blister | 1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2022 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
Size

3.6MB
MD5

e1b3507dc15459a3d8962cead57507f9
SHA1

bfde4b87943f40152a6f3c13b953572ead31d22e
SHA256

1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513
SHA512

c8c90acb7ac2d5eac7dc1c22fd460e0fd82f8b6bdd2694e776bf05b6a81f6dabf1ce335b1bfcb40cfb50f7baeee4a822897f15714926b88a245b6e3d8cd76340
SSDEEP

98304:BkrXnmDty5b0KA5AaYtDri80EIhdyorHe2zj:BkrXmDltJYtNILymHe2zj

Score

10^/10

blister loader

Malware Config

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister

Detect Blister loader x32 6 IoCs

loader

resource	yara_rule
behavioral2/files/0x0008000000022e24-133.dat	family_blister_x32
behavioral2/files/0x0008000000022e24-135.dat	family_blister_x32
behavioral2/files/0x0008000000022e27-137.dat	family_blister_x32
behavioral2/files/0x0008000000022e27-139.dat	family_blister_x32
behavioral2/memory/3052-140-0x0000000017170000-0x000000001722C000-memory.dmp	family_blister_x32
behavioral2/memory/1324-141-0x0000000017170000-0x0000000017489000-memory.dmp	family_blister_x32

Loads dropped DLL 2 IoCs

pid	Process
3052	rundll32.exe
1324	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 4680	2132	1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe	82
PID 2132 wrote to memory of 4680	2132	1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe	82
PID 4680 wrote to memory of 3052	4680	Rundll32.exe	83
PID 4680 wrote to memory of 3052	4680	Rundll32.exe	83
PID 4680 wrote to memory of 3052	4680	Rundll32.exe	83
PID 2132 wrote to memory of 664	2132	1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe	84
PID 2132 wrote to memory of 664	2132	1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe	84
PID 664 wrote to memory of 1324	664	Rundll32.exe	85
PID 664 wrote to memory of 1324	664	Rundll32.exe	85
PID 664 wrote to memory of 1324	664	Rundll32.exe	85

C:\Users\Admin\AppData\Local\Temp\1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
"C:\Users\Admin\AppData\Local\Temp\1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SYSTEM32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:3052
- C:\Windows\SYSTEM32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll

Filesize
750KB

MD5
9603bc109dbf4ca405525aa7bee8e66e

SHA1
837b8b848a7552246174537bbeb01c4cc32764f2

SHA256
21912968bee6cea6929a1a3bf0330e06db3f182c07af79664dbb8a963509f20b

SHA512
e39b0568be9119339c366b11157d41d7795cdaf99bbcb15193395bb3f6f9c3af4404ffd3bc20e28f5e147d576a27c8319e4fa565ed5c43ed56c72d725a9d7fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll

Filesize
750KB

MD5
9603bc109dbf4ca405525aa7bee8e66e

SHA1
837b8b848a7552246174537bbeb01c4cc32764f2

SHA256
21912968bee6cea6929a1a3bf0330e06db3f182c07af79664dbb8a963509f20b

SHA512
e39b0568be9119339c366b11157d41d7795cdaf99bbcb15193395bb3f6f9c3af4404ffd3bc20e28f5e147d576a27c8319e4fa565ed5c43ed56c72d725a9d7fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll

Filesize
3.1MB

MD5
1dc30b7016ae9ba51d27624149523d9e

SHA1
912a55a8fa54fa8c87602857c6d080e4e39d326b

SHA256
23fc50b954bd06c256e16c61d1eda028ed00a682b8f6c6aa17a37633a6188582

SHA512
07c50565352e64b1653a7303e5d9fa3ee299fd9259ea80e361e264c1c51f498b024f475bec39106e5c1386f40cc64e843aa07dac01e95055796e9d44f63236e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll

Filesize
3.1MB

MD5
1dc30b7016ae9ba51d27624149523d9e

SHA1
912a55a8fa54fa8c87602857c6d080e4e39d326b

SHA256
23fc50b954bd06c256e16c61d1eda028ed00a682b8f6c6aa17a37633a6188582

SHA512
07c50565352e64b1653a7303e5d9fa3ee299fd9259ea80e361e264c1c51f498b024f475bec39106e5c1386f40cc64e843aa07dac01e95055796e9d44f63236e1

Download Submit
memory/1324-141-0x0000000017170000-0x0000000017489000-memory.dmp

Filesize
3.1MB

Download
memory/3052-140-0x0000000017170000-0x000000001722C000-memory.dmp

Filesize
752KB

Download