blister | f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
154s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2022 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0d6edc64d4af980e7fe0d01dc66380d5f0d1b1d845080a12ec74849880783f.exe
Size

3.6MB
MD5

746232cf955a61dc7690801d4cb885e1
SHA1

d85fc9d92a7315826fdc0ac2b17ae00d08817c54
SHA256

4c0d6edc64d4af980e7fe0d01dc66380d5f0d1b1d845080a12ec74849880783f
SHA512

af621199f0c32dac939ea7df045fc5ae01eceffba26adb24bfe33a3cc65e50f50e54e331b0c137dcca2800b3954d8bbb21fc0db3d7bc5e6c50392ce4c1bef903
SSDEEP

98304:1krXnmDty5b0KA5AaYtDri80EIhdyorHe2zk:1krXmDltJYtNILymHe2zk

Score

10^/10

blister loader

Malware Config

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister

Detect Blister loader x32 6 IoCs

loader

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll	family_blister_x32
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll	family_blister_x32
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll	family_blister_x32
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll	family_blister_x32
behavioral30/memory/3464-140-0x0000000017170000-0x000000001722C000-memory.dmp	family_blister_x32
behavioral30/memory/3432-141-0x0000000017170000-0x0000000017489000-memory.dmp	family_blister_x32

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3464 rundll32.exe
3432 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3464	rundll32.exe
3432	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

4c0d6edc64d4af980e7fe0d01dc66380d5f0d1b1d845080a12ec74849880783f.exeRundll32.exeRundll32.exe

description	pid	process	target process
PID 4864 wrote to memory of 4604	4864	4c0d6edc64d4af980e7fe0d01dc66380d5f0d1b1d845080a12ec74849880783f.exe	Rundll32.exe
PID 4864 wrote to memory of 4604	4864	4c0d6edc64d4af980e7fe0d01dc66380d5f0d1b1d845080a12ec74849880783f.exe	Rundll32.exe
PID 4864 wrote to memory of 2316	4864	4c0d6edc64d4af980e7fe0d01dc66380d5f0d1b1d845080a12ec74849880783f.exe	Rundll32.exe
PID 4864 wrote to memory of 2316	4864	4c0d6edc64d4af980e7fe0d01dc66380d5f0d1b1d845080a12ec74849880783f.exe	Rundll32.exe
PID 4604 wrote to memory of 3464	4604	Rundll32.exe	rundll32.exe
PID 4604 wrote to memory of 3464	4604	Rundll32.exe	rundll32.exe
PID 4604 wrote to memory of 3464	4604	Rundll32.exe	rundll32.exe
PID 2316 wrote to memory of 3432	2316	Rundll32.exe	rundll32.exe
PID 2316 wrote to memory of 3432	2316	Rundll32.exe	rundll32.exe
PID 2316 wrote to memory of 3432	2316	Rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4c0d6edc64d4af980e7fe0d01dc66380d5f0d1b1d845080a12ec74849880783f.exe
"C:\Users\Admin\AppData\Local\Temp\4c0d6edc64d4af980e7fe0d01dc66380d5f0d1b1d845080a12ec74849880783f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SYSTEM32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:3464
- C:\Windows\SYSTEM32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:3432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll

Filesize
750KB

MD5
9603bc109dbf4ca405525aa7bee8e66e

SHA1
837b8b848a7552246174537bbeb01c4cc32764f2

SHA256
21912968bee6cea6929a1a3bf0330e06db3f182c07af79664dbb8a963509f20b

SHA512
e39b0568be9119339c366b11157d41d7795cdaf99bbcb15193395bb3f6f9c3af4404ffd3bc20e28f5e147d576a27c8319e4fa565ed5c43ed56c72d725a9d7fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\Interfacegraphic.dll

Filesize
750KB

MD5
9603bc109dbf4ca405525aa7bee8e66e

SHA1
837b8b848a7552246174537bbeb01c4cc32764f2

SHA256
21912968bee6cea6929a1a3bf0330e06db3f182c07af79664dbb8a963509f20b

SHA512
e39b0568be9119339c366b11157d41d7795cdaf99bbcb15193395bb3f6f9c3af4404ffd3bc20e28f5e147d576a27c8319e4fa565ed5c43ed56c72d725a9d7fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll

Filesize
3.1MB

MD5
1dc30b7016ae9ba51d27624149523d9e

SHA1
912a55a8fa54fa8c87602857c6d080e4e39d326b

SHA256
23fc50b954bd06c256e16c61d1eda028ed00a682b8f6c6aa17a37633a6188582

SHA512
07c50565352e64b1653a7303e5d9fa3ee299fd9259ea80e361e264c1c51f498b024f475bec39106e5c1386f40cc64e843aa07dac01e95055796e9d44f63236e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TemporaryInstall\guiframwork.dll

Filesize
3.1MB

MD5
1dc30b7016ae9ba51d27624149523d9e

SHA1
912a55a8fa54fa8c87602857c6d080e4e39d326b

SHA256
23fc50b954bd06c256e16c61d1eda028ed00a682b8f6c6aa17a37633a6188582

SHA512
07c50565352e64b1653a7303e5d9fa3ee299fd9259ea80e361e264c1c51f498b024f475bec39106e5c1386f40cc64e843aa07dac01e95055796e9d44f63236e1

Download Submit
memory/2316-134-0x0000000000000000-mapping.dmp

Download
memory/3432-137-0x0000000000000000-mapping.dmp

Download
memory/3432-141-0x0000000017170000-0x0000000017489000-memory.dmp

Filesize
3.1MB

Download
memory/3464-136-0x0000000000000000-mapping.dmp

Download
memory/3464-140-0x0000000017170000-0x000000001722C000-memory.dmp

Filesize
752KB

Download
memory/4604-132-0x0000000000000000-mapping.dmp

Download