blister | f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
39s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3117be60ef780dc86581052b5e3f72969bef6471c7218e35beec60d167eb4ea.exe
Size

1.3MB
MD5

dba747247bb951822f83787ecee99cef
SHA1

263594a9735632dbbae539dff8bd413a92bfdf22
SHA256

c3117be60ef780dc86581052b5e3f72969bef6471c7218e35beec60d167eb4ea
SHA512

c51d91765c8de25572cfbb234c706ac9c47885453ee05ecf3eece236bec5d93505e3893beb4bbfeed9dc98dc970c8863d352c01991092d23a0746b0e5817628e
SSDEEP

24576:cy8QxF2jYjw5eT9eD++nO18IUyLdqkFqGp8COdutaiGLpRmi+qGUPg:cwg4l9eD/OzbdFGlqGLdg

Score

10^/10

blister loader

Malware Config

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister

Detect Blister loader x32 4 IoCs

loader

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Colorgaming\holorui.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\Colorgaming\holorui.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\Colorgaming\holorui.dll	family_blister_x32
behavioral21/memory/1976-61-0x0000000017170000-0x0000000017282000-memory.dmp	family_blister_x32

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1976 rundll32.exe
1976 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1976	rundll32.exe
1976	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

c3117be60ef780dc86581052b5e3f72969bef6471c7218e35beec60d167eb4ea.exeRundll32.exe

description	pid	process	target process
PID 1440 wrote to memory of 2020	1440	c3117be60ef780dc86581052b5e3f72969bef6471c7218e35beec60d167eb4ea.exe	Rundll32.exe
PID 1440 wrote to memory of 2020	1440	c3117be60ef780dc86581052b5e3f72969bef6471c7218e35beec60d167eb4ea.exe	Rundll32.exe
PID 1440 wrote to memory of 2020	1440	c3117be60ef780dc86581052b5e3f72969bef6471c7218e35beec60d167eb4ea.exe	Rundll32.exe
PID 2020 wrote to memory of 1976	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1976	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1976	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1976	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1976	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1976	2020	Rundll32.exe	rundll32.exe
PID 2020 wrote to memory of 1976	2020	Rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c3117be60ef780dc86581052b5e3f72969bef6471c7218e35beec60d167eb4ea.exe
"C:\Users\Admin\AppData\Local\Temp\c3117be60ef780dc86581052b5e3f72969bef6471c7218e35beec60d167eb4ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\system32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Colorgaming\holorui.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Colorgaming\holorui.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Colorgaming\holorui.dll

Filesize
1.1MB

MD5
2d2bf57a4e0359b19ca31cc52449c622

SHA1
3d99d8fecbabc16f732999eef599c04380f65c87

SHA256
6c6f808f9b19e1fab1c1b83dc99386f0ceee8593ddfd461ac047eae812df8733

SHA512
79e6444c2118aa9f934d6b3db0c4ff6abf7c232ea625b21a280bb01cb738b316cc255d97839ac1348d7ea87556104507755c05896179f1f551a80d5222cf876c

Download Submit
\Users\Admin\AppData\Local\Temp\Colorgaming\holorui.dll

Filesize
1.1MB

MD5
2d2bf57a4e0359b19ca31cc52449c622

SHA1
3d99d8fecbabc16f732999eef599c04380f65c87

SHA256
6c6f808f9b19e1fab1c1b83dc99386f0ceee8593ddfd461ac047eae812df8733

SHA512
79e6444c2118aa9f934d6b3db0c4ff6abf7c232ea625b21a280bb01cb738b316cc255d97839ac1348d7ea87556104507755c05896179f1f551a80d5222cf876c

Download Submit
\Users\Admin\AppData\Local\Temp\Colorgaming\holorui.dll

Filesize
1.1MB

MD5
2d2bf57a4e0359b19ca31cc52449c622

SHA1
3d99d8fecbabc16f732999eef599c04380f65c87

SHA256
6c6f808f9b19e1fab1c1b83dc99386f0ceee8593ddfd461ac047eae812df8733

SHA512
79e6444c2118aa9f934d6b3db0c4ff6abf7c232ea625b21a280bb01cb738b316cc255d97839ac1348d7ea87556104507755c05896179f1f551a80d5222cf876c

Download Submit
memory/1440-54-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

Filesize
8KB

Download
memory/1976-57-0x0000000000000000-mapping.dmp

Download
memory/1976-58-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1976-61-0x0000000017170000-0x0000000017282000-memory.dmp

Filesize
1.1MB

Download
memory/2020-55-0x0000000000000000-mapping.dmp

Download