Overview

overview

10

Static

static

3

60d52e13d4...5f.exe

windows7-x64

10

60d52e13d4...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2023 08:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60d52e13d49f75155b26c170f5a2ec5f.exe

  • Size

    1.5MB

  • MD5

    60d52e13d49f75155b26c170f5a2ec5f

  • SHA1

    cf6a04d46a3408780e413c3d11dbea4c11571883

  • SHA256

    3bc711bf1d32038cdcbbc7ff61228d50e05612cc33a8dcb271d6202f90ae4c6e

  • SHA512

    ceca0427a8305f4f913d5c7dcc2bc11380cbbc7e49ff97e6fd501e82c8ade94e2e67f926f66ef12ef3dd882466a577fdb3d77e9b00a9c96968795cd05d7345e6

  • SSDEEP

    24576:Eg5soYT1zAoaJ2sw5TCVUPCSHmHscNLx07XiNkvV+yhYL0xs5yDxa5/AAp93Ru6:EgboUJwJCV4CSFcNLwyNQkyhYLQL1GH1

Score
10/10
nullmixersmokeloaderpub6aspackv2backdoordropperevasiontrojan

Malware Config

Extracted

Family

nullmixer

C2

http://marisana.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 27 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60d52e13d49f75155b26c170f5a2ec5f.exe
    "C:\Users\Admin\AppData\Local\Temp\60d52e13d49f75155b26c170f5a2ec5f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2516
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c karotima_2.exe
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\7zS4D924B26\karotima_2.exe
      karotima_2.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2188
  • C:\Users\Admin\AppData\Local\Temp\7zS4D924B26\karotima_1.exe
    karotima_1.exe
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies system certificate store
    PID:2408
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c karotima_1.exe
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2676
  • C:\Users\Admin\AppData\Local\Temp\7zS4D924B26\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4D924B26\setup_install.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 368
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    Filesize

    384KB

    MD5

    06d8b69d254e878db9ce252bfe3d88e8

    SHA1

    9ba47feb68386305c785a2cb4f775b97e36d12a6

    SHA256

    a4f895a8f426c031be0f58964965de443a1e657c1705e4f3d86befa4b49ef530

    SHA512

    23a02819ba5dc5ae7b39e5254134c9283b4883e2564716da78bf4c7ef3e7ca27dc6de06d88e7e07118645713b8078040baa85afff06c91a1c975445a117680af

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    Filesize

    893KB

    MD5

    2ecfe8526de4fe74f9278ac325034d78

    SHA1

    dc689ce64d534de59e1a1d66bd80dfc1681dea55

    SHA256

    0f9dd60097ab17107aa5cad985b97fa54ee8b61d73e9df6c1dd5efa142b17401

    SHA512

    339254313340ca33187de877406134f80ea687b5cf05eb64798b7272b9adce05499b337cbb6d620987ba67f9dce6c5cbd62c7f205c9698f62712f58d9d7b6ed0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\setup_installer.exe
    Filesize

    92KB

    MD5

    305c00c540e5c010533765562d65c13e

    SHA1

    aacc016e7852e78e73a26cc19e6aca30b4a1161a

    SHA256

    bf1a789cc4befb3927cf39258e6111b2bbb8720b8e8d811daefdcd6a45500b4a

    SHA512

    b1b86d6d8d62f8f7a9c12902da86ba54a651094360101810f6fb68937531caed8ac09973462cc9f20f0381da1b634049fb6ca0f6c5b74b57fae2c74bece7867a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\setup_installer.exe
    Filesize

    894KB

    MD5

    2ed0cf28097b6695dfc2ccc8312fa92c

    SHA1

    c349ada2744bcf60470224063aaaf4dd7f51a2e8

    SHA256

    e8f2fd4249576b6870eef435764ce9d3d5fdeacc1b434403f49c8370e9b2083e

    SHA512

    875b95d16858d3052ce93a50e2dbf3332d011639c561f0bdc23b2df51fed3bc4f42bebb3cdc0e3b370358d2d30910f0198e35470f42f93fd4ce19563e3f16aa1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\setup_installer.exe
    Filesize

    381KB

    MD5

    5fdfec4aa5837c1fe487c8954748ed5c

    SHA1

    760c823be75f0113793372014dc554b9e55f2eab

    SHA256

    aa34c44bbc261ac32a9f56c1cbc5541ce5d9e2559df0619a89a3dc379a694c87

    SHA512

    ad01895f728335c4abadd1813d10ae1e8abfdfa54048e662736d8c727bac138d11ed8b6d31bea7d6e2a334159de297cbeb40929556ed1df58dd63d538996de1a

    Download Submit

  • memory/1232-107-0x0000000002D80000-0x0000000002D95000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2088-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2088-60-0x0000000064940000-0x0000000064959000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2088-138-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2088-77-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2088-76-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2088-75-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2088-74-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2088-73-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2088-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2088-143-0x000000006FE40000-0x000000006FFC6000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2088-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2088-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2088-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

    Filesize

    572KB

    Download

  • memory/2088-139-0x0000000064940000-0x0000000064959000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2088-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

    Filesize

    572KB

    Download

  • memory/2088-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

    Filesize

    572KB

    Download

  • memory/2088-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

    Filesize

    572KB

    Download

  • memory/2088-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2088-43-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2088-140-0x000000006B280000-0x000000006B2A6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2088-141-0x000000006B440000-0x000000006B4CF000-memory.dmp

    Filesize

    572KB

    Download

  • memory/2088-71-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2088-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2088-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2088-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2088-142-0x000000006EB40000-0x000000006EB63000-memory.dmp

    Filesize

    140KB

    Download

  • memory/2188-90-0x00000000002A0000-0x00000000003A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2188-108-0x0000000000400000-0x00000000008A5000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2188-92-0x00000000001E0000-0x00000000001E9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2188-95-0x0000000000400000-0x00000000008A5000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2516-38-0x00000000030E0000-0x00000000031FE000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2516-39-0x00000000030E0000-0x00000000031FE000-memory.dmp

    Filesize

    1.1MB

    Download