nullmixer | 3bc711bf1d32038cdcbbc7ff61228d50e05612cc33a8dcb271d6202f90ae4c6e

Analysis

max time kernel
3s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60d52e13d49f75155b26c170f5a2ec5f.exe
Size

1.5MB
MD5

60d52e13d49f75155b26c170f5a2ec5f
SHA1

cf6a04d46a3408780e413c3d11dbea4c11571883
SHA256

3bc711bf1d32038cdcbbc7ff61228d50e05612cc33a8dcb271d6202f90ae4c6e
SHA512

ceca0427a8305f4f913d5c7dcc2bc11380cbbc7e49ff97e6fd501e82c8ade94e2e67f926f66ef12ef3dd882466a577fdb3d77e9b00a9c96968795cd05d7345e6
SSDEEP

24576:Eg5soYT1zAoaJ2sw5TCVUPCSHmHscNLx07XiNkvV+yhYL0xs5yDxa5/AAp93Ru6:EgboUJwJCV4CSFcNLwyNQkyhYLQL1GH1

Score

10^/10

nullmixer privateloader risepro smokeloader pub6 aspackv2 backdoor dropper loader stealer trojan

Malware Config

Extracted

Family

nullmixer

http://marisana.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023210-30.dat	aspack_v212_v242
behavioral2/files/0x0006000000023210-33.dat	aspack_v212_v242
behavioral2/files/0x0006000000023210-35.dat	aspack_v212_v242
behavioral2/files/0x000600000002320d-37.dat	aspack_v212_v242
behavioral2/files/0x000600000002320f-46.dat	aspack_v212_v242
behavioral2/files/0x000600000002320f-44.dat	aspack_v212_v242
behavioral2/files/0x000600000002320c-39.dat	aspack_v212_v242
behavioral2/files/0x000600000002320c-38.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	60d52e13d49f75155b26c170f5a2ec5f.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ipinfo.io
27	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3668	3280	WerFault.exe	80

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 4836	3856	60d52e13d49f75155b26c170f5a2ec5f.exe	116
PID 3856 wrote to memory of 4836	3856	60d52e13d49f75155b26c170f5a2ec5f.exe	116
PID 3856 wrote to memory of 4836	3856	60d52e13d49f75155b26c170f5a2ec5f.exe	116

C:\Users\Admin\AppData\Local\Temp\60d52e13d49f75155b26c170f5a2ec5f.exe
"C:\Users\Admin\AppData\Local\Temp\60d52e13d49f75155b26c170f5a2ec5f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\7zS4E237667\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4E237667\setup_install.exe"
    3⤵
    PID:3280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c karotima_2.exe
      4⤵
      PID:4724
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E237667\karotima_2.exe
        
        karotima_2.exe
        5⤵
        
        PID:3808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c karotima_1.exe
      4⤵
      PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\7zS4E237667\karotima_1.exe
        
        karotima_1.exe
        5⤵
        
        PID:920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 524
      4⤵
      Program crash
      PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3280 -ip 3280
1⤵
PID:3180

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4E237667\karotima_1.exe

Filesize
47KB

MD5
522bd2ce515c04c1136195c483c555ca

SHA1
119c0ac512e3385e4415591cc5fa5db0d4db5813

SHA256
46933ab28ef20ff8ac0741035ca16befd6b114fba9ec82e323c7c5c8dccd3c6e

SHA512
8d96e88814b5d8e9ea0ee45a9623a18242acb61f389843bca5796c1c9692cf83d062b8e7e8a702a72d8aa1e3a0bc4b2895948425e5039aa0f76840677e92ab28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\karotima_1.txt

Filesize
54KB

MD5
62cf483f8eebb915660fc6f79ae17192

SHA1
bdc196110ad9be9e5566be0959332032c64c0a5c

SHA256
e5afae455cc13d7e5846bf68c706dc7f81adc21e528ecdbdc71ff03e4d9f9373

SHA512
6be71bed0b09db840d0589ede6ba8d410443c6f60ad17d879845e9b9d7302f2ddf083d525f0763130a6bad3d5a78bfb7f5e941b2eeac27153a6d9041df144d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\karotima_2.exe

Filesize
126KB

MD5
ef230bb3a09805ecb77398dea393eb05

SHA1
7952dcefdbc3bfc88cc21635cf86074177d5ec0d

SHA256
c22a881e28abc4525bbb0814828ccc7b639c05c998278bb156d123586e606d18

SHA512
74684675d98f47bf13cd7e6d4578c9d5da7062c5ad4b0965a2a680f54d0a1c7c3f73df0ea34d96a3b8ab4edce15b58343fdb088dc430dff9c099912a4db0deb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\karotima_2.txt

Filesize
74KB

MD5
73dbc534282cddd54b1dc9f3ab991212

SHA1
f5c0c3bb94ee9aa201ef8a35efa28c889bac3993

SHA256
37560964093d9baa439f3ca9815f8ce186887fda496f75687e0da67d120ae86c

SHA512
92735bac9b0d740e08cbcf15da71309fe1f2450196a6c55ca8c80837ae15ddd56393bc744a03fa236761a98507680c25e593a49fc472d0d61e8a16c3d1c2662d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\libcurl.dll

