blister | f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
118s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2022 15:53

Target

b91eb833de386ea3d73d2954f0dce9fe38e4bf96594620af6c0935b9ee0d7e81.exe
Size

730KB
MD5

fb22207876c27361a84dd83ebb73ad0b
SHA1

7c9ec0647cf3dafba2e4e2d7f559cae1e92bbf57
SHA256

b91eb833de386ea3d73d2954f0dce9fe38e4bf96594620af6c0935b9ee0d7e81
SHA512

c8301e0e47ee3c3155ed5047328538a1f6a5b9de8c01b63d10efb5bfef16d2aa9b70f69a6c1dd6255b87e7b42c50af3a8a9d671e06d4d567ac8c9e4af8f8d013
SSDEEP

12288:9sOol4XixHibVqWMl2Vm6d5cx4tpE3oDY1bDRwn87cLHQo4zLXBFG0r74YLtlh:9yniZqRud5ptpNiDyn4Z3XX7IOH

Score

10^/10

blister loader

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister

Detect Blister loader x32 3 IoCs

loader

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll	family_blister_x32
C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll	family_blister_x32
behavioral14/memory/2388-136-0x0000000017170000-0x000000001724D000-memory.dmp	family_blister_x32

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2388 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2388	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

b91eb833de386ea3d73d2954f0dce9fe38e4bf96594620af6c0935b9ee0d7e81.exeRundll32.exe

description	pid	process	target process
PID 504 wrote to memory of 1832	504	b91eb833de386ea3d73d2954f0dce9fe38e4bf96594620af6c0935b9ee0d7e81.exe	Rundll32.exe
PID 504 wrote to memory of 1832	504	b91eb833de386ea3d73d2954f0dce9fe38e4bf96594620af6c0935b9ee0d7e81.exe	Rundll32.exe
PID 1832 wrote to memory of 2388	1832	Rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 2388	1832	Rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 2388	1832	Rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b91eb833de386ea3d73d2954f0dce9fe38e4bf96594620af6c0935b9ee0d7e81.exe
"C:\Users\Admin\AppData\Local\Temp\b91eb833de386ea3d73d2954f0dce9fe38e4bf96594620af6c0935b9ee0d7e81.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:504
- C:\Windows\SYSTEM32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:2388

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll

Filesize
871KB

MD5
672780f51dca49d1654c0373eeba74c4

SHA1
90bb4a455e7141af504a66917aa417fcd2b96d6b

SHA256
44e5770751679f178f90ef7bd57e8e4ccfb6051767d8e906708c52184bf27f32

SHA512
bbcd4e0f6c00a113927abd36431f513f569bf75c29b457325b1c0572fac0d1829a1c10bf1842d86ae59339673e1c3a4d2344fb0126dcd27c31f4458eaf8ae697

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll

Filesize
871KB

MD5
672780f51dca49d1654c0373eeba74c4

SHA1
90bb4a455e7141af504a66917aa417fcd2b96d6b

SHA256
44e5770751679f178f90ef7bd57e8e4ccfb6051767d8e906708c52184bf27f32

SHA512
bbcd4e0f6c00a113927abd36431f513f569bf75c29b457325b1c0572fac0d1829a1c10bf1842d86ae59339673e1c3a4d2344fb0126dcd27c31f4458eaf8ae697

Download Submit
memory/1832-132-0x0000000000000000-mapping.dmp

Download
memory/2388-134-0x0000000000000000-mapping.dmp

Download
memory/2388-136-0x0000000017170000-0x000000001724D000-memory.dmp

Filesize
884KB

Download