blister | f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
65s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exe
Size

3.7MB
MD5

d3d82570eaa1da170db4db23dbb14e16
SHA1

765f698108eef0a2822471d446e1f9c66b035f2c
SHA256

2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c
SHA512

fa195c32a640799870f53810e47ae340b69e230c8989a96b8019852458cecffeb68a80a9c463e97a8f9dce633a91044fdf28e84e927379acd30a74bd0ce2eb64
SSDEEP

98304:rxgYxM3ES6HXzYw368t/9VmCin4olv8/wO3b:ruUOIFa4oF84cb

Score

10^/10

blister loader

Malware Config

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister

Detect Blister loader x32 8 IoCs

loader

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Profilinstall\GraphicalGUI.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\Profilinstall\GraphicalGUI.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\Profilinstall\GraphicalGUI.dll	family_blister_x32
C:\Users\Admin\AppData\Local\Temp\Profilinstall\Guicolor.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\Profilinstall\Guicolor.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\Profilinstall\Guicolor.dll	family_blister_x32
behavioral17/memory/1792-67-0x0000000017170000-0x0000000017488000-memory.dmp	family_blister_x32
behavioral17/memory/1708-68-0x0000000017170000-0x0000000017226000-memory.dmp	family_blister_x32

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1792 rundll32.exe
1792 rundll32.exe
1708 rundll32.exe
1708 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1792	rundll32.exe
1792	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exeRundll32.exeRundll32.exe

description	pid	process	target process
PID 980 wrote to memory of 2020	980	2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exe	Rundll32.exe
PID 980 wrote to memory of 2020	980	2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exe	Rundll32.exe
PID 980 wrote to memory of 2020	980	2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exe	Rundll32.exe
PID 2020 wrote to memory of 1792	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1792	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1792	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1792	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1792	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1792	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1792	2020	Rundll32.exe	rundll32.exe
PID 980 wrote to memory of 2028	980	2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exe	Rundll32.exe
PID 980 wrote to memory of 2028	980	2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exe	Rundll32.exe
PID 980 wrote to memory of 2028	980	2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exe	Rundll32.exe
PID 2028 wrote to memory of 1708	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1708	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1708	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1708	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1708	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1708	2028	Rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 1708	2028	Rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exe
"C:\Users\Admin\AppData\Local\Temp\2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\system32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Profilinstall\GraphicalGUI.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Profilinstall\GraphicalGUI.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:1792
- C:\Windows\system32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Profilinstall\Guicolor.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Profilinstall\Guicolor.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Profilinstall\GraphicalGUI.dll

Filesize
3.1MB

MD5
7ff880c23c755a3c0ecc0493c939f4cb

SHA1
2945d611ccb64a3a4322f73913cc676503a872d6

SHA256
8ae2c205220c95f0f7e1f67030a9027822cc18e941b669e2a52a5dbb5af74bc9

SHA512
85f9a39d3e6eb547d22ad1c16d103c46a4bfac70a66cabdadb2ea3d04b4f8945d6669701907221bb19613047d78a87d47b456980a64c5b50a5f8347b205ca84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Profilinstall\Guicolor.dll

Filesize
724KB

MD5
c7e4751c628cf903da96c78a24f6a2aa

SHA1
43af06c4feb893858d7e81775ed6adbc1d49f10e

SHA256
516cac58a6bfec5b9c214b6bba0b724961148199d32fb42c01b12ac31f6a6099

SHA512
897bdcb72f2f6a1f6af40ede007c1b0a4e20b95a358c807d7be62e70e35179cd3feb0a73406df34b1503608411a84c4f86fe140f438f2c4f4b920d7a8446e2f1

Download Submit
\Users\Admin\AppData\Local\Temp\Profilinstall\GraphicalGUI.dll

Filesize
3.1MB

MD5
7ff880c23c755a3c0ecc0493c939f4cb

SHA1
2945d611ccb64a3a4322f73913cc676503a872d6

SHA256
8ae2c205220c95f0f7e1f67030a9027822cc18e941b669e2a52a5dbb5af74bc9

SHA512
85f9a39d3e6eb547d22ad1c16d103c46a4bfac70a66cabdadb2ea3d04b4f8945d6669701907221bb19613047d78a87d47b456980a64c5b50a5f8347b205ca84b

Download Submit
\Users\Admin\AppData\Local\Temp\Profilinstall\GraphicalGUI.dll

Filesize
3.1MB

MD5
7ff880c23c755a3c0ecc0493c939f4cb

SHA1
2945d611ccb64a3a4322f73913cc676503a872d6

SHA256
8ae2c205220c95f0f7e1f67030a9027822cc18e941b669e2a52a5dbb5af74bc9

SHA512
85f9a39d3e6eb547d22ad1c16d103c46a4bfac70a66cabdadb2ea3d04b4f8945d6669701907221bb19613047d78a87d47b456980a64c5b50a5f8347b205ca84b

Download Submit
\Users\Admin\AppData\Local\Temp\Profilinstall\Guicolor.dll

Filesize
724KB

MD5
c7e4751c628cf903da96c78a24f6a2aa

SHA1
43af06c4feb893858d7e81775ed6adbc1d49f10e

SHA256
516cac58a6bfec5b9c214b6bba0b724961148199d32fb42c01b12ac31f6a6099

SHA512
897bdcb72f2f6a1f6af40ede007c1b0a4e20b95a358c807d7be62e70e35179cd3feb0a73406df34b1503608411a84c4f86fe140f438f2c4f4b920d7a8446e2f1

Download Submit
\Users\Admin\AppData\Local\Temp\Profilinstall\Guicolor.dll

Filesize
724KB

MD5
c7e4751c628cf903da96c78a24f6a2aa

SHA1
43af06c4feb893858d7e81775ed6adbc1d49f10e

SHA256
516cac58a6bfec5b9c214b6bba0b724961148199d32fb42c01b12ac31f6a6099

SHA512
897bdcb72f2f6a1f6af40ede007c1b0a4e20b95a358c807d7be62e70e35179cd3feb0a73406df34b1503608411a84c4f86fe140f438f2c4f4b920d7a8446e2f1

Download Submit
memory/980-54-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmp

Filesize
8KB

Download
memory/1708-63-0x0000000000000000-mapping.dmp

Download
memory/1708-68-0x0000000017170000-0x0000000017226000-memory.dmp

Filesize
728KB

Download
memory/1792-58-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1792-57-0x0000000000000000-mapping.dmp

Download
memory/1792-67-0x0000000017170000-0x0000000017488000-memory.dmp

Filesize
3.1MB

Download
memory/2020-55-0x0000000000000000-mapping.dmp

Download
memory/2028-61-0x0000000000000000-mapping.dmp

Download