blister | f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
138s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2022 15:53

Target

c0f1ebcca8a8094853aa65210ddde80f6a9ffe7b3f2d75d5652b166722b3aa4a.exe
Size

695KB
MD5

1fc7bfc48c95c47e06b59d795b6df6ca
SHA1

2f2b5234734ecdc341572ab0cd0aa2c7df30a6da
SHA256

c0f1ebcca8a8094853aa65210ddde80f6a9ffe7b3f2d75d5652b166722b3aa4a
SHA512

9c70a20d66f74c4bb1c6837027b3bd3809bca7404c0d8899c90169f3da45e6a5265a9e0b4b11001a83f641f8118fd8412f64e7859cf281db813802b08e9c6ee3
SSDEEP

12288:9sOol4XixHXc8cR8oxB5cD4w4k+WE97am7hA1RE1TcZVM7giqV2Ez38/CFtJlH/:9ynXHc9753w4ktSBA61ToM7giqhA/cH/

Score

10^/10

blister loader

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister

Detect Blister loader x32 3 IoCs

loader

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll	family_blister_x32
C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll	family_blister_x32
behavioral20/memory/4432-136-0x0000000017170000-0x0000000017244000-memory.dmp	family_blister_x32

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4432 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4432	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

c0f1ebcca8a8094853aa65210ddde80f6a9ffe7b3f2d75d5652b166722b3aa4a.exeRundll32.exe

description	pid	process	target process
PID 4580 wrote to memory of 3864	4580	c0f1ebcca8a8094853aa65210ddde80f6a9ffe7b3f2d75d5652b166722b3aa4a.exe	Rundll32.exe
PID 4580 wrote to memory of 3864	4580	c0f1ebcca8a8094853aa65210ddde80f6a9ffe7b3f2d75d5652b166722b3aa4a.exe	Rundll32.exe
PID 3864 wrote to memory of 4432	3864	Rundll32.exe	rundll32.exe
PID 3864 wrote to memory of 4432	3864	Rundll32.exe	rundll32.exe
PID 3864 wrote to memory of 4432	3864	Rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c0f1ebcca8a8094853aa65210ddde80f6a9ffe7b3f2d75d5652b166722b3aa4a.exe
"C:\Users\Admin\AppData\Local\Temp\c0f1ebcca8a8094853aa65210ddde80f6a9ffe7b3f2d75d5652b166722b3aa4a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SYSTEM32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:4432

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll

Filesize
836KB

MD5
c7428d3dcbefd49f0f060d6771f17a5b

SHA1
b21b0b2cc73331d61e984a0ad28dbe5588cba361

SHA256
a34821b50aadee0dd85c382c43f44dae1e5fef0febf2f7aed6abf3f3e21f7994

SHA512
a011d0f52774525ff97420ecd1f13147a7e73040ee8f571025b57f6168521752e657f2f72496a2ee781a50905677cccfe4316232570367dec1b63c5feaa16c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helper.CC\Helper.CC.dll

Filesize
836KB

MD5
c7428d3dcbefd49f0f060d6771f17a5b

SHA1
b21b0b2cc73331d61e984a0ad28dbe5588cba361

SHA256
a34821b50aadee0dd85c382c43f44dae1e5fef0febf2f7aed6abf3f3e21f7994

SHA512
a011d0f52774525ff97420ecd1f13147a7e73040ee8f571025b57f6168521752e657f2f72496a2ee781a50905677cccfe4316232570367dec1b63c5feaa16c59

Download Submit
memory/3864-132-0x0000000000000000-mapping.dmp

Download
memory/4432-134-0x0000000000000000-mapping.dmp

Download
memory/4432-136-0x0000000017170000-0x0000000017244000-memory.dmp

Filesize
848KB

Download