Analysis

  • max time kernel
    46s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-09-2022 15:50

General

  • Target

    4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5.exe

  • Size

    710KB

  • MD5

    97784e623f9efc0ca6533245fc0fcf70

  • SHA1

    8ced24f78ffe0a40d4f098e6cf409270795e3194

  • SHA256

    4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5

  • SHA512

    20bc90e883737298925e2d34c24ed6072b11867764ce13f0bc616572a7a7247b2c27a02c17fb48d421120637c9ff10527bb4b65a0c82cffb7836be8392bbcb05

  • SSDEEP

    12288:LsOol4XilY6i8PtMDx5c2cC2LLEHdXPOwzXlEr3Ou0AIy1QD+vnxfbNr+5C4/qeE:Ly3f91MDx5mTwfOwz2reuV91QWxm9/9O

Score
10/10

Malware Config

Signatures

  • BLISTER

    BLISTER is a downloader used to deliver other malware families.

  • Detect Blister loader x32 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5.exe
    "C:\Users\Admin\AppData\Local\Temp\4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Windows\system32\Rundll32.exe
      Rundll32.exe C:\Users\Admin\AppData\Local\Temp\guirtsframworks\Pasade.dll,LaunchColorCpl
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\SysWOW64\rundll32.exe
        Rundll32.exe C:\Users\Admin\AppData\Local\Temp\guirtsframworks\Pasade.dll,LaunchColorCpl
        3⤵
        • Loads dropped DLL
        PID:1272
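
The process chain above is the pattern worth hunting for: the sample in %TEMP% starts the 64-bit C:\Windows\system32\Rundll32.exe on Pasade.dll,LaunchColorCpl, and that process re-launches C:\Windows\SysWOW64\rundll32.exe with the identical command line. This is standard rundll32 behaviour when the DLL turns out to be 32-bit on an x64 host, and it is consistent with the "Detect Blister loader x32" signature. The following is an added example and not part of the sandbox report or of any BLISTER analysis tooling: it runs a small rule set over constructed process-creation events modelled on the PIDs, images and command lines shown in this report. The event field names (pid, ppid, image, cmdline), the list of user-writable directories, the benign control event and the parent PID 600 for the top-level processes are assumptions.

```python
"""Hunt for rundll32 loading a DLL from a user-writable path and for the
64-bit -> 32-bit rundll32 relaunch seen in the report above.
Added example; not the sandbox's own detection logic."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events modelled on the Processes section.
# Field names are an assumption (they mirror Sysmon ProcessCreate fields).
# PID 600 is an assumed parent (e.g. explorer.exe) for the top-level processes.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5.exe"
LOADER_CMD = r"Rundll32.exe C:\Users\Admin\AppData\Local\Temp\guirtsframworks\Pasade.dll,LaunchColorCpl"
EVENTS: List[Dict] = [
    {"pid": 1428, "ppid": 600, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 900, "ppid": 1428, "image": r"C:\Windows\system32\Rundll32.exe", "cmdline": LOADER_CMD},
    {"pid": 1272, "ppid": 900, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": LOADER_CMD},
    # Benign control (constructed): rundll32 invoking a system DLL by bare name.
    {"pid": 2000, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 syntax: rundll32[.exe] <dll>,<export or #ordinal>
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>[#\w]+)', re.I)

# Directories a standard user can write to; assumed list, extend for your estate.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in USER_WRITABLE)


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def is_wow64_rundll32(image: str) -> bool:
    return image.lower().endswith("\\syswow64\\rundll32.exe")


def hunt(events: List[Dict]) -> List[Dict]:
    """Flag rundll32 events with one or more suspicious traits."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not is_rundll32(e["image"]):
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        dll, export = parsed
        reasons = []
        if in_user_writable(dll):
            reasons.append("dll loaded from user-writable path")
        parent = by_pid.get(e["ppid"])
        if parent is not None:
            if in_user_writable(parent["image"]):
                reasons.append("parent runs from user-writable path")
            # 64-bit rundll32 hands a 32-bit DLL to SysWOW64\rundll32.exe with
            # the same command line; benign for some software, but combined with
            # a DLL in %TEMP% it matches the chain in this report.
            if (is_rundll32(parent["image"]) and is_wow64_rundll32(e["image"])
                    and parse_rundll32(parent["cmdline"]) == parsed):
                reasons.append("64-bit rundll32 re-launched 32-bit rundll32 for same DLL")
        if reasons:
            findings.append({"pid": e["pid"], "ppid": e["ppid"], "dll": dll,
                             "export": export, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"PID {f['pid']} (parent {f['ppid']}): {f['dll']},{f['export']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against real telemetry, the DLL-path and parent-path checks are the high-signal ones; the WoW64 relaunch on its own is normal for any 32-bit DLL and should only raise the score of an event that already has another reason.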

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\guirtsframworks\Pasade.dll

    Filesize

    847KB

    MD5

    3c06be1ef63f32b72d5fb850ff2e1fd9

    SHA1

    b5c5b1bb2b47c6ed4ecbfaaa29eaea4a6c4b82a5

    SHA256

    f5104d0ead2f178711b1e23db3c16846de7d1a3ac04dbe09bacebb847775d76d

    SHA512

    45cad5db5b4eb3d0d1674e12be8c99733e335b990b3cef07e6b532f292e984bd87bc75a59b4d595732249031942e59a06b58d635cbd0a337a8913f5054edde2d

  • memory/900-55-0x0000000000000000-mapping.dmp

  • memory/1272-57-0x0000000000000000-mapping.dmp

  • memory/1272-58-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

    Filesize

    8KB

  • memory/1272-61-0x0000000017170000-0x0000000017245000-memory.dmp

    Filesize

    852KB

  • memory/1428-54-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

    Filesize

    8KB