hxxps://malware-traffic-analysis[.]net/2021/10/05/2021-10-05-MirrorBlast-malware-with-email-and-IOCs[.]zip

Analysis

max time kernel
627s
max time network
454s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://malware-traffic-analysis.net/2021/10/05/2021-10-05-MirrorBlast-malware-with-email-and-IOCs.zip

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2780	arab.exe
3364	rebol-view-278-3-1.exe
3424	rebol-view-278-3-1.exe
4364	rebol-view-278-3-1.exe
1788	arab.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\ProgramData\\Local\\Google\\rebol-view-278-3-1.exe -w -i -s C:\\ProgramData\\Local\\Google\\exemple.rb"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{DEA88988-9EB8-4997-B469-14BBF4540314}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CD2.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e5a692d.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7DAD0B07-2406-4203-AE21-B31650B1B6AE}	msiexec.exe
File created	C:\Windows\Installer\e5a692b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a692b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C3B.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a692f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a692f.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI69F6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a692d.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003f3ccc8c3b3921e10000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003f3ccc8c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003f3ccc8c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3f3ccc8c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003f3ccc8c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1080	msedge.exe
1080	msedge.exe
3892	msedge.exe
3892	msedge.exe
3600	identity_helper.exe
3600	identity_helper.exe
4308	msedge.exe
4308	msedge.exe
3428	msiexec.exe
3428	msiexec.exe
3428	msiexec.exe
3428	msiexec.exe
3428	msiexec.exe
3428	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1488	7zFM.exe
2100	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1488	7zFM.exe
Token: 35	1488	7zFM.exe
Token: SeSecurityPrivilege	1488	7zFM.exe
Token: SeSecurityPrivilege	1488	7zFM.exe
Token: SeSecurityPrivilege	1488	7zFM.exe
Token: SeShutdownPrivilege	1880	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1880	msiexec.exe
Token: SeSecurityPrivilege	3428	msiexec.exe
Token: SeCreateTokenPrivilege	1880	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1880	msiexec.exe
Token: SeLockMemoryPrivilege	1880	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1880	msiexec.exe
Token: SeMachineAccountPrivilege	1880	msiexec.exe
Token: SeTcbPrivilege	1880	msiexec.exe
Token: SeSecurityPrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeLoadDriverPrivilege	1880	msiexec.exe
Token: SeSystemProfilePrivilege	1880	msiexec.exe
Token: SeSystemtimePrivilege	1880	msiexec.exe
Token: SeProfSingleProcessPrivilege	1880	msiexec.exe
Token: SeIncBasePriorityPrivilege	1880	msiexec.exe
Token: SeCreatePagefilePrivilege	1880	msiexec.exe
Token: SeCreatePermanentPrivilege	1880	msiexec.exe
Token: SeBackupPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeShutdownPrivilege	1880	msiexec.exe
Token: SeDebugPrivilege	1880	msiexec.exe
Token: SeAuditPrivilege	1880	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1880	msiexec.exe
Token: SeChangeNotifyPrivilege	1880	msiexec.exe
Token: SeRemoteShutdownPrivilege	1880	msiexec.exe
Token: SeUndockPrivilege	1880	msiexec.exe
Token: SeSyncAgentPrivilege	1880	msiexec.exe
Token: SeEnableDelegationPrivilege	1880	msiexec.exe
Token: SeManageVolumePrivilege	1880	msiexec.exe
Token: SeImpersonatePrivilege	1880	msiexec.exe
Token: SeCreateGlobalPrivilege	1880	msiexec.exe
Token: SeBackupPrivilege	464	vssvc.exe
Token: SeRestorePrivilege	464	vssvc.exe
Token: SeAuditPrivilege	464	vssvc.exe
Token: SeBackupPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeRestorePrivilege	3428	msiexec.exe
Token: SeTakeOwnershipPrivilege	3428	msiexec.exe
Token: SeBackupPrivilege	2584	srtasks.exe
Token: SeRestorePrivilege	2584	srtasks.exe
Token: SeSecurityPrivilege	2584	srtasks.exe
Token: SeTakeOwnershipPrivilege	2584	srtasks.exe
Token: SeBackupPrivilege	2584	srtasks.exe
Token: SeRestorePrivilege	2584	srtasks.exe
Token: SeSecurityPrivilege	2584	srtasks.exe
Token: SeTakeOwnershipPrivilege	2584	srtasks.exe
Token: SeShutdownPrivilege	4876	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4876	msiexec.exe
Token: SeCreateTokenPrivilege	4876	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4876	msiexec.exe
Token: SeLockMemoryPrivilege	4876	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4876	msiexec.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
1488	7zFM.exe
3892	msedge.exe
1488	7zFM.exe
1488	7zFM.exe
1488	7zFM.exe
1880	msiexec.exe
1880	msiexec.exe
4876	msiexec.exe
4876	msiexec.exe
4940	msiexec.exe
4940	msiexec.exe
2600	7zFM.exe
4204	7zFM.exe
2892	7zFM.exe
4196	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe
3892	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
736	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
4388	OpenWith.exe
3272	OpenWith.exe
3272	OpenWith.exe
3272	OpenWith.exe
3272	OpenWith.exe
3272	OpenWith.exe
3272	OpenWith.exe
3272	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 3884	3892	msedge.exe	81
PID 3892 wrote to memory of 3884	3892	msedge.exe	81
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 3516	3892	msedge.exe	82
PID 3892 wrote to memory of 1080	3892	msedge.exe	83
PID 3892 wrote to memory of 1080	3892	msedge.exe	83
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84
PID 3892 wrote to memory of 828	3892	msedge.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://malware-traffic-analysis.net/2021/10/05/2021-10-05-MirrorBlast-malware-with-email-and-IOCs.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa37e46f8,0x7ffaa37e4708,0x7ffaa37e4718
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1756

