Analysis

  • max time kernel
    37s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2022 15:53

General

  • Target

    c9cc4d95ca1197328a743a41b09c2375d54ac97fcdde5e07bda660396710eccd.exe

  • Size

    3.4MB

  • MD5

    61a5cbc68cc4f44373f088b68dc77551

  • SHA1

    a5901558d19fac101d8c11bb7a0a07cb2dd26bb5

  • SHA256

    c9cc4d95ca1197328a743a41b09c2375d54ac97fcdde5e07bda660396710eccd

  • SHA512

    e592e28a6e901030f1d3cba59a6ebe8dc1e6df51c3d3ca7e0344f627dd40e62f99ecf90270ce302962da128942a9aaf952483a52eb7b73b51f28f541bd46b6fc

  • SSDEEP

    98304:UWhQkBPK3tMxUYUZKM7ASJPoJQ8eTY3Tn/jkrmT0:UiQSNOzKM7ASJPX8eTwjkrV

Score
10/10

Malware Config

Signatures

  • BLISTER

    BLISTER is a downloader used to deliver other malware families.

  • Detect Blister loader x32 8 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9cc4d95ca1197328a743a41b09c2375d54ac97fcdde5e07bda660396710eccd.exe
    "C:\Users\Admin\AppData\Local\Temp\c9cc4d95ca1197328a743a41b09c2375d54ac97fcdde5e07bda660396710eccd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\system32\Rundll32.exe
      Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dataperformance\FramworkGUI.dll,LaunchColorCpl
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:996
      • C:\Windows\SysWOW64\rundll32.exe
        Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dataperformance\FramworkGUI.dll,LaunchColorCpl
        3⤵
        • Loads dropped DLL
        PID:1144
    • C:\Windows\system32\Rundll32.exe
      Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dataperformance\Storage.dll,LaunchColorCpl
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\rundll32.exe
        Rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dataperformance\Storage.dll,LaunchColorCpl
        3⤵
        • Loads dropped DLL
        PID:1724

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Dataperformance\FramworkGUI.dll

    Filesize

    3.1MB

    MD5

    3a9cbd39d977b2b95ee9ee3184953762

    SHA1

    eed69851b97ecfe6edf9a66439d76adbfc270d3d

    SHA256

    e7368bc19f746a8eff5a208f1b8ae5b0fe15bf5e9b9c93db3e8be42f87887f30

    SHA512

    0b2e144141e730351c888b0752e6f9c00a5e77328c027c2ddc25d04d2a866139008550775772a4ff0d1cffcacbd9bfefad9d66c62703302187164c3bc3efc516

  • C:\Users\Admin\AppData\Local\Temp\Dataperformance\Storage.dll

    Filesize

    707KB

    MD5

    007236733e6ea31367c9aa59076d2996

    SHA1

    3bebd05627fbae2cc4756d07aed2070744981746

    SHA256

    86b32bcc02284d44a1a124c938257c2e33c04d800ea71991e954b5c661630308

    SHA512

    abb2582e0237e29850c54ab02c47b853f1cc5142804f50aae77a40dc0e3eebf1cb13b0f81cabc8eb6e54193f659c08cb6c072ba91888b4998fe1998a154a6362

  • \Users\Admin\AppData\Local\Temp\Dataperformance\FramworkGUI.dll

    Filesize

    3.1MB

    MD5

    3a9cbd39d977b2b95ee9ee3184953762

    SHA1

    eed69851b97ecfe6edf9a66439d76adbfc270d3d

    SHA256

    e7368bc19f746a8eff5a208f1b8ae5b0fe15bf5e9b9c93db3e8be42f87887f30

    SHA512

    0b2e144141e730351c888b0752e6f9c00a5e77328c027c2ddc25d04d2a866139008550775772a4ff0d1cffcacbd9bfefad9d66c62703302187164c3bc3efc516

  • \Users\Admin\AppData\Local\Temp\Dataperformance\FramworkGUI.dll

    Filesize

    3.1MB

    MD5

    3a9cbd39d977b2b95ee9ee3184953762

    SHA1

    eed69851b97ecfe6edf9a66439d76adbfc270d3d

    SHA256

    e7368bc19f746a8eff5a208f1b8ae5b0fe15bf5e9b9c93db3e8be42f87887f30

    SHA512

    0b2e144141e730351c888b0752e6f9c00a5e77328c027c2ddc25d04d2a866139008550775772a4ff0d1cffcacbd9bfefad9d66c62703302187164c3bc3efc516

  • \Users\Admin\AppData\Local\Temp\Dataperformance\Storage.dll

    Filesize

    707KB

    MD5

    007236733e6ea31367c9aa59076d2996

    SHA1

    3bebd05627fbae2cc4756d07aed2070744981746

    SHA256

    86b32bcc02284d44a1a124c938257c2e33c04d800ea71991e954b5c661630308

    SHA512

    abb2582e0237e29850c54ab02c47b853f1cc5142804f50aae77a40dc0e3eebf1cb13b0f81cabc8eb6e54193f659c08cb6c072ba91888b4998fe1998a154a6362

  • \Users\Admin\AppData\Local\Temp\Dataperformance\Storage.dll

    Filesize

    707KB

    MD5

    007236733e6ea31367c9aa59076d2996

    SHA1

    3bebd05627fbae2cc4756d07aed2070744981746

    SHA256

    86b32bcc02284d44a1a124c938257c2e33c04d800ea71991e954b5c661630308

    SHA512

    abb2582e0237e29850c54ab02c47b853f1cc5142804f50aae77a40dc0e3eebf1cb13b0f81cabc8eb6e54193f659c08cb6c072ba91888b4998fe1998a154a6362

  • memory/996-55-0x0000000000000000-mapping.dmp

  • memory/1144-57-0x0000000000000000-mapping.dmp

  • memory/1144-58-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

    Filesize

    8KB

  • memory/1144-67-0x0000000017170000-0x0000000017489000-memory.dmp

    Filesize

    3.1MB

  • memory/1384-54-0x000007FEFC481000-0x000007FEFC483000-memory.dmp

    Filesize

    8KB

  • memory/1724-63-0x0000000000000000-mapping.dmp

  • memory/1724-68-0x0000000017170000-0x0000000017222000-memory.dmp

    Filesize

    712KB

  • memory/2028-61-0x0000000000000000-mapping.dmp