blister | f9508e81f1ac31569646fde9e864e25212457ca62ac768e23fbb95c290950e99

Analysis

max time kernel
36s
max time network
55s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca4a22ce761737a04ebdba0fd8063a81642d7d96fea052c8debe9acf7791df20.exe
Size

3.4MB
MD5

dc21a8a77238419f38f09d31ed3440b7
SHA1

2a8f8431db1f03ede2c9b87eb4454b89cb0e9060
SHA256

ca4a22ce761737a04ebdba0fd8063a81642d7d96fea052c8debe9acf7791df20
SHA512

fddf7347f150c1908b252255dbc1a8dd254446747c4eaf7fd88eee3dc2cfdd35054d626b4e4bd7b9f74e2ff7c13d0079f4df04b5c7a8a30d712166fedfca1d7d
SSDEEP

49152:NXIK9iC4wSi+OXS6mOdOsVzPa4DnkcEr3JuRU+TAyPM5Bqe2t4dpPS3AOcD65:CK9d4wb9MO1RPa44cElYThPMs8PSiG

Score

10^/10

blister loader

Malware Config

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister

Detect Blister loader x32 8 IoCs

loader

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dirtempdata\api.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\dirtempdata\api.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\dirtempdata\api.dll	family_blister_x32
C:\Users\Admin\AppData\Local\Temp\dirtempdata\diagnostic.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\dirtempdata\diagnostic.dll	family_blister_x32
\Users\Admin\AppData\Local\Temp\dirtempdata\diagnostic.dll	family_blister_x32
behavioral27/memory/1392-67-0x0000000017170000-0x0000000017483000-memory.dmp	family_blister_x32
behavioral27/memory/828-68-0x0000000017170000-0x0000000017227000-memory.dmp	family_blister_x32

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1392 rundll32.exe
1392 rundll32.exe
828 rundll32.exe
828 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1392	rundll32.exe
1392	rundll32.exe
828	rundll32.exe
828	rundll32.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ca4a22ce761737a04ebdba0fd8063a81642d7d96fea052c8debe9acf7791df20.exeRundll32.exeRundll32.exe

description	pid	process	target process
PID 1532 wrote to memory of 1516	1532	ca4a22ce761737a04ebdba0fd8063a81642d7d96fea052c8debe9acf7791df20.exe	Rundll32.exe
PID 1532 wrote to memory of 1516	1532	ca4a22ce761737a04ebdba0fd8063a81642d7d96fea052c8debe9acf7791df20.exe	Rundll32.exe
PID 1532 wrote to memory of 1516	1532	ca4a22ce761737a04ebdba0fd8063a81642d7d96fea052c8debe9acf7791df20.exe	Rundll32.exe
PID 1516 wrote to memory of 1392	1516	Rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1392	1516	Rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1392	1516	Rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1392	1516	Rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1392	1516	Rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1392	1516	Rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 1392	1516	Rundll32.exe	rundll32.exe
PID 1532 wrote to memory of 468	1532	ca4a22ce761737a04ebdba0fd8063a81642d7d96fea052c8debe9acf7791df20.exe	Rundll32.exe
PID 1532 wrote to memory of 468	1532	ca4a22ce761737a04ebdba0fd8063a81642d7d96fea052c8debe9acf7791df20.exe	Rundll32.exe
PID 1532 wrote to memory of 468	1532	ca4a22ce761737a04ebdba0fd8063a81642d7d96fea052c8debe9acf7791df20.exe	Rundll32.exe
PID 468 wrote to memory of 828	468	Rundll32.exe	rundll32.exe
PID 468 wrote to memory of 828	468	Rundll32.exe	rundll32.exe
PID 468 wrote to memory of 828	468	Rundll32.exe	rundll32.exe
PID 468 wrote to memory of 828	468	Rundll32.exe	rundll32.exe
PID 468 wrote to memory of 828	468	Rundll32.exe	rundll32.exe
PID 468 wrote to memory of 828	468	Rundll32.exe	rundll32.exe
PID 468 wrote to memory of 828	468	Rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ca4a22ce761737a04ebdba0fd8063a81642d7d96fea052c8debe9acf7791df20.exe
"C:\Users\Admin\AppData\Local\Temp\ca4a22ce761737a04ebdba0fd8063a81642d7d96fea052c8debe9acf7791df20.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\system32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\dirtempdata\api.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\dirtempdata\api.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:1392
- C:\Windows\system32\Rundll32.exe
  Rundll32.exe C:\Users\Admin\AppData\Local\Temp\dirtempdata\diagnostic.dll,LaunchColorCpl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Temp\dirtempdata\diagnostic.dll,LaunchColorCpl
    3⤵
    - Loads dropped DLL
    PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dirtempdata\api.dll