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\2021-10-05-MirrorBlast-malware-with-email-and-IOCs.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1488

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\filter.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1880

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\ProgramData\001\arab.exe
  "C:\ProgramData\001\arab.exe" C:\ProgramData\001\arab.bin
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
  "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:/ProgramData/Local/Google/exemple.rb
  2⤵
  - Executes dropped EXE
  PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
    3⤵
    PID:1444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:3816
- C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
  "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:/ProgramData/Local/Google/exemple.rb
  2⤵
  - Executes dropped EXE
  PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:4724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\10opd3r_load.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4876

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /f "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\10opd3r_load.msi"
1⤵
PID:436

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\10opd3r_load.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4940

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\uuid"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2600

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\os"
1⤵
- Suspicious use of FindShellTrayWindow
PID:4204

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\name"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2892

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap14452:222:7zEvent10638 -ad -saa -- "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\exemple"
1⤵
PID:1164

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\arch"
1⤵
- Suspicious use of FindShellTrayWindow
PID:4196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3780
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\uuid
  2⤵
  PID:3868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:736
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\os
  2⤵
  PID:1560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4388
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\name
  2⤵
  PID:2228

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3272
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\arch
  2⤵
  PID:880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2100
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\exemple.rb
  2⤵
  PID:228

C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\rebol-view-278-3-1.exe
"C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\rebol-view-278-3-1.exe"
1⤵
- Executes dropped EXE
PID:4364

C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\001\arab.exe
"C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\001\arab.exe"
1⤵
- Executes dropped EXE
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a692c.rbs

Filesize
1KB

MD5
eca4ea8456aa851fc7de8c7c711fe12d

SHA1
6952f34d9b9b1eed7bd5da9c1b89501048c124c2

SHA256
c6137872656f4dde717d3d557621767d3166c3e9ee321c34a74fbad29c6bd09d

SHA512
006f41fc3884a0352458d2017eb2c945c83dc1d580ee0072d56d7842e8304abd3286848c891ac349f68a6a91a3ef3ef632522b448046fd1cace93d261b10b3a9

