blister | f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
144s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2022 15:53

Target

b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe
Size

1.4MB
MD5

9dbbbe699a03f9a5b5fe9d9e820d36c2
SHA1

5015b57d95cfacdd340d36f07076d886c3aa7e7e
SHA256

b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74
SHA512

ed2cf8f02b79366d559dc439d062772d90f30559a680ceacab5fe764b26fc2b89704ee74f4a7a29877c087a69d85f517bb140d3efd7c01384f5750ccb5cc35ae
SSDEEP

24576:D7JIUlsTxVks6Ci9BE/qdBlFE6WmV3T9NlC/ChMJJxFaQ7e3MyCn1GVkXoBv:PJxWAPh3F3JNliwQC83n6kE

Score

10^/10

blister loader

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister

Detect Blister loader x32 3 IoCs

loader

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll	family_blister_x32
C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll	family_blister_x32
behavioral16/memory/4992-136-0x0000000017170000-0x00000000172FD000-memory.dmp	family_blister_x32

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4992 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4992	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exeRundll32.exe

description	pid	process	target process
PID 2608 wrote to memory of 4276	2608	b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe	Rundll32.exe
PID 2608 wrote to memory of 4276	2608	b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe	Rundll32.exe
PID 4276 wrote to memory of 4992	4276	Rundll32.exe	rundll32.exe
PID 4276 wrote to memory of 4992	4276	Rundll32.exe	rundll32.exe
PID 4276 wrote to memory of 4992	4276	Rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe
"C:\Users\Admin\AppData\Local\Temp\b959b003c1e558ff0ccf1d0f96509b155d6f86eb20caa97b470f3422494d8d74.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SYSTEM32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:4992

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll

Filesize
1.5MB

MD5
6f522c8da98bed1b4726558b7d5a8e81

SHA1
19ff3faaa3ae1736f9785443e60a0dad857d9cce

SHA256
863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224

SHA512
604108542b0d48c67b9f0b9ceaacf511b8455c8212c571b5ee26d47d3e4e1def055d877036ae7148941420bf15c94b1a5ae003731c756303d45338575c8af81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempInstall\col.dll

Filesize
1.5MB

MD5
6f522c8da98bed1b4726558b7d5a8e81

SHA1
19ff3faaa3ae1736f9785443e60a0dad857d9cce

SHA256
863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224

SHA512
604108542b0d48c67b9f0b9ceaacf511b8455c8212c571b5ee26d47d3e4e1def055d877036ae7148941420bf15c94b1a5ae003731c756303d45338575c8af81d

Download Submit
memory/4276-132-0x0000000000000000-mapping.dmp

Download
memory/4992-134-0x0000000000000000-mapping.dmp

Download
memory/4992-136-0x0000000017170000-0x00000000172FD000-memory.dmp

Filesize
1.6MB

Download