Overview

overview

7

Static

static

3

blur-installer.exe

windows10-1703-x64

7

blur-installer.exe

windows10-2004-x64

7

blur-installer.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02/02/2024, 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    blur-installer.exe

  • Size

    56.0MB

  • MD5

    cc8d0921084401992c3f84cf6db0a9a5

  • SHA1

    0f85447fa43ba0d77d60e857ed238f046347c4c5

  • SHA256

    adeb24697fb2c829c513f1812aa5645717640599a5aeb964d45ec616e0ebd6b6

  • SHA512

    dc662cfb40416553cad0738fe4c7407f3b04457f47bd766832a694f896e5834956eefe5bacce32022de33bca1a637e85f589479fe38b89b03ef259439753e644

  • SSDEEP

    1572864:njXb31SEpfRrEE1sioTNq9ikYyjgL7c31nppNOnFMQi:njx1J7+ioyikY+gH41nppNlH

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\blur-installer.exe
    "C:\Users\Admin\AppData\Local\Temp\blur-installer.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Users\Admin\AppData\Local\Temp\is-1QTRA.tmp\blur-installer.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-1QTRA.tmp\blur-installer.tmp" /SL5="$7020E,57819947,879104,C:\Users\Admin\AppData\Local\Temp\blur-installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\is-GAQKF.tmp\VC_redist.x86.exe
        "C:\Users\Admin\AppData\Local\Temp\is-GAQKF.tmp\VC_redist.x86.exe" /install /passive /norestart
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4236
        • C:\Windows\Temp\{3D93C64B-BE4D-4F86-8787-24A668E1C871}\.cr\VC_redist.x86.exe
          "C:\Windows\Temp\{3D93C64B-BE4D-4F86-8787-24A668E1C871}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-GAQKF.tmp\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 /install /passive /norestart
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:6096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Programs\blur\lib\vapoursynth\Lib\site-packages\setuptools-58.0.4.dist-info\is-TM545.tmp
    Filesize

    4B

    MD5

    365c9bfeb7d89244f2ce01c1de44cb85

    SHA1

    d7a03141d5d6b1e88b6b59ef08b6681df212c599

    SHA256

    ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

    SHA512

    d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\blur\lib\vapoursynth\Lib\site-packages\wheel\vendored\packaging\is-3ECCM.tmp
    Filesize

    1KB

    MD5

    b0dac8ef6953fb835c7d633e6a427ba7

    SHA1

    f521b39e0501e178412d557ac85d625626b85326

    SHA256

    c79f44850e7b4cc4fe9134722d9576e4766f6061b06ee713a3a88a87f3b4b4cc

    SHA512

    de5d2189075a26dc2e9ba41c1bbf2d4ccd3d5fb475802a0d7a70e311a301c4c4cb619d9f15c6263a420583b4f8bf87fcd589d6f96fe7b1edc367b875d54cfdda

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\blur\lib\vapoursynth\Scripts\is-9IT3G.tmp
    Filesize

    103KB

    MD5

    449919a8dbc0882ab75fbeb012634dd7

    SHA1

    c457948d731f7d414a0f06a75c348d4035b19c86

    SHA256

    f5ddfb8a27580e38c964a5455704a51df94e3796723ba145ed8ac44734110e93

    SHA512

    0d0d94e063d6c49c4e4fc8e1dd933e6a4acca48cd875d274543a134b849f0db2aa5f92826c0dc3f728817b9adf005947ca0f94c878ae139ac9d372518c43fb91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-1QTRA.tmp\blur-installer.tmp
    Filesize

    2.4MB

    MD5

    631a84aa53ac86810c968de7cc3ad668

    SHA1

    5b2668a23901e518d8afe227084d15fb9827a42c

    SHA256

    063f708bb216d19679baf007405c3b928b0ae00ef8a6d0e458ffa1a69403f261

    SHA512

    4d12cc9979d0a9fd83e60e729731eb9faceec12e6822bc2101329983cc5fbefe3b9d49a55d6110a88cdd0243d805bd4ea8d2aa157d7873c1fdef7c70f8540510

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-1QTRA.tmp\blur-installer.tmp
    Filesize