Download Submit
C:\Config.Msi\e5a692e.rbs

Filesize
3KB

MD5
a7dbd3db5265c500487f87a96ce2e238

SHA1
5dff846c27be9bcdf3332ba5d62748691bab6823

SHA256
40d774262fd01e6fb990803401e8a3a0932de44509e1cbf8cfe523074f6a3f81

SHA512
aec77d8d8569501774d3cc988a68e5ad6a331354283dccf49619e9f9fcd823a18f3092f1f01d4e107d7cd260cbda2f0f71f3a65c0c0982447f14812695c4bea4

Download Submit
C:\Config.Msi\e5a6930.rbs

Filesize
4KB

MD5
f73896202f1af89a491ac53a4367fc5b

SHA1
314576a998d21bdcba1265521cb6b7de0018347c

SHA256
4d2ff2f554738bfdd29d7b60f3b43c94cd4089404cfe39a18c3f34ca2b796f6a

SHA512
cae01f515bf2500722c98622eea9d94bf1672c75ca174fdbc2f8f5da37c6db014f6f5bed91295071e3f81bf37c610ee0cdb7b77e8315241b003a9878a8e4bf95

Download Submit
C:\ProgramData\001\arab.bin

Filesize
261B

MD5
01bd4206c38b1a2cc925c10ea78f3be7

SHA1
fd941083abcd7392f1071f035293cacca02f3b03

SHA256
f6f2874755794840dc06a660603c78d4b4a294099719ff86f9e3c1af3e713172

SHA512
a97f1dd147dc7ce2bd5b38ae5cbb0799b5b53073ba9617c1cf21c1c7f4c3870a5b0c4575c681971c6bd51572f98e91c48ccd910aa7b908fa090d83a7804ee2ec

Download Submit
C:\ProgramData\001\arab.exe

Filesize
288KB

MD5
6c14b77096d4d6bfbe97f93411103e72

SHA1
af1c6129ef6bbc51b31c6cc64799cc6299047a39

SHA256
e95681e20ab19a50abdacd73c7d9eac9cfec7d949a23b8346b84d8f4bc493ca5

SHA512
3f6a5f53ee8c7268e297aafe33b408fb529b4647b5b31155e21b02d85d60799a5ec7eea65365c75bd4151a6e48a2b5d8bfcfe56e967919470388fbb7b1c72924

Download Submit
C:\ProgramData\Local\Google\arch

Filesize
6B

MD5
8a882b4a938846d19520af8484f09012

SHA1
4ba6aa85fc2d9c1f087fd0573ed818af71c4b6fe

SHA256
1009573fa6f897afcc5055f52a2216bfe7fcb308d6cab15922a5b3668df7f34b

SHA512
299aa6f6d42b8be1a827b8a2543b89de4c324a050d3aa34cf74b7550774586aeec60cccf83782c69569a0fb81a171e3ea6de0c56c11ec6f563b1fe1864452543

Download Submit
C:\ProgramData\Local\Google\exemple.rb

Filesize
1002B

MD5
73002084795612b74c26e7c4db0ef48f

SHA1
366337f7f7088f3accd78d6385216dbfaa6af42e

SHA256
8c1eb0ac7b5dbee43746828bfa4ddaaebeb46290d9161674027d80ef99bb243e

SHA512
d0377e3c1353596bbd37f58632d363faafe8fd5df62e5026ef1e76b611a771de7b2f1e42fe283c97637e48417c37eaf1a5dd66b800a914d307cfc695d25dd431

Download Submit
C:\ProgramData\Local\Google\name

Filesize
18B

MD5
aeba54e87efe494502179c0cc16c388e

SHA1
f053768cc6597e32054690a4a7741af9f93033d4

SHA256
a9333fd8057b1f9138ffe7488b969591b6e098d8c22d59b816190de9a5bb6d1f

SHA512
8a42d54addaa9e0d20dda0b3d08e9e4ae93fc8e0274e01949b2c3909d052b6c41cc0523cd671319bcd3afc14bee465cab043343c6b7af4f97e83b42b41cfcb7f

