Analysis

  • max time kernel
    1799s
  • max time network
    1783s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    04-10-2021 17:50

General

  • Target

    load.msi

  • Size

    548KB

  • MD5

    13173913da1f35728d84e78a3de983c9

  • SHA1

    9a1437af2d653fc265472a47edab9f22d49b1941

  • SHA256

    0e6451e1f0eadb89390f4360e2a49a2ffb66e92e8b3ae75400095e75f4dd6abb

  • SHA512

    3627ec46eb5b8cbdfd28015b38de6cd2279ff15be67e1a5d0c58a86fc1c165a39f4dd2d664977f7ce8a4ded9d2d678ce09c6fa3962e1b93f8543049313527a52

Score
10/10

Malware Config

Signatures

  • suricata: ET MALWARE MirrorBlast CnC Activity M2

    suricata: ET MALWARE MirrorBlast CnC Activity M2

  • suricata: ET MALWARE MirrorBlast CnC Activity M3

    suricata: ET MALWARE MirrorBlast CnC Activity M3

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\load.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1080
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
      "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:/ProgramData/Local/Google/exemple.rb
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ver
          4⤵
            PID:1308
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:788
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "000000000000055C" "00000000000003C0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:816

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Local\Google\arch

      MD5

      8a882b4a938846d19520af8484f09012

      SHA1

      4ba6aa85fc2d9c1f087fd0573ed818af71c4b6fe

      SHA256

      1009573fa6f897afcc5055f52a2216bfe7fcb308d6cab15922a5b3668df7f34b

      SHA512

      299aa6f6d42b8be1a827b8a2543b89de4c324a050d3aa34cf74b7550774586aeec60cccf83782c69569a0fb81a171e3ea6de0c56c11ec6f563b1fe1864452543

    • C:\ProgramData\Local\Google\exemple.rb

      MD5

      73002084795612b74c26e7c4db0ef48f

      SHA1

      366337f7f7088f3accd78d6385216dbfaa6af42e

      SHA256

      8c1eb0ac7b5dbee43746828bfa4ddaaebeb46290d9161674027d80ef99bb243e

      SHA512

      d0377e3c1353596bbd37f58632d363faafe8fd5df62e5026ef1e76b611a771de7b2f1e42fe283c97637e48417c37eaf1a5dd66b800a914d307cfc695d25dd431

    • C:\ProgramData\Local\Google\name

      MD5

      0656072377662dbd302ff90bed7fefba

      SHA1

      140d7b0cf64c79daebb8111a7912b3850cdd166c

      SHA256

      2d08e3f9197a89717e7ce2185d16138f9884e343eb5133dc19caab2629453ca3

      SHA512

      8ae6669deede2aa34c4d140ff895336a3021383bfa0f470110297efc2e9a6961fe676f95519e159080215e9a5b818f86f8b2686309976a910c670afbfa974158

    • C:\ProgramData\Local\Google\os

      MD5

      d7eeeee910efb9998f6c12c7ab0e8a78

      SHA1

      70e13d2bedbe139361bbbc9e446fd029d2bf4b8b

      SHA256

      adb14fb65d546224b96815d48af6823bf74c54aab2707831d539c2c2762403fe

      SHA512

      2e87c25678e5d0c0e3e7a344f03be0819d8a790b1af64877574ff479c9619d80b406b81ac4a1e6f1ff04cbcce1446a19a243867d4d28dae43363a8140a81906d

    • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe

      MD5

      aa2f4fd92fe00de85428f39a6e0e9cfd

      SHA1

      1def65dde53ab24c122da6c76646a36d7d910790

      SHA256

      215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85

      SHA512

      952b500e4a291a8bd58810529c1fcc17d969b082d29f00460aba6ada44a30ddc41595f8b0fe71e568ecba803df69985840f10f0a9e478c796c73dc5659ce314e

    • memory/1040-55-0x0000000000000000-mapping.dmp

    • memory/1040-57-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

      Filesize

      8KB

    • memory/1080-53-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

      Filesize

      8KB

    • memory/1308-60-0x0000000000000000-mapping.dmp

    • memory/1488-59-0x0000000000000000-mapping.dmp