    422KB

    MD5

    8ee366a5cbd12d0ba374d206337c49a7

    SHA1

    c9045aeaffaa0070ecc6851833b01df041ca3065

    SHA256

    2fc8dcb79e7eddfd92136ff2edb8f46b6351077ca30cce70be7b9c055970ddf9

    SHA512

    8dfb6280994887118e7b7ab369a8eec22b9bc3b759c80c58823f0cdd36e74f7ce5ae3baf16879fb583298da69971fe955d9e7c72b1e63352e9f01c58ff630e31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-GAQKF.tmp\VC_redist.x86.exe
    Filesize

    1.2MB

    MD5

    fead96953149186cc5f8cbdc83fb22bd

    SHA1

    316bce9c71a233a272abb29af0e40d1beee349ee

    SHA256

    f30d30b24c31ba87ad822a09b79a74ef3eb9dc7ed8307bb22a4289ef05d0ccbe

    SHA512

    7ea2435c79dd5822fcf0e88e4b020643f35d6763bacd51d01d57bfabc2886af49afbdfac4ab223356f6d6f41febf4acc194ec59526df6ff687923a9847e78b90

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-GAQKF.tmp\VC_redist.x86.exe
    Filesize

    1.1MB

    MD5

    9b757b69017da67662e6a9661018cc46

    SHA1

    df563c37b3abb914b8aefc1784c77758024666d9

    SHA256

    7a3d4bf81cc0232b84029d05fbc90728fa9c4e95c3de784e64ccd013305b3c2f

    SHA512

    6e54abc59c91d0651d05ff9c0b2909aecde1c8ea38679cb404eed5dde8644a3be31fda21f2805799c5e923b3e68e7a5def83e22f0f5f99549e1c1d987c86912c

    Download Submit

  • C:\Windows\Temp\{3D93C64B-BE4D-4F86-8787-24A668E1C871}\.cr\VC_redist.x86.exe
    Filesize

    618KB

    MD5

    1d85081c270ceb9d1ed815cc42cedf28

    SHA1

    1b0c179e4518acd1adc3d61c6f1e7f6b4e2c229b

    SHA256

    5fbac8182425faa2db5db47aae68d01ae52528d5855f2dc6307c7cc4ec530bf7

    SHA512

    ddbfd12db80f6fc76bb6ca19c0f0429b6730a3a8f29e66284a6b0ded3e8ea8e86bffc4c87491bc9242362564ec61eb1d97fe48b3c8cefe82c146e6ee3a21ae4b

    Download Submit

  • C:\Windows\Temp\{3D93C64B-BE4D-4F86-8787-24A668E1C871}\.cr\VC_redist.x86.exe
    Filesize

    632KB

    MD5

    1636039e4940c80acaeb369852f79cef

    SHA1

    7d2b5110d1bf729d7fcd9e42a2b01a58dcc66a69

    SHA256

    d116ecd1f04402430eb8ff5e07357f7ab2a2e0aa12dd6c5156e7f92705568e0e

    SHA512

    3ba5c3225b74594d6121a45f225204e8eb4b80afc60849fe78a933afcc81f8db7221cdcbe5789ade1b3f2d784dc3659c08692f7bd808b85198cb78e601d8da02

    Download Submit

  • C:\Windows\Temp\{66671F19-F58D-4D6A-8A2B-A4E44207B9C6}\.ba\logo.png
    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

    Download Submit

  • C:\Windows\Temp\{66671F19-F58D-4D6A-8A2B-A4E44207B9C6}\.ba\wixstdba.dll
    Filesize

    191KB

    MD5

    eab9caf4277829abdf6223ec1efa0edd

    SHA1

    74862ecf349a9bedd32699f2a7a4e00b4727543d

    SHA256

    a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

    SHA512

    45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

    Download Submit

  • memory/1672-5-0x0000000002720000-0x0000000002721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1672-2413-0x0000000000400000-0x000000000071E000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1672-282-0x0000000000400000-0x000000000071E000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1672-7-0x0000000000400000-0x000000000071E000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1672-2492-0x0000000000400000-0x000000000071E000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1672-2498-0x0000000000400000-0x000000000071E000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4500-0-0x0000000000400000-0x00000000004E4000-memory.dmp

    Filesize

    912KB

    Download

  • memory/4500-6-0x0000000000400000-0x00000000004E4000-memory.dmp

    Filesize

    912KB

    Download

  • memory/4500-2499-0x0000000000400000-0x00000000004E4000-memory.dmp

    Filesize

    912KB

    Download