c21483485569acee77d71b019ed48ba151fa6bdc9c90f2e3f30ffbb5092c7fb2

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mirage 1.16 v0.2/DIM-1/data/capabilities.gz
Size

47B
MD5

0a358a239cff670b93b4db36aee855ef
SHA1

c27c74a24322339a534f003c05c73d0eec9518be
SHA256

2b818c4a2100a78c92ba11192142d1d5076af04d13010f16f4d18c8026c80f6b
SHA512

312eb14af1398bebce6037c399e86e04b15306be21997171d1bf0497f661e890ac1d1473e40e1eebe71600ea3d9213e901acdf566ecb28c6f74d58522cd98c52

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1620	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1620	AcroRd32.exe
1620	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2620	2392	cmd.exe	29
PID 2392 wrote to memory of 2620	2392	cmd.exe	29
PID 2392 wrote to memory of 2620	2392	cmd.exe	29
PID 2620 wrote to memory of 1904	2620	rundll32.exe	30
PID 2620 wrote to memory of 1904	2620	rundll32.exe	30
PID 2620 wrote to memory of 1904	2620	rundll32.exe	30
PID 1904 wrote to memory of 1620	1904	rundll32.exe	32
PID 1904 wrote to memory of 1620	1904	rundll32.exe	32
PID 1904 wrote to memory of 1620	1904	rundll32.exe	32
PID 1904 wrote to memory of 1620	1904	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Mirage 1.16 v0.2\DIM-1\data\capabilities.gz"
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Mirage 1.16 v0.2\DIM-1\data\capabilities.gz
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Mirage 1.16 v0.2\DIM-1\data\capabilities.gz
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mirage 1.16 v0.2\DIM-1\data\capabilities.gz"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
acfc584de3330f403bf9710e3b21b294

SHA1
7468db13077bc903785b96120d613c0960588e7f

SHA256
55c580f14783628fd5b0e22a3b6c6aadc340a5abe8dcb6c4aee381d2a05d7037

SHA512
99c63a9e1f1068bd08328214de2058275f68a9ae4e591759d438c6f4c1789bc6d77acf3f66118093da31079acefb32a49e13df71fe225e3778e69c3f9ab9a9f7

Download Submit