Filesize
3.1MB

MD5
cd0eda8961ff27f4b34611bab9a4c301

SHA1
3894f34ccc797c24d4acae71ac95545db0e6aebb

SHA256
fa885e9ea1293552cb45a89e740426fa9c313225ff77ad1980dfea83b6c4a91c

SHA512
c32437fdbae6001659864f17f3694b92184059ab35ffceed77eb79692ef2825fa0b90d8b563e95ab3b6ad206446bc2f0188713cf4e3cdba5daf81be75486e04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dirtempdata\diagnostic.dll

Filesize
720KB

MD5
d36f5530cd564bbe628286ce945ab03f

SHA1
8c656f404de52c1165bc819b5a07653c8efd128d

SHA256
ba3a50930e7a144637faf88a98f2990a27532bfd20a93dc160eb2db4fbc17b58

SHA512
8980b09edb0d68f96c92623da1cac2c3c9e75467bff68263997d43393856ba979cadddddcd6914b7cdb8803df643e85001c1e3aecfc97388175bbb7fbc9cc45c

Download Submit
\Users\Admin\AppData\Local\Temp\dirtempdata\api.dll

Filesize
3.1MB

MD5
cd0eda8961ff27f4b34611bab9a4c301

SHA1
3894f34ccc797c24d4acae71ac95545db0e6aebb

SHA256
fa885e9ea1293552cb45a89e740426fa9c313225ff77ad1980dfea83b6c4a91c

SHA512
c32437fdbae6001659864f17f3694b92184059ab35ffceed77eb79692ef2825fa0b90d8b563e95ab3b6ad206446bc2f0188713cf4e3cdba5daf81be75486e04b

Download Submit
\Users\Admin\AppData\Local\Temp\dirtempdata\api.dll

Filesize
3.1MB

MD5
cd0eda8961ff27f4b34611bab9a4c301

SHA1
3894f34ccc797c24d4acae71ac95545db0e6aebb

SHA256
fa885e9ea1293552cb45a89e740426fa9c313225ff77ad1980dfea83b6c4a91c

SHA512
c32437fdbae6001659864f17f3694b92184059ab35ffceed77eb79692ef2825fa0b90d8b563e95ab3b6ad206446bc2f0188713cf4e3cdba5daf81be75486e04b

Download Submit
\Users\Admin\AppData\Local\Temp\dirtempdata\diagnostic.dll

Filesize
720KB

MD5
d36f5530cd564bbe628286ce945ab03f

SHA1
8c656f404de52c1165bc819b5a07653c8efd128d

SHA256
ba3a50930e7a144637faf88a98f2990a27532bfd20a93dc160eb2db4fbc17b58

SHA512
8980b09edb0d68f96c92623da1cac2c3c9e75467bff68263997d43393856ba979cadddddcd6914b7cdb8803df643e85001c1e3aecfc97388175bbb7fbc9cc45c

Download Submit
\Users\Admin\AppData\Local\Temp\dirtempdata\diagnostic.dll

Filesize
720KB

MD5
d36f5530cd564bbe628286ce945ab03f

SHA1
8c656f404de52c1165bc819b5a07653c8efd128d

SHA256
ba3a50930e7a144637faf88a98f2990a27532bfd20a93dc160eb2db4fbc17b58

SHA512
8980b09edb0d68f96c92623da1cac2c3c9e75467bff68263997d43393856ba979cadddddcd6914b7cdb8803df643e85001c1e3aecfc97388175bbb7fbc9cc45c

Download Submit
memory/468-61-0x0000000000000000-mapping.dmp

Download
memory/828-63-0x0000000000000000-mapping.dmp

Download
memory/828-68-0x0000000017170000-0x0000000017227000-memory.dmp

Filesize
732KB

Download
memory/1392-58-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1392-57-0x0000000000000000-mapping.dmp

Download
memory/1392-67-0x0000000017170000-0x0000000017483000-memory.dmp

Filesize
3.1MB

Download
memory/1516-55-0x0000000000000000-mapping.dmp

Download
memory/1532-54-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

Filesize
8KB

Download