475bec39106e5c1386f40cc64e843aa07dac01e95055796e9d44f63236e1