b11fa6b0699d9f9c43be01194e6383348ee504f78863454d26e048fe61397518

Analysis

max time kernel
143s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MirClient.exe
Size

1.8MB
MD5

a48d7e53c577120e91d66a08d143b201
SHA1

ff6094aaa48380621e641e2a20d9eccaae01d507
SHA256

471e91720740b733284ee8448d682656934793f46085075d26919df32c06ed95
SHA512

ab4baca83152ee90158a2feb397cc860da20af9e867cec2540a2c9631e5f82a2dafb3d24d6bec33b9705a51fbe532f665b22dcb0fde75f580e2fdf975613fba9
SSDEEP

24576:jnY6PFW0+3cjyaiB6F/BB+Jj96Lz8Ol3TOpm9ieeIAQBlqBzqMEFNs8q6IFy9pMP:jVimpgnTOimf7D0zuFNskpMP

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	MirClient.exe
File opened (read-only)	\??\R:	MirClient.exe
File opened (read-only)	\??\S:	MirClient.exe
File opened (read-only)	\??\Y:	MirClient.exe
File opened (read-only)	\??\Z:	MirClient.exe
File opened (read-only)	\??\E:	MirClient.exe
File opened (read-only)	\??\I:	MirClient.exe
File opened (read-only)	\??\N:	MirClient.exe
File opened (read-only)	\??\O:	MirClient.exe
File opened (read-only)	\??\P:	MirClient.exe
File opened (read-only)	\??\A:	MirClient.exe
File opened (read-only)	\??\G:	MirClient.exe
File opened (read-only)	\??\L:	MirClient.exe
File opened (read-only)	\??\T:	MirClient.exe
File opened (read-only)	\??\U:	MirClient.exe
File opened (read-only)	\??\W:	MirClient.exe
File opened (read-only)	\??\X:	MirClient.exe
File opened (read-only)	\??\B:	MirClient.exe
File opened (read-only)	\??\H:	MirClient.exe
File opened (read-only)	\??\J:	MirClient.exe
File opened (read-only)	\??\K:	MirClient.exe
File opened (read-only)	\??\M:	MirClient.exe
File opened (read-only)	\??\V:	MirClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe
2572	MirClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2572	MirClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2572	MirClient.exe

C:\Users\Admin\AppData\Local\Temp\MirClient.exe
"C:\Users\Admin\AppData\Local\Temp\MirClient.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2572-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2572-2-0x0000000003FD0000-0x00000000041ED000-memory.dmp

Filesize
2.1MB

Download
memory/2572-3-0x0000000003FD0000-0x00000000041ED000-memory.dmp

Filesize
2.1MB

Download
memory/2572-6-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2572-7-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-8-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2572-9-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-10-0x0000000003FD0000-0x00000000041ED000-memory.dmp

Filesize
2.1MB

Download
memory/2572-11-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2572-12-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-13-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-14-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-16-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-17-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-18-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-19-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-20-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-21-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-22-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-23-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-24-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download