Overview

overview

10

Static

static

load.msi

windows7_x64

10

load.msi

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    189s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    13-10-2021 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    load.msi

  • Size

    548KB

  • MD5

    dffb3d323708f624dc3469e99c3adcb3

  • SHA1

    043620bdea4fd9d48673db8081ffbd9f25d1d8ac

  • SHA256

    eceb164a69e8f79bb08099fcdf2b75071c527b0107daebc0e7a88e246b4c7f13

  • SHA512

    a30b70e5bb259410606d5e123e17b8502423912ecedf6d6ebad6b180a372c58f36231f0c85b610ad89e5328b1e63e257be932d4d3fea8971853516e31f531f84

Score
10/10
persistencesuricata

Malware Config

Signatures

  • suricata: ET MALWARE MirrorBlast CnC Activity M2

    suricata: ET MALWARE MirrorBlast CnC Activity M2

    suricata
  • suricata: ET MALWARE MirrorBlast CnC Activity M3

    suricata: ET MALWARE MirrorBlast CnC Activity M3

    suricata
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Modifies data under HKEY_USERS 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\load.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1936
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
      "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:\ProgramData\Local\Google\exemple.rb
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:288
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ver
          4⤵
            PID:1548
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005C0" "00000000000005BC"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:800

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Local\Google\arch
      MD5

      8a882b4a938846d19520af8484f09012

      SHA1

      4ba6aa85fc2d9c1f087fd0573ed818af71c4b6fe

      SHA256

      1009573fa6f897afcc5055f52a2216bfe7fcb308d6cab15922a5b3668df7f34b

      SHA512

      299aa6f6d42b8be1a827b8a2543b89de4c324a050d3aa34cf74b7550774586aeec60cccf83782c69569a0fb81a171e3ea6de0c56c11ec6f563b1fe1864452543

      Download Submit
    • C:\ProgramData\Local\Google\exemple.rb
      MD5

      ff4a24c83564f1a01d5a815eaa8a2bf9

      SHA1

      2e713f9fc72db1ed0cd5088172c3b24906e8be13

      SHA256

      9c109c41d497cbe752edf56c1ac0e1ffb06357160b12100cc84eb2d4ddcb7b13

      SHA512

      e628d20c9bc728709d0f46557e5fd017e4594dcbd680486acd6ed1e1721a8692644f2cf0f323b30e74d03230b8320d2f6e1b0f5fd073192e1a28aa7e8ac2c7e1

      Download Submit
    • C:\ProgramData\Local\Google\name
      MD5

      0a6d8f9a1321afcc7f86f9f9e81144d9

      SHA1

      7acc822047556dcb813f53d5e5fc5066bc29f104

      SHA256

      edc9ff56b2b61627fbec33c2a0704a825ac423e5f241c0bbdc11131da5ebe7bb

      SHA512

      f47923f35b31cc295d17484ff862508a22082270967dc5ec141027dd69093b8e77ad99b7a435e4aa1ca7dad7c4c73dbb7800f7d51601c8f0d5e4106830e49ead

      Download Submit
    • C:\ProgramData\Local\Google\os
      MD5

      d7eeeee910efb9998f6c12c7ab0e8a78

      SHA1

      70e13d2bedbe139361bbbc9e446fd029d2bf4b8b

      SHA256

      adb14fb65d546224b96815d48af6823bf74c54aab2707831d539c2c2762403fe

      SHA512

      2e87c25678e5d0c0e3e7a344f03be0819d8a790b1af64877574ff479c9619d80b406b81ac4a1e6f1ff04cbcce1446a19a243867d4d28dae43363a8140a81906d

      Download Submit
    • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
      MD5

      aa2f4fd92fe00de85428f39a6e0e9cfd

      SHA1

      1def65dde53ab24c122da6c76646a36d7d910790

      SHA256

      215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85

      SHA512

      952b500e4a291a8bd58810529c1fcc17d969b082d29f00460aba6ada44a30ddc41595f8b0fe71e568ecba803df69985840f10f0a9e478c796c73dc5659ce314e

      Download Submit
    • memory/288-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1548-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1588-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1588-64-0x0000000075201000-0x0000000075203000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1936-60-0x000007FEFBC41000-0x000007FEFBC43000-memory.dmp
      Filesize

      8KB

      Download