nullmixer | 72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89

General

Target

5d2d3d4eae63a13afbd30c96b70a56cf.exe
Size

1.5MB
MD5

5d2d3d4eae63a13afbd30c96b70a56cf
SHA1

bdce10de18c09ebb6b388eeef3c11c43e9e8d39c
SHA256

72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89
SHA512

5c46660a3572d435161942f548f7f321d8369fe858563b45fb7d93bfd4ebdd98f5bc01093f47dd7de0d55f9a6b4c85e15bb0c2930ef220a2dfdd9599c32f61d3
SSDEEP

24576:Eg5ngsT7c6L5PDh+TwMShDHActO6s5E7GPW7lm2q/k0VRjEK2E:EgBv/9L5rhXvMIO6s5axw2qM0/jE1E

Score

10^/10

nullmixer smokeloader pub6 backdoor dropper trojan

Malware Config

Extracted

Family

nullmixer

C2

http://wxkeww.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 1 IoCs

pid	Process
2188	setup_installer.exe

Loads dropped DLL 4 IoCs

pid	Process
2056	5d2d3d4eae63a13afbd30c96b70a56cf.exe
2188	setup_installer.exe
2188	setup_installer.exe
2188	setup_installer.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io
11	api.db-ip.com
12	api.db-ip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	2704	WerFault.exe	34

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2188	2056	5d2d3d4eae63a13afbd30c96b70a56cf.exe	28
PID 2056 wrote to memory of 2188	2056	5d2d3d4eae63a13afbd30c96b70a56cf.exe	28
PID 2056 wrote to memory of 2188	2056	5d2d3d4eae63a13afbd30c96b70a56cf.exe	28
PID 2056 wrote to memory of 2188	2056	5d2d3d4eae63a13afbd30c96b70a56cf.exe	28
PID 2056 wrote to memory of 2188	2056	5d2d3d4eae63a13afbd30c96b70a56cf.exe	28
PID 2056 wrote to memory of 2188	2056	5d2d3d4eae63a13afbd30c96b70a56cf.exe	28
PID 2056 wrote to memory of 2188	2056	5d2d3d4eae63a13afbd30c96b70a56cf.exe	28

C:\Users\Admin\AppData\Local\Temp\5d2d3d4eae63a13afbd30c96b70a56cf.exe
"C:\Users\Admin\AppData\Local\Temp\5d2d3d4eae63a13afbd30c96b70a56cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\7zSC888E016\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC888E016\setup_install.exe"
    3⤵
    PID:2704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 372
      4⤵
      Program crash
      PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c karotima_1.exe
1⤵
PID:1724
- C:\Users\Admin\AppData\Local\Temp\7zSC888E016\karotima_1.exe
  karotima_1.exe
  2⤵
  PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c karotima_2.exe
1⤵
PID:1892
- C:\Users\Admin\AppData\Local\Temp\7zSC888E016\karotima_2.exe
  karotima_2.exe
  2⤵
  PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
94KB

MD5
5216b511f5e74d0c481a23dde6afec5a

SHA1
4e433d1acdf0840aead082139003f016a0a0000f

SHA256
972a812b93429b27a5b5ce2c3dca670215e516b979db66cd4581719b368b9f4d

SHA512
05e9aac243871205cffe01e8a6abfa66c4927480bb3c98f2e8c5f7d2c23240fff770dcec2d262de425031f321ce220128022488f3183ad5c98ce03ef3486950e

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
92KB

MD5
305c00c540e5c010533765562d65c13e

SHA1
aacc016e7852e78e73a26cc19e6aca30b4a1161a

SHA256
bf1a789cc4befb3927cf39258e6111b2bbb8720b8e8d811daefdcd6a45500b4a

SHA512
b1b86d6d8d62f8f7a9c12902da86ba54a651094360101810f6fb68937531caed8ac09973462cc9f20f0381da1b634049fb6ca0f6c5b74b57fae2c74bece7867a

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
381KB

MD5
97d07e3524a2b69158581cf3434b607a

SHA1
c624cbc70b1a83c6db1ee26e673f55806931eea6

SHA256
596e055c7cdc5e845f6e277ebcc44ec2f5c2f85a9b4ea7d047156fbce36e10a0

SHA512
d7ed2ed416d2862a11e9ff55fa00f6564ff656b3ec8efd4a7197ef0c85d78a98e90e535447bbc79dbd9987283f0bb749cbcf30c51a8dd600d55127175a6aa4bc

Download Submit
memory/1256-134-0x0000000002BB0000-0x0000000002BC5000-memory.dmp

Filesize
84KB

Download
memory/1996-91-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1996-135-0x0000000000400000-0x0000000002B7D000-memory.dmp

Filesize
39.5MB

Download
memory/1996-138-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1996-95-0x0000000000400000-0x0000000002B7D000-memory.dmp

Filesize
39.5MB

Download
memory/1996-90-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

Filesize
1024KB

Download
memory/2188-31-0x0000000002610000-0x000000000272E000-memory.dmp

Filesize
1.1MB

Download
memory/2188-38-0x0000000002610000-0x000000000272E000-memory.dmp

Filesize
1.1MB

Download
memory/2704-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2704-77-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2704-75-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2704-74-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2704-73-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2704-72-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2704-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2704-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2704-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2704-62-0x0000000000A40000-0x0000000000B5E000-memory.dmp

Filesize
1.1MB

Download
memory/2704-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2704-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2704-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2704-76-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2704-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2704-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2704-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2704-59-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2704-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2704-45-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2704-143-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2704-144-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2704-142-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2704-141-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2704-140-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2704-139-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads