Analysis
- max time kernel: 1799s
- max time network: 1783s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 04-10-2021 17:50

Static task: static1
Behavioral task: behavioral1 (Sample: load.msi; Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: load.msi; Resource: win10v20210408)
General
- Target: load.msi
- Size: 548KB
- MD5: 13173913da1f35728d84e78a3de983c9
- SHA1: 9a1437af2d653fc265472a47edab9f22d49b1941
- SHA256: 0e6451e1f0eadb89390f4360e2a49a2ffb66e92e8b3ae75400095e75f4dd6abb
- SHA512: 3627ec46eb5b8cbdfd28015b38de6cd2279ff15be67e1a5d0c58a86fc1c165a39f4dd2d664977f7ce8a4ded9d2d678ce09c6fa3962e1b93f8543049313527a52
Malware Config
Signatures
- suricata: ET MALWARE MirrorBlast CnC Activity M2
- suricata: ET MALWARE MirrorBlast CnC Activity M3
- Executes dropped EXE (1 IoC)
  Processes:
  PID 1040  rebol-view-278-3-1.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: msiexec.exe
  Key created      \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\ProgramData\\Local\\Google\\rebol-view-278-3-1.exe -w -i -s C:\\ProgramData\\Local\\Google\\exemple.rb"
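The Run-key write above is the one persistence artefact in this report: a value named after a legitimate product that actually launches a dropped interpreter with a script argument from ProgramData. The following Python, added here as an example and not part of the sandbox's or the sample's code, parses "Set value" lines in the report's own format and scores them with a few heuristics. The first event is the one recorded on this page; the second, benign-looking control event and the heuristic lists (USER_WRITABLE, SCRIPT_EXT, KNOWN_NAMES) are constructed assumptions.

```python
"""Triage HKCU Run-key persistence events from a sandbox report.

Added example, not code from the sandbox or the sample. The first event
below is the one recorded on this page; the second (a legitimate-looking
Chrome entry) and the heuristics are assumptions for illustration.
"""
import re
import shlex

# Constructed sample events in the shape of the report's
# 'Set value (str) <key>\<name> = "<command>" <process>' lines.
SAMPLE_EVENTS = [
    # Event recorded in this report (backslashes doubled as the sandbox prints them)
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = '
    r'"C:\\ProgramData\\Local\\Google\\rebol-view-278-3-1.exe -w -i -s '
    r'C:\\ProgramData\\Local\\Google\\exemple.rb" msiexec.exe',
    # Constructed control: same value name, genuine Chrome location, no script argument
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = '
    r'""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --no-startup-window" explorer.exe',
]

RUN_EVENT = re.compile(
    r'^Set value \(str\) '
    r'(?P<key>\\REGISTRY\\USER\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)'
    r'\\(?P<name>[^=]+?) = "(?P<cmd>.*)" (?P<proc>\S+)$',
    re.IGNORECASE,
)

# Locations a standard user can write to; vendor autostarts rarely live here, droppers usually do.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# Script-interpreter inputs worth flagging when passed to a Run-key image.
SCRIPT_EXT = (".rb", ".r", ".js", ".vbs", ".ps1", ".py", ".bat", ".cmd")
# Value names that borrow a product's identity, with the image that product really uses.
KNOWN_NAMES = {"google chrome": "chrome.exe"}


def split_command(cmd):
    """Split a Windows command line into (image, args); posix=False keeps backslashes intact."""
    parts = shlex.split(cmd, posix=False)
    return parts[0].strip('"'), parts[1:]


def assess_run_event(line):
    """Return (value_name, image, reasons) for a Run-key 'Set value' line, or None otherwise."""
    m = RUN_EVENT.match(line)
    if not m:
        return None
    cmd = m.group("cmd").replace("\\\\", "\\")  # undo the report's backslash doubling
    image, args = split_command(cmd)
    image_l = image.lower()
    basename = image_l.split("\\")[-1]
    name = m.group("name").strip()
    reasons = []
    if image_l.startswith(USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    expected = KNOWN_NAMES.get(name.lower())
    if expected and basename != expected:
        reasons.append(f"value name impersonates {expected} but runs {basename}")
    if any(a.lower().endswith(SCRIPT_EXT) for a in args):
        reasons.append("interpreter started with a script file argument")
    if m.group("proc").lower() == "msiexec.exe":
        reasons.append("written by msiexec.exe, i.e. installed by an MSI package")
    return name, image, reasons


def triage(lines):
    """Return [(name, image, reasons)] for every Run entry that trips at least one heuristic."""
    findings = []
    for line in lines:
        result = assess_run_event(line)
        if result is not None and result[2]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for name, image, reasons in triage(SAMPLE_EVENTS):
        print(f"[!] Run\\{name} -> {image}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the two events, only the report's entry is flagged, on all four counts; the control entry with the same "Google Chrome" name passes because its image is the real chrome.exe under Program Files and it takes no script argument. The name/image mismatch check is the one that survives a dropper moving to a less obvious directory.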
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe (both instances)
  File opened (read-only)  \??\A:, \??\B:, and \??\E: through \??\Z: (every letter except C: and D:, 24 in all), each opened twice, once per msiexec.exe instance, for 48 events in total
- Drops file in Windows directory (9 IoCs)
  Processes: msiexec.exe, DrvInst.exe
  File opened for modification  C:\Windows\Installer\             msiexec.exe
  File created                  C:\Windows\Installer\2f67e.msi    msiexec.exe
  File opened for modification  C:\Windows\Installer\2f67e.msi    msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIF852.tmp  msiexec.exe
  File created                  C:\Windows\Installer\2f67f.ipi    msiexec.exe
  File opened for modification  C:\Windows\Installer\2f67f.ipi    msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log   DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.ev1       DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.ev3       DrvInst.exe
- Modifies data under HKEY_USERS (43 IoCs)
  Processes: DrvInst.exe
  All paths below are under \REGISTRY\USER\.DEFAULT, the hive a service running as LocalSystem sees as HKCU. With the single exception of the MuiCache value they are empty certificate-store keys that a system component creates the first time it opens those stores, which is what a driver-install host does when it verifies a signature; none of them is written by the dropped executable.
  Set value (data)  SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE multi-string: "en-US", "en")
  Key created       Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Key created       Software\Microsoft\SystemCertificates\My
  Key created       Software\Microsoft\SystemCertificates\{Root, CA, trust, Disallowed, TrustedPeople, SmartCardRoot}  (6 keys)
  Key created       SOFTWARE\Microsoft\SystemCertificates\{Root, CA, trust, Disallowed, TrustedPeople, SmartCardRoot}\{Certificates, CRLs, CTLs}  (18 keys)
  Key created       Software\Policies\Microsoft\SystemCertificates\{CA, trust, Disallowed, TrustedPeople}  (4 keys)
  Key created       SOFTWARE\Policies\Microsoft\SystemCertificates\{CA, trust, Disallowed, TrustedPeople}\{Certificates, CRLs, CTLs}  (12 keys)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  PID 1504  msiexec.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (59 IoCs)
  Processes: msiexec.exe (PID 1080), msiexec.exe (PID 1504), vssvc.exe (PID 788), DrvInst.exe (PID 816)
  PID 1080 msiexec.exe (31 events): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 1504 msiexec.exe (15 events): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege / SeTakeOwnershipPrivilege alternating for five more pairs
  PID 788 vssvc.exe (3 events): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 816 DrvInst.exe (10 events): SeRestorePrivilege (x7), SeLoadDriverPrivilege (x3)
  All of this is privilege handling by the Windows Installer client and service and by the VSS and driver-install components the installation triggers; the dropped rebol-view-278-3-1.exe does not appear in this list, so the signature on its own says nothing about the payload.
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  PID 1080  msiexec.exe (2 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: msiexec.exe, rebol-view-278-3-1.exe, cmd.exe
  PID 1504 msiexec.exe             wrote to memory of PID 1040 rebol-view-278-3-1.exe  (procid_target 31, 4 events)
  PID 1040 rebol-view-278-3-1.exe  wrote to memory of PID 1488 cmd.exe                 (procid_target 32, 4 events)
  PID 1488 cmd.exe                 wrote to memory of PID 1308 cmd.exe                 (procid_target 34, 4 events)
  Each source writes only into its own direct child in the process tree below, which is how process creation appears in this telemetry; nothing here indicates injection into an unrelated process.
Processes
- msiexec.exe (PID 1080)
  Image: C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\load.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- msiexec.exe (PID 1504), the Windows Installer service instance
  Image: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Adds Run key to start application; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - rebol-view-278-3-1.exe (PID 1040)
    Image: C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
    Command line: "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:/ProgramData/Local/Google/exemple.rb
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - cmd.exe (PID 1488)
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
      Signatures: Suspicious use of WriteProcessMemory
      The image resolves to SysWOW64\cmd.exe although the command line names system32: the parent is a 32-bit process, so WOW64 file-system redirection maps system32 to SysWOW64. The three files (name, os, arch) are written to the process's current directory.
      - cmd.exe (PID 1308)
        Image: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ver

- vssvc.exe (PID 788)
  Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken

- DrvInst.exe (PID 816)
  Image: C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "000000000000055C" "00000000000003C0"
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
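The cmd.exe line in the tree above is the payload's host fingerprint: user, OS version and architecture, each dropped into a one-line file. Knowing the exact bytes it produces lets you match the drop files in endpoint telemetry rather than only the command line. The Python below, added here as an example and not code from the report or the sample, re-implements the batch semantics (the for /f tokenizer, cmd's trailing space before a redirect, CRLF line ends) against constructed `ver` banners for the two sandbox images used in this report; the domain, user and architecture values are assumptions.

```python
r"""Emulate the host-fingerprint batch line spawned by rebol-view-278-3-1.exe.

Added example, not code from the report or the sample. It reproduces what
    echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver')
    do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
writes to the three files, using constructed `ver` banners. Domain, user
and architecture values are assumptions.
"""


def for_f_tokens(line, tokens, delims):
    """Emulate cmd.exe 'for /f "tokens=a-b delims=<chars>"' on one line: any delimiter
    character splits, runs of delimiters collapse (no empty tokens), tokens are 1-based."""
    fields, current = [], ""
    for ch in line:
        if ch in delims:
            if current:
                fields.append(current)
                current = ""
        else:
            current += ch
    if current:
        fields.append(current)
    first, last = tokens
    return fields[first - 1:last]


def ver_to_os(ver_output):
    """Apply tokens=4-5 delims=". " to the first non-empty line of `ver` output and join
    the two tokens with '.', exactly as 'echo %i.%j' does."""
    for line in ver_output.splitlines():
        if line.strip():  # for /f skips blank lines, and ver prints one first
            major, minor = for_f_tokens(line, (4, 5), ". ")
            return f"{major}.{minor}"
    raise ValueError("no banner line in ver output")


def fingerprint(userdomain, username, ver_output, arch):
    """Return {filename: text written}. cmd's 'echo X > file' keeps the space before
    the redirection operator and terminates with CRLF, so that is what lands on disk."""
    return {
        "name": f"{userdomain}\\{username} \r\n",
        "os": f"{ver_to_os(ver_output)} \r\n",
        "arch": f"{arch} \r\n",
    }


# Constructed `ver` banners for the two sandbox images used in this report.
VER_WIN7 = "\r\nMicrosoft Windows [Version 6.1.7601]\r\n"
VER_WIN10 = "\r\nMicrosoft Windows [Version 10.0.19041.1237]\r\n"

if __name__ == "__main__":
    # A 32-bit cmd.exe under WOW64 reports PROCESSOR_ARCHITECTURE=x86 even on x64 Windows,
    # which applies here because the child is C:\Windows\SysWOW64\cmd.exe.
    for label, banner in (("win7", VER_WIN7), ("win10", VER_WIN10)):
        files = fingerprint("WIN-SANDBOX", "Admin", banner, "x86")
        print(label, {k: v.encode() for k, v in files.items()})
```

Two details matter for detection rules. First, because the child is the SysWOW64 cmd.exe, %PROCESSOR_ARCHITECTURE% is "x86" on the 64-bit sandbox, so the arch file does not reveal the real platform. Second, each file carries a trailing space before the CRLF ("6.1 \r\n", "x86 \r\n"), so an exact-content match must include it.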
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8a882b4a938846d19520af8484f09012
  SHA1: 4ba6aa85fc2d9c1f087fd0573ed818af71c4b6fe
  SHA256: 1009573fa6f897afcc5055f52a2216bfe7fcb308d6cab15922a5b3668df7f34b
  SHA512: 299aa6f6d42b8be1a827b8a2543b89de4c324a050d3aa34cf74b7550774586aeec60cccf83782c69569a0fb81a171e3ea6de0c56c11ec6f563b1fe1864452543
- MD5: 73002084795612b74c26e7c4db0ef48f
  SHA1: 366337f7f7088f3accd78d6385216dbfaa6af42e
  SHA256: 8c1eb0ac7b5dbee43746828bfa4ddaaebeb46290d9161674027d80ef99bb243e
  SHA512: d0377e3c1353596bbd37f58632d363faafe8fd5df62e5026ef1e76b611a771de7b2f1e42fe283c97637e48417c37eaf1a5dd66b800a914d307cfc695d25dd431
- MD5: 0656072377662dbd302ff90bed7fefba
  SHA1: 140d7b0cf64c79daebb8111a7912b3850cdd166c
  SHA256: 2d08e3f9197a89717e7ce2185d16138f9884e343eb5133dc19caab2629453ca3
  SHA512: 8ae6669deede2aa34c4d140ff895336a3021383bfa0f470110297efc2e9a6961fe676f95519e159080215e9a5b818f86f8b2686309976a910c670afbfa974158
- MD5: d7eeeee910efb9998f6c12c7ab0e8a78
  SHA1: 70e13d2bedbe139361bbbc9e446fd029d2bf4b8b
  SHA256: adb14fb65d546224b96815d48af6823bf74c54aab2707831d539c2c2762403fe
  SHA512: 2e87c25678e5d0c0e3e7a344f03be0819d8a790b1af64877574ff479c9619d80b406b81ac4a1e6f1ff04cbcce1446a19a243867d4d28dae43363a8140a81906d
- MD5: aa2f4fd92fe00de85428f39a6e0e9cfd
  SHA1: 1def65dde53ab24c122da6c76646a36d7d910790
  SHA256: 215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85
  SHA512: 952b500e4a291a8bd58810529c1fcc17d969b082d29f00460aba6ada44a30ddc41595f8b0fe71e568ecba803df69985840f10f0a9e478c796c73dc5659ce314e