blister | f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
37s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe
Size

1.4MB
MD5

9dbbbe699a03f9a5b5fe9d9e820d36c2
SHA1

5015b57d95cfacdd340d36f07076d886c3aa7e7e
SHA256

b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74
SHA512

ed2cf8f02b79366d559dc439d062772d90f30559a680ceacab5fe764b26fc2b89704ee74f4a7a29877c087a69d85f517bb140d3efd7c01384f5750ccb5cc35ae
SSDEEP

24576:D7JIUlsTxVks6Ci9BE/qdBlFE6WmV3T9NlC/ChMJJxFaQ7e3MyCn1GVkXoBv:PJxWAPh3F3JNliwQC83n6kE

Score

10^/10

blister loader

Malware Config

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister

Detect Blister loader x32 4 IoCs

loader

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\TempInstall\col.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\TempInstall\col.dll	family_blister_x32
behavioral15/memory/2012-61-0x0000000017170000-0x00000000172FD000-memory.dmp	family_blister_x32

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2012 rundll32.exe
2012 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2012	rundll32.exe
2012	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exeRundll32.exe

description	pid	process	target process
PID 780 wrote to memory of 1992	780	b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe	Rundll32.exe
PID 780 wrote to memory of 1992	780	b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe	Rundll32.exe
PID 780 wrote to memory of 1992	780	b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe	Rundll32.exe
PID 1992 wrote to memory of 2012	1992	Rundll32.exe	rundll32.exe
PID 1992 wrote to memory of 2012	1992	Rundll32.exe	rundll32.exe
PID 1992 wrote to memory of 2012	1992	Rundll32.exe	rundll32.exe
PID 1992 wrote to memory of 2012	1992	Rundll32.exe	rundll32.exe
PID 1992 wrote to memory of 2012	1992	Rundll32.exe	rundll32.exe
PID 1992 wrote to memory of 2012	1992	Rundll32.exe	rundll32.exe
PID 1992 wrote to memory of 2012	1992	Rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe
"C:\Users\Admin\AppData\Local\Temp\b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\system32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll

Filesize
1.5MB

MD5
6f522c8da98bed1b4726558b7d5a8e81

SHA1
19ff3faaa3ae1736f9785443e60a0dad857d9cce

SHA256
863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224

SHA512
604108542b0d48c67b9f0b9ceaacf511b8455c8212c571b5ee26d47d3e4e1def055d877036ae7148941420bf15c94b1a5ae003731c756303d45338575c8af81d

Download Submit
\Users\Admin\AppData\Local\Temp\TempInstall\col.dll

Filesize
1.5MB

MD5
6f522c8da98bed1b4726558b7d5a8e81

SHA1
19ff3faaa3ae1736f9785443e60a0dad857d9cce

SHA256
863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224

SHA512
604108542b0d48c67b9f0b9ceaacf511b8455c8212c571b5ee26d47d3e4e1def055d877036ae7148941420bf15c94b1a5ae003731c756303d45338575c8af81d

Download Submit
\Users\Admin\AppData\Local\Temp\TempInstall\col.dll

Filesize
1.5MB

MD5
6f522c8da98bed1b4726558b7d5a8e81

SHA1
19ff3faaa3ae1736f9785443e60a0dad857d9cce

SHA256
863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224

SHA512
604108542b0d48c67b9f0b9ceaacf511b8455c8212c571b5ee26d47d3e4e1def055d877036ae7148941420bf15c94b1a5ae003731c756303d45338575c8af81d

Download Submit
memory/780-54-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/1992-55-0x0000000000000000-mapping.dmp

Download
memory/2012-57-0x0000000000000000-mapping.dmp

Download
memory/2012-58-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/2012-61-0x0000000017170000-0x00000000172FD000-memory.dmp

Filesize
1.6MB

Download