Download Submit
C:\ProgramData\Local\Google\os

Filesize
8B

MD5
83228b44ffe10b0d443969580b022f44

SHA1
1ebe8668b8ce8d9524cc539ab9c6af022e861d60

SHA256
b57eac3cb43c42d7f2cc137b372a9271fe3906444bd9a9ed4b16c20ee3e9e70d

SHA512
cc7c82779ffce41b68bb21a48c9872c27177353eac12d9f0364d98abbefda106af05486cf8a246a6192754d077d19fed46ce4e0018b7eb1ef724b1f15b397660

Download Submit
C:\ProgramData\Local\Google\rebol-view-278-3-1.exe

Filesize
844KB

MD5
aa2f4fd92fe00de85428f39a6e0e9cfd

SHA1
1def65dde53ab24c122da6c76646a36d7d910790

SHA256
215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85

SHA512
952b500e4a291a8bd58810529c1fcc17d969b082d29f00460aba6ada44a30ddc41595f8b0fe71e568ecba803df69985840f10f0a9e478c796c73dc5659ce314e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\04d4347b-d1d3-40c3-9280-4951fe40fd59.tmp

Filesize
6KB

MD5
daa8b0ec604f3667f2731c9cc5d06736

SHA1
d629e3f19861747e394a3e2a430bf58c1d30909b

SHA256
4260941e9dfd8d8df418c0f50eb7e550bd29c09af2e6a50f4fb694882222315a

SHA512
dd6c46dd78c7c6fa5f37e2637442c4471a0a8f2406664448ca82717cd31798e3cbc1e36310345a53757914619cb1acae56e1b1bb2f579f7b8f81aa40c52d2900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06ad427e708881538e4b071ccadbb5b4

SHA1
aae9ca3dc229365b39923af3bfd87e88195f78cb

SHA256
a0935c7d8c24114c22dce6e6afe8b30d6f2a6f675b298ad536cf7bf74b5f354f

SHA512
16d661f75e16e6999eb93c1a06f7705e6509ddb33d5872ad23cd8778bdf1ed9561d7a1d7109531811eb8e088157ab248a0acf483096405a41ac4d118b6b75149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
865823609ea719295ae6308b1f9c5973

SHA1
5aa7cbd5054371a290ca4e7a3d6d131fae9b3e8f

SHA256
5a59d1387ce79d13634e02579c4ed2acd52f3c00adf0e4ab0980ff293c7ae02b

SHA512
284144578d1eceb4100508b921635835d60c99c25839e4307c71bf1a2c306f99a111321336cd1c014797caac8128db0b60f78912394049863f03b13556a9a9f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3ec90766d683a26e917faa3d6c586a9d

SHA1
889b2d87da0ebcf3431985d8f22f12edd9b514e5

SHA256
3436bdb5bd7fc5f0cd73bff32c069a3806a1cff4ebc6a7e57ab8fa61e1f22be6

SHA512
758a2a7ab3c9c105a11e79e6824b4d715a7bd27e6edce5fcf83c7e84358785f89fad25a0dc3e0b685d031d6fa531e7d553a81760524fb1d27a3b8c86fddfd33b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b0b3815f50ea69a4dca25fd0892afa8a

SHA1
e541b853d8dfe1b46317cb04e2814bb5f61ff197

SHA256
2ae9a7ac6779b4c8d6e8e1d6fb20ffc161321c195165ff6449324dc33dc73df3

SHA512
d7a2378d726b360d9ebf4ead05528cd7d392b750e121f518d49d6e3497b81c28bdf00ba36b0e08ed77bbdcf75144736d9f3e30f2b7b3a670a6fefde20b5fef68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5e963d797e8ade790e2c0b70d34b735d

SHA1
23aac6d8770458ad07d224722caef59ee3a19290

SHA256
7d6c0379401336af61849420a0670c8efef96ee96b1492f39d2f362a27fc3b85

SHA512
b64423aeaa391bf99099d267d62bbdac4180ca11639a7e9d0daa48ecc741d393374e684e8a0c455697e41b832a2f3c73d28046ff50fd0f6ef1f10c51a2cc559b

