blister | f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
40s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
Size

3.6MB
MD5

e1b3507dc15459a3d8962cead57507f9
SHA1

bfde4b87943f40152a6f3c13b953572ead31d22e
SHA256

1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513
SHA512

c8c90acb7ac2d5eac7dc1c22fd460e0fd82f8b6bdd2694e776bf05b6a81f6dabf1ce335b1bfcb40cfb50f7baeee4a822897f15714926b88a245b6e3d8cd76340
SSDEEP

98304:BkrXnmDty5b0KA5AaYtDri80EIhdyorHe2zj:BkrXmDltJYtNILymHe2zj

Score

10^/10

blister loader

Malware Config

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister

Detect Blister loader x32 8 IoCs

loader

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll	family_blister_x32
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll	family_blister_x32
behavioral11/memory/1708-67-0x0000000017170000-0x000000001722C000-memory.dmp	family_blister_x32
behavioral11/memory/916-68-0x0000000017170000-0x0000000017489000-memory.dmp	family_blister_x32

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1708 rundll32.exe
1708 rundll32.exe
916 rundll32.exe
916 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1708	rundll32.exe
1708	rundll32.exe
916	rundll32.exe
916	rundll32.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exeRundll32.exeRundll32.exe

description	pid	process	target process
PID 288 wrote to memory of 1908	288	1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe	Rundll32.exe
PID 288 wrote to memory of 1908	288	1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe	Rundll32.exe
PID 288 wrote to memory of 1908	288	1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe	Rundll32.exe
PID 1908 wrote to memory of 1708	1908	Rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 1708	1908	Rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 1708	1908	Rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 1708	1908	Rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 1708	1908	Rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 1708	1908	Rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 1708	1908	Rundll32.exe	rundll32.exe
PID 288 wrote to memory of 2028	288	1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe	Rundll32.exe
PID 288 wrote to memory of 2028	288	1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe	Rundll32.exe
PID 288 wrote to memory of 2028	288	1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe	Rundll32.exe
PID 2028 wrote to memory of 916	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 916	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 916	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 916	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 916	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 916	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 916	2028	Rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
"C:\Users\Admin\AppData\Local\Temp\1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\system32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:1708
- C:\Windows\system32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll

Filesize
750KB

MD5
9603bc109dbf4ca405525aa7bee8e66e

SHA1
837b8b848a7552246174537bbeb01c4cc32764f2

SHA256
21912968bee6cea6929a1a3bf0330e06db3f182c07af79664dbb8a963509f20b

SHA512
e39b0568be9119339c366b11157d41d7795cdaf99bbcb15193395bb3f6f9c3af4404ffd3bc20e28f5e147d576a27c8319e4fa565ed5c43ed56c72d725a9d7fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll

Filesize
3.1MB

MD5
1dc30b7016ae9ba51d27624149523d9e

SHA1
912a55a8fa54fa8c87602857c6d080e4e39d326b

SHA256
23fc50b954bd06c256e16c61d1eda028ed00a682b8f6c6aa17a37633a6188582

SHA512
07c50565352e64b1653a7303e5d9fa3ee299fd9259ea80e361e264c1c51f498b024f475bec39106e5c1386f40cc64e843aa07dac01e95055796e9d44f63236e1

Download Submit
\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll

Filesize
750KB

MD5
9603bc109dbf4ca405525aa7bee8e66e

SHA1
837b8b848a7552246174537bbeb01c4cc32764f2

SHA256
21912968bee6cea6929a1a3bf0330e06db3f182c07af79664dbb8a963509f20b

SHA512
e39b0568be9119339c366b11157d41d7795cdaf99bbcb15193395bb3f6f9c3af4404ffd3bc20e28f5e147d576a27c8319e4fa565ed5c43ed56c72d725a9d7fac

Download Submit
\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll

Filesize
750KB

MD5
9603bc109dbf4ca405525aa7bee8e66e

SHA1
837b8b848a7552246174537bbeb01c4cc32764f2

SHA256
21912968bee6cea6929a1a3bf0330e06db3f182c07af79664dbb8a963509f20b

SHA512
e39b0568be9119339c366b11157d41d7795cdaf99bbcb15193395bb3f6f9c3af4404ffd3bc20e28f5e147d576a27c8319e4fa565ed5c43ed56c72d725a9d7fac

Download Submit
\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll

Filesize
3.1MB

MD5
1dc30b7016ae9ba51d27624149523d9e

SHA1
912a55a8fa54fa8c87602857c6d080e4e39d326b

SHA256
23fc50b954bd06c256e16c61d1eda028ed00a682b8f6c6aa17a37633a6188582

SHA512
07c50565352e64b1653a7303e5d9fa3ee299fd9259ea80e361e264c1c51f498b024f475bec39106e5c1386f40cc64e843aa07dac01e95055796e9d44f63236e1

Download Submit
\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll

Filesize
3.1MB

MD5
1dc30b7016ae9ba51d27624149523d9e

SHA1
912a55a8fa54fa8c87602857c6d080e4e39d326b

SHA256
23fc50b954bd06c256e16c61d1eda028ed00a682b8f6c6aa17a37633a6188582

SHA512
07c50565352e64b1653a7303e5d9fa3ee299fd9259ea80e361e264c1c51f498b024f475bec39106e5c1386f40cc64e843aa07dac01e95055796e9d44f63236e1

Download Submit
memory/288-54-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download
memory/916-63-0x0000000000000000-mapping.dmp

Download
memory/916-68-0x0000000017170000-0x0000000017489000-memory.dmp

Filesize
3.1MB

Download
memory/1708-58-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1708-57-0x0000000000000000-mapping.dmp

Download
memory/1708-67-0x0000000017170000-0x000000001722C000-memory.dmp

Filesize
752KB

Download
memory/1908-55-0x0000000000000000-mapping.dmp

Download
memory/2028-61-0x0000000000000000-mapping.dmp

Download