DOWNIISSA - S9021 (eddb863e-fc77-41c1-86e9-5210d6d58b88)

DOWNIISSA is a shellcode downloader that has been used by MirrorFace since at least 2022 to deploy payloads, including the LODEINFO backdoor.(Citation: Kaspersky LODEINFO OCT 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
DOWNIISSA - S9021 (eddb863e-fc77-41c1-86e9-5210d6d58b88)	Malware	Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	1
DOWNIISSA - S9021 (eddb863e-fc77-41c1-86e9-5210d6d58b88)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	1
DOWNIISSA - S9021 (eddb863e-fc77-41c1-86e9-5210d6d58b88)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	1
DOWNIISSA - S9021 (eddb863e-fc77-41c1-86e9-5210d6d58b88)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
DOWNIISSA - S9021 (eddb863e-fc77-41c1-86e9-5210d6d58b88)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
DOWNIISSA - S9021 (eddb863e-fc77-41c1-86e9-5210d6d58b88)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	1
DOWNIISSA - S9021 (eddb863e-fc77-41c1-86e9-5210d6d58b88)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2