Download Submit
C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\10opd3r_load.msi

Filesize
548KB

MD5
13173913da1f35728d84e78a3de983c9

SHA1
9a1437af2d653fc265472a47edab9f22d49b1941

SHA256
0e6451e1f0eadb89390f4360e2a49a2ffb66e92e8b3ae75400095e75f4dd6abb

SHA512
3627ec46eb5b8cbdfd28015b38de6cd2279ff15be67e1a5d0c58a86fc1c165a39f4dd2d664977f7ce8a4ded9d2d678ce09c6fa3962e1b93f8543049313527a52

Download Submit
C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\name

Filesize
31B

MD5
d711ee9c21d7890b6bcba9084248d5fd

SHA1
f7307e0922726e5cbf8b54ea8a6126f023b8daf9

SHA256
05f0a15c64adae29c13b458d56b225e67c33c81b78c49a792d75ca658d93bb70

SHA512
a1fcf1c5c4253fe9cde575247f12075a33f9dd71b206a6df2caf89707f8b03d266a4d79a1a8c4887cac0da8fe2fc6d8ec8f2f6edf8827bfa203e1ec3502d6396

Download Submit
C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\uuid

Filesize
36B

MD5
ce7313ffeb22da6e1c2b9581b4423e55

SHA1
b74bc267663d7904eaa7d7806464422fb574147f

SHA256
6dafcb567c44079c788e695d9fea6e5dff69a514451ec318e71dd8e795ddede0

SHA512
0a106f356f2b6248c6d5f77235af2d5f64555b8add60f88e85a71c770d564057444a17a67f614b3f90ffb0fd27c97618fc6b97eb417e7dc00c6bf9f1cef89579

Download Submit
C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\filter.msi

Filesize
184KB

MD5
8b6199f5d5465c327c8c30ac9fdfd23a

SHA1
40c894efe07f5e54ffebddd13575eacc9a0968bb

SHA256
ed7709cbbad9e164a45235be5270d6fb3492010ea945728a7d58f65f63434e58

SHA512
169bf6e3b547b4c1a0d94dc1841e1bf86efa0c6f3b3bda55d3259c2465d0f500c3ea8642c283dfd3811ae08a55cc7caf9a4ce30eff1a052ef4bd3cc3c9aac594

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 508999.crdownload

Filesize
2.7MB

MD5
18c79a3915121517737d1d69219f32b1

SHA1
3c2b0454022c13db17170f8ea8043a8435fa69d6

SHA256
032a874bc9250336b2b8734d8981797962b9097ea4348f132add594238e20f10

SHA512
be30aae78c3313851e22d22237889f38bea744967a75ae977bb2d9502f6aa44daf954b046ef90d46800a8fc9196b989e7960645f13a2cd58f75c3d47f4e05641

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
d17575c7e5100a36efad00986bc436b6

SHA1
fe8ea2a254275318ec249c61fe437f99580933ba

SHA256
b70581085944c405614d03da2f36e6e674a95b1dd143331523d92a7f46df6237

SHA512
17b726ef4eefd63d7825a2f71a27ab1d14ca99bfae2c54c3a848ab6196055c5828da53cd633c869581bda39bdedeb73911402f174d5a27a0b81b2a8c4058cc8a

Download Submit
\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{82fb32a8-afd1-461b-b5de-70975861443b}_OnDiskSnapshotProp

Filesize
6KB

MD5
997b8d2d72203a4f1fb39e1832f8c342

SHA1
da7319636973426ad2437d9ebedd8e507e7d7402

SHA256
0e23c8c41e688990c9cfd1095a72b299fbe3b9f84e14f578aae381e33e74c349

SHA512
23e331c1c9751be6ea62b0249398914462c90d794758e29941c4ccf6afd84d38b6c6f3be4e9b5571595980d9d4454383fd05a51975b152bb6b87694767398e64

Download Submit