Overview
overview
10Static
static
0494e1b88f...90.exe
windows7-x64
30494e1b88f...90.exe
windows10-2004-x64
30f41c175bc...07.exe
windows7-x64
30f41c175bc...07.exe
windows10-2004-x64
30f78cea418...13.exe
windows7-x64
30f78cea418...13.exe
windows10-2004-x64
312ffee3e2c...c5.exe
windows7-x64
312ffee3e2c...c5.exe
windows10-2004-x64
31449f8a93c...3a.exe
windows7-x64
71449f8a93c...3a.exe
windows10-2004-x64
71463bbb2a8...13.exe
windows7-x64
101463bbb2a8...13.exe
windows10-2004-x64
10148b25ad23...fa.exe
windows7-x64
7148b25ad23...fa.exe
windows10-2004-x64
71fe05e5f82...ec.exe
windows7-x64
101fe05e5f82...ec.exe
windows10-2004-x64
102a12cf13b7...8c.exe
windows7-x64
102a12cf13b7...8c.exe
windows10-2004-x64
102aaa916d56...f3.exe
windows7-x64
102aaa916d56...f3.exe
windows10-2004-x64
102b247f89f1...d0.exe
windows7-x64
72b247f89f1...d0.exe
windows10-2004-x64
73757406d4b...a9.exe
windows7-x64
33757406d4b...a9.exe
windows10-2004-x64
339828c100c...f5.exe
windows7-x64
339828c100c...f5.exe
windows10-2004-x64
33ac3fd9de6...e2.exe
windows7-x64
103ac3fd9de6...e2.exe
windows10-2004-x64
104c0d6edc64...3f.exe
windows7-x64
104c0d6edc64...3f.exe
windows10-2004-x64
104fe551bcea...e5.exe
windows7-x64
104fe551bcea...e5.exe
windows10-2004-x64
10Analysis
-
max time kernel
37s -
max time network
53s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
05-09-2022 15:50
Static task
static1
Behavioral task
behavioral1
Sample
0494e1b88f4a3b69162ef51971246f87c0ad434549a802ae7d54aee954190090.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
0494e1b88f4a3b69162ef51971246f87c0ad434549a802ae7d54aee954190090.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral3
Sample
0f41c175bc3b7e6c6688b143d5e8d037d5ce6671886fb3a10e5fcbaa6cd1cd07.exe
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
0f41c175bc3b7e6c6688b143d5e8d037d5ce6671886fb3a10e5fcbaa6cd1cd07.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
0f78cea41852b4b219e4127e5db31404d463594d7e893c1498afe0938cf83813.exe
Resource
win7-20220901-en
Behavioral task
behavioral6
Sample
0f78cea41852b4b219e4127e5db31404d463594d7e893c1498afe0938cf83813.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
12ffee3e2c5daf4019991827cefc744154de65568c9527755bd548d0740058c5.exe
Resource
win7-20220812-en
Behavioral task
behavioral8
Sample
12ffee3e2c5daf4019991827cefc744154de65568c9527755bd548d0740058c5.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
1449f8a93c3bf1bf34091945ecce2da9e7e71b8cc7235309e37031edc801303a.exe
Resource
win7-20220901-en
Behavioral task
behavioral10
Sample
1449f8a93c3bf1bf34091945ecce2da9e7e71b8cc7235309e37031edc801303a.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
Resource
win7-20220812-en
Behavioral task
behavioral12
Sample
1463bbb2a82fb27ad4b86489b2910a8ec9c1a29cf19aaaa0da37b9217f674513.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral13
Sample
148b25ad23097ace1d616a362c65706e63e392133cdda5495aaa3b70e6064ffa.exe
Resource
win7-20220901-en
Behavioral task
behavioral14
Sample
148b25ad23097ace1d616a362c65706e63e392133cdda5495aaa3b70e6064ffa.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
1fe05e5f8237f2c9c6b079eaf4f1e21aea96b1a092a66bf3ab9633a59c50c6ec.exe
Resource
win7-20220812-en
Behavioral task
behavioral16
Sample
1fe05e5f8237f2c9c6b079eaf4f1e21aea96b1a092a66bf3ab9633a59c50c6ec.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral17
Sample
2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exe
Resource
win7-20220812-en
Behavioral task
behavioral18
