Analysis

  • max time kernel
    37s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2022 15:50

General

  • Target

    3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe

  • Size

    3.5MB

  • MD5

    5a400b8c8efe3eb9d70fa9ee4569ce5d

  • SHA1

    1da1f81315aff1b7ffe320b9883dcac2ab05c6a8

  • SHA256

    3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2

  • SHA512

    af657f501ca949286dcfc0170cdedebe326c5836a2599de523bf68439d1128280d14cbe46e444f05c00de0777f803d4fa83adc48494d9d0a1a9c902ffb054b5e

  • SSDEEP

    98304:q3ah4ACuy5iqfcnv6bePNMbSK2FP0C1wqF8CGIk:qQrCuygYePNiSZwqmCxk

Score
10/10

Malware Config

Signatures

  • BLISTER

    BLISTER is a downloader used to deliver other malware families.

  • Detect Blister loader x32 8 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe
    "C:\Users\Admin\AppData\Local\Temp\3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\system32\Rundll32.exe
      Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tempfile\interfacegui.dll,LaunchColorCpl
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\SysWOW64\rundll32.exe
        Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tempfile\interfacegui.dll,LaunchColorCpl
        3⤵
        • Loads dropped DLL
        PID:2040
    • C:\Windows\system32\Rundll32.exe
      Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tempfile\colorui.dll,LaunchColorCpl
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\SysWOW64\rundll32.exe
        Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Tempfile\colorui.dll,LaunchColorCpl
        3⤵
        • Loads dropped DLL
        PID:1528

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Tempfile\colorui.dll

    Filesize

    736KB

    MD5

    51c97b49ac56ec2183077a127305ea52

    SHA1

    4fc99ab0e17fbadbb6cf1bb92398f57c0b71e4c7

    SHA256

    25a0d6a839c4dc708dcdd1ef9395570cc86d54d4725b7daf56964017f66be3c1

    SHA512

    99160fd02e10429d15232e984781e57e8caf9e86fd07f904b2a6a26d33803186187ebadd87a30b16d52998631ec8ab351f52b43ecaa5da428457c317aa9f0fd3

  • C:\Users\Admin\AppData\Local\Temp\Tempfile\interfacegui.dll

    Filesize

    3.1MB

    MD5

    9360132c2ca6e068f3cfda5f7ec2e8b8

    SHA1

    b45ab5bb6561daecdb36e075ce15f765bf9b5cc0

    SHA256

    3c7480998ade344b74e956f7d3a3f1a989aaf43446163a62f0a8ed34b0c010d0

    SHA512

    4f8eb75b504c89e4b5b3fc7b55f21e8e85269ddb626fcecf2b101ba5fc563fe6e160c31e47444ea17328b2c13bf9a84e6be7b4d671b005c4ac2b6bf77c641002

  • \Users\Admin\AppData\Local\Temp\Tempfile\colorui.dll

    Filesize

    736KB

    MD5

    51c97b49ac56ec2183077a127305ea52

    SHA1

    4fc99ab0e17fbadbb6cf1bb92398f57c0b71e4c7

    SHA256

    25a0d6a839c4dc708dcdd1ef9395570cc86d54d4725b7daf56964017f66be3c1

    SHA512

    99160fd02e10429d15232e984781e57e8caf9e86fd07f904b2a6a26d33803186187ebadd87a30b16d52998631ec8ab351f52b43ecaa5da428457c317aa9f0fd3

  • \Users\Admin\AppData\Local\Temp\Tempfile\colorui.dll

    Filesize

    736KB

    MD5

    51c97b49ac56ec2183077a127305ea52

    SHA1

    4fc99ab0e17fbadbb6cf1bb92398f57c0b71e4c7

    SHA256

    25a0d6a839c4dc708dcdd1ef9395570cc86d54d4725b7daf56964017f66be3c1

    SHA512

    99160fd02e10429d15232e984781e57e8caf9e86fd07f904b2a6a26d33803186187ebadd87a30b16d52998631ec8ab351f52b43ecaa5da428457c317aa9f0fd3

  • \Users\Admin\AppData\Local\Temp\Tempfile\interfacegui.dll

    Filesize

    3.1MB

    MD5

    9360132c2ca6e068f3cfda5f7ec2e8b8

    SHA1

    b45ab5bb6561daecdb36e075ce15f765bf9b5cc0

    SHA256

    3c7480998ade344b74e956f7d3a3f1a989aaf43446163a62f0a8ed34b0c010d0

    SHA512

    4f8eb75b504c89e4b5b3fc7b55f21e8e85269ddb626fcecf2b101ba5fc563fe6e160c31e47444ea17328b2c13bf9a84e6be7b4d671b005c4ac2b6bf77c641002

  • \Users\Admin\AppData\Local\Temp\Tempfile\interfacegui.dll

    Filesize

    3.1MB

    MD5

    9360132c2ca6e068f3cfda5f7ec2e8b8

    SHA1

    b45ab5bb6561daecdb36e075ce15f765bf9b5cc0

    SHA256

    3c7480998ade344b74e956f7d3a3f1a989aaf43446163a62f0a8ed34b0c010d0

    SHA512

    4f8eb75b504c89e4b5b3fc7b55f21e8e85269ddb626fcecf2b101ba5fc563fe6e160c31e47444ea17328b2c13bf9a84e6be7b4d671b005c4ac2b6bf77c641002

  • memory/844-55-0x0000000000000000-mapping.dmp

  • memory/1252-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

    Filesize

    8KB

  • memory/1528-63-0x0000000000000000-mapping.dmp

  • memory/1528-68-0x0000000017170000-0x000000001722B000-memory.dmp

    Filesize

    748KB

  • memory/1744-61-0x0000000000000000-mapping.dmp

  • memory/2040-58-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

    Filesize

    8KB

  • memory/2040-57-0x0000000000000000-mapping.dmp

  • memory/2040-67-0x0000000017170000-0x0000000017487000-memory.dmp

    Filesize

    3.1MB