Analysis

  • max time kernel
    37s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2022 15:53

General

  • Target

    b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe

  • Size

    1.4MB

  • MD5

    9dbbbe699a03f9a5b5fe9d9e820d36c2

  • SHA1

    5015b57d95cfacdd340d36f07076d886c3aa7e7e

  • SHA256

    b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74

  • SHA512

    ed2cf8f02b79366d559dc439d062772d90f30559a680ceacab5fe764b26fc2b89704ee74f4a7a29877c087a69d85f517bb140d3efd7c01384f5750ccb5cc35ae

  • SSDEEP

    24576:D7JIUlsTxVks6Ci9BE/qdBlFE6WmV3T9NlC/ChMJJxFaQ7e3MyCn1GVkXoBv:PJxWAPh3F3JNliwQC83n6kE

Score
10/10

Malware Config

Signatures

  • BLISTER

    BLISTER is a downloader used to deliver other malware families.

  • Detect Blister loader x32 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe
    "C:\Users\Admin\AppData\Local\Temp\b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\system32\Rundll32.exe
      Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll,LaunchColorCpl
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\rundll32.exe
        Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll,LaunchColorCpl
        3⤵
        • Loads dropped DLL
        PID:2012

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll

    Filesize

    1.5MB

    MD5

    6f522c8da98bed1b4726558b7d5a8e81

    SHA1

    19ff3faaa3ae1736f9785443e60a0dad857d9cce

    SHA256

    863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224

    SHA512

    604108542b0d48c67b9f0b9ceaacf511b8455c8212c571b5ee26d47d3e4e1def055d877036ae7148941420bf15c94b1a5ae003731c756303d45338575c8af81d

  • \Users\Admin\AppData\Local\Temp\TempInstall\col.dll

    Filesize

    1.5MB

    MD5

    6f522c8da98bed1b4726558b7d5a8e81

    SHA1

    19ff3faaa3ae1736f9785443e60a0dad857d9cce

    SHA256

    863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224

    SHA512

    604108542b0d48c67b9f0b9ceaacf511b8455c8212c571b5ee26d47d3e4e1def055d877036ae7148941420bf15c94b1a5ae003731c756303d45338575c8af81d

  • \Users\Admin\AppData\Local\Temp\TempInstall\col.dll

    Filesize

    1.5MB

    MD5

    6f522c8da98bed1b4726558b7d5a8e81

    SHA1

    19ff3faaa3ae1736f9785443e60a0dad857d9cce

    SHA256

    863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224

    SHA512

    604108542b0d48c67b9f0b9ceaacf511b8455c8212c571b5ee26d47d3e4e1def055d877036ae7148941420bf15c94b1a5ae003731c756303d45338575c8af81d

  • memory/780-54-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

    Filesize

    8KB

  • memory/2012-58-0x0000000076121000-0x0000000076123000-memory.dmp

    Filesize

    8KB

  • memory/2012-61-0x0000000017170000-0x00000000172FD000-memory.dmp

    Filesize

    1.6MB