Sample
2a12cf13b7145e1ddb3cc6b36b0716ee3563f35ba5544b1c127fb553f0a2108c.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
2aaa916d56cfe95abb65fbc222bfdfa2b16a3ffb6660c1bdc211004302a1aef3.exe
Resource
win7-20220812-en
Behavioral task
behavioral20
Sample
2aaa916d56cfe95abb65fbc222bfdfa2b16a3ffb6660c1bdc211004302a1aef3.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral21
Sample
2b247f89f132b4674e69a4403e715f7eb951278e77bdb9a9f62605d21b6df2d0.exe
Resource
win7-20220812-en
Behavioral task
behavioral22
Sample
2b247f89f132b4674e69a4403e715f7eb951278e77bdb9a9f62605d21b6df2d0.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
3757406d4b995a2a6e9f5b12a5ce317b84425b3534065a39705f49a5bdc0d4a9.exe
Resource
win7-20220812-en
Behavioral task
behavioral24
Sample
3757406d4b995a2a6e9f5b12a5ce317b84425b3534065a39705f49a5bdc0d4a9.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral25
Sample
39828c100cf2134d3cc8f57a9c5eb40c1206a5a339f3c60aba202eb8bf1420f5.exe
Resource
win7-20220812-en
Behavioral task
behavioral26
Sample
39828c100cf2134d3cc8f57a9c5eb40c1206a5a339f3c60aba202eb8bf1420f5.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral27
Sample
3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe
Resource
win7-20220901-en
Behavioral task
behavioral28
Sample
3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
4c0d6edc64d4af980e7fe0d01dc66380d5f0d1b1d845080a12ec74849880783f.exe
Resource
win7-20220812-en
Behavioral task
behavioral30
Sample
4c0d6edc64d4af980e7fe0d01dc66380d5f0d1b1d845080a12ec74849880783f.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral31
Sample
4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5.exe
Resource
win7-20220812-en
General
-
Target
3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe
-
Size
3.5MB
-
MD5
5a400b8c8efe3eb9d70fa9ee4569ce5d
-
SHA1
1da1f81315aff1b7ffe320b9883dcac2ab05c6a8
-
SHA256
3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2
-
SHA512
af657f501ca949286dcfc0170cdedebe326c5836a2599de523bf68439d1128280d14cbe46e444f05c00de0777f803d4fa83adc48494d9d0a1a9c902ffb054b5e
-
SSDEEP
98304:q3ah4ACuy5iqfcnv6bePNMbSK2FP0C1wqF8CGIk:qQrCuygYePNiSZwqmCxk
Malware Config
Signatures
-
Detect Blister loader x32 8 IoCs
resource yara_rule behavioral27/files/0x0009000000013a09-56.dat family_blister_x32 behavioral27/files/0x0009000000013a09-59.dat family_blister_x32 behavioral27/files/0x0009000000013a09-60.dat family_blister_x32 behavioral27/files/0x000a000000013a31-62.dat family_blister_x32 behavioral27/files/0x000a000000013a31-66.dat family_blister_x32 behavioral27/files/0x000a000000013a31-65.dat family_blister_x32 behavioral27/memory/2040-67-0x0000000017170000-0x0000000017487000-memory.dmp family_blister_x32 behavioral27/memory/1528-68-0x0000000017170000-0x000000001722B000-memory.dmp family_blister_x32 -
Loads dropped DLL 4 IoCs
pid Process 2040 rundll32.exe 2040 rundll32.exe 1528 rundll32.exe 1528 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1252 wrote to memory of 844 1252 3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe 27 PID 1252 wrote to memory of 844 1252 3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe 27 PID 1252 wrote to memory of 844 1252 3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe 27 PID 844 wrote to memory of 2040 844 Rundll32.exe 28 PID 844 wrote to memory of 2040 844 Rundll32.exe 28 PID 844 wrote to memory of 2040 844 Rundll32.exe 28 PID 844 wrote to memory of 2040 844 Rundll32.exe 28 PID 844 wrote to memory of 2040 844 Rundll32.exe 28 PID 844 wrote to memory of 2040 844 Rundll32.exe 28 PID 844 wrote to memory of 2040 844 Rundll32.exe 28 PID 1252 wrote to memory of 1744 1252 3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe 29 PID 1252 wrote to memory of 1744 1252 3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe 29 PID 1252 wrote to memory of 1744 1252 3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe 29 PID 1744 wrote to memory of 1528 1744 Rundll32.exe 30 PID 1744 wrote to memory of 1528 1744 Rundll32.exe 30 PID 1744 wrote to memory of 1528 1744 Rundll32.exe 30 PID 1744 wrote to memory of 1528 1744 Rundll32.exe 30 PID 1744 wrote to memory of 1528 1744 Rundll32.exe 30 PID 1744 wrote to memory of 1528 1744 Rundll32.exe 30 PID 1744 wrote to memory of 1528 1744 Rundll32.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe"C:\Users\Admin\AppData\Local\Temp\3ac3fd9de619c934b0fad04b0384898d98cd69444da2d2bbf3bdd6a7e922fce2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\system32\Rundll32.exeRundll32.exe C:\Users\Admin\AppData\Local\Temp\Tempfile\interfacegui.dll,LaunchColorCpl2⤵
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\rundll32.exeRundll32.exe C:\Users\Admin\AppData\Local\Temp\Tempfile\interfacegui.dll,LaunchColorCpl3⤵
- Loads dropped DLL
PID:2040
-
-
-
C:\Windows\system32\Rundll32.exeRundll32.exe C:\Users\Admin\AppData\Local\Temp\Tempfile\colorui.dll,LaunchColorCpl2⤵
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\rundll32.exeRundll32.exe C:\Users\Admin\AppData\Local\Temp\Tempfile\colorui.dll,LaunchColorCpl3⤵
- Loads dropped DLL
PID:1528
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736KB
MD551c97b49ac56ec2183077a127305ea52
SHA14fc99ab0e17fbadbb6cf1bb92398f57c0b71e4c7
SHA25625a0d6a839c4dc708dcdd1ef9395570cc86d54d4725b7daf56964017f66be3c1
SHA51299160fd02e10429d15232e984781e57e8caf9e86fd07f904b2a6a26d33803186187ebadd87a30b16d52998631ec8ab351f52b43ecaa5da428457c317aa9f0fd3
-
Filesize
3.1MB
MD59360132c2ca6e068f3cfda5f7ec2e8b8
SHA1b45ab5bb6561daecdb36e075ce15f765bf9b5cc0
SHA2563c7480998ade344b74e956f7d3a3f1a989aaf43446163a62f0a8ed34b0c010d0
SHA5124f8eb75b504c89e4b5b3fc7b55f21e8e85269ddb626fcecf2b101ba5fc563fe6e160c31e47444ea17328b2c13bf9a84e6be7b4d671b005c4ac2b6bf77c641002
-
Filesize
736KB
MD551c97b49ac56ec2183077a127305ea52
SHA14fc99ab0e17fbadbb6cf1bb92398f57c0b71e4c7
SHA25625a0d6a839c4dc708dcdd1ef9395570cc86d54d4725b7daf56964017f66be3c1
SHA51299160fd02e10429d15232e984781e57e8caf9e86fd07f904b2a6a26d33803186187ebadd87a30b16d52998631ec8ab351f52b43ecaa5da428457c317aa9f0fd3
-
Filesize
736KB
MD551c97b49ac56ec2183077a127305ea52
SHA14fc99ab0e17fbadbb6cf1bb92398f57c0b71e4c7
SHA25625a0d6a839c4dc708dcdd1ef9395570cc86d54d4725b7daf56964017f66be3c1
SHA51299160fd02e10429d15232e984781e57e8caf9e86fd07f904b2a6a26d33803186187ebadd87a30b16d52998631ec8ab351f52b43ecaa5da428457c317aa9f0fd3
-
Filesize
3.1MB
MD59360132c2ca6e068f3cfda5f7ec2e8b8
SHA1b45ab5bb6561daecdb36e075ce15f765bf9b5cc0
SHA2563c7480998ade344b74e956f7d3a3f1a989aaf43446163a62f0a8ed34b0c010d0
SHA5124f8eb75b504c89e4b5b3fc7b55f21e8e85269ddb626fcecf2b101ba5fc563fe6e160c31e47444ea17328b2c13bf9a84e6be7b4d671b005c4ac2b6bf77c641002
-
Filesize
3.1MB
MD59360132c2ca6e068f3cfda5f7ec2e8b8
SHA1b45ab5bb6561daecdb36e075ce15f765bf9b5cc0
SHA2563c7480998ade344b74e956f7d3a3f1a989aaf43446163a62f0a8ed34b0c010d0
SHA5124f8eb75b504c89e4b5b3fc7b55f21e8e85269ddb626fcecf2b101ba5fc563fe6e160c31e47444ea17328b2c13bf9a84e6be7b4d671b005c4ac2b6bf77c641002