Filesize
205KB

MD5
ec6ef6ee0aa544cc672fea8a850d1cff

SHA1
28e13b8a7a78d9a999167ec9066a499d4d23e598

SHA256
601ba49b2645ae36a1e75753b515280f5910f7f08a0e03846bf2e9347b5c7f49

SHA512
6ece70f3ee21c2d75c0e22a90d76be277ed569bcb1bc4035dbef70865e6783f1024a0a1c9a31ac9cbec38f78e2306b4319f38986569ef18a6f82a8f1889218ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\libcurl.dll

Filesize
126KB

MD5
8a1e605308f1d47614d4aad3bfaba972

SHA1
d32d5912c57eb3e5c33d3a57a991ffb2ccdf48b2

SHA256
0568dad9a31914262f158438cf74f597e7c92c10f737db73b03b9f6547c4f29b

SHA512
ed7a55279983e8d8ef816413085eae75c983486fc5c53fc638ce04e1995b1539f310e6336bf627dbd99b2c0d577afa48ebc69dde27c5d3da52460c88c07169f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\libgcc_s_dw2-1.dll

Filesize
81KB

MD5
9e015769289de92107fe973728b8e348

SHA1
f0cc97550b27973e182d2fc415fd21d814e50e2e

SHA256
125cafe7a2df62efe2127f07d284ad1e599969200de99bce0f148df01040dc20

SHA512
4283b54da64dea811bc886253214d5182d32eb73a4485d88e186c9b167c206c046f7d58cf672c0756afea3cb40fd5012dbfd03b11d2b6bd0f5984a33a713f7e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\libgcc_s_dw2-1.dll

Filesize
92KB

MD5
0a1d05a50ba6f68c4f9ca8a73735cb04

SHA1
d8afd2f7d5f9759972cf1ef29042c5fc1777948f

SHA256
dfdceafbca6e6275f039891899c8aa5b909f75c0a2d63c31c6d7900e11852782

SHA512
1ff811af9c39e40107df4bf8ee376c5174cdcda7911f8b9f25cbf60f7c12a3717fdb31ab570cc0a7c79fd5925866f7c238fc602089f0d703b6b187bdf1f99b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\libstdc++-6.dll

Filesize
303KB

MD5
ae1b40eaa2837af31166cf9a13d56ef8

SHA1
ab7337bb64527f06a6036c721238a01d4e9e2c7a

SHA256
6b2f8726d5bca1e2523e9de67cd82ef1fd14ae63359626bde41e3312de0c82d5

SHA512
67375a7a6de9d420e651c732f091145d6b2ee39a4d73503f7998f90a33017219d4ff8ebd9f7599923cab5e48ac7bca646b10d1ae232649c202faceb9c2d6a813

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\libstdc++-6.dll

Filesize
24KB

MD5
7dd19d926f93512876d52bc2fa8a1674

SHA1
8310a7713e4b0c02017528473a93821cf16cb4a2

SHA256
337a4c7a9f8f697340dd8d6c377e05cad900b2d2ec7d85447d59c3d3d50f50e0

SHA512
ed0993dbd840e9610c32d813d0c3879da656bd75babd4d853a83b7f987d6acde03639c4fe0baa1c916748e6c2516642f75bd795d5e3f191013f438f8eb0c3a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\setup_install.exe

Filesize
287KB

MD5
3b51df78ffa71e3932aad06f0526e1db

SHA1
1d21bab4761467fcaaf12c8bb237cb679e0e704d

SHA256
5a773cc52816f6b01c91700e47aa9e7d1dd96875c29bb37493c5185658a05f61

SHA512
866cf8acc56c61e9acc44e9b4194e60d3f0813a02f46a292b06d0545dc87ec3c94bca7a82c3515a98ccc4753e6e7ffc3d3c9a69b62e5434ac79a73e3aade1525

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\setup_install.exe

Filesize
28KB

MD5
f7ff75d1e096f5a31ed965579cbb0f9e

SHA1
f40d33de28e7a08965c6fbf9a1805ee11cdd3921

SHA256
94e984151fd8530a9395c0191eea8746928af51390d9a6c3625ac4e65f93c87d

SHA512
660988bc0ecd7d46b593e39169e4499cec48c2f93b94eda70d9d15c3520c7ce5e5e8c9de1b2e7a59f5fd3b757a6c10029713001e7127b79abef444989469bc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E237667\setup_install.exe

Filesize
93KB

MD5
aeeb524dc7319a8d0f21c833830f38ee

SHA1
2315072a0a6cd8b8dd6465be3e7ea8907c7a3ff7

SHA256
b844d12ce9ced7b26303b00130275559e42b7889e2a88b693ee244b96c574bde

SHA512
3f90f745207afc2d6d10ca20e7140a576dc232c5def762b99677dd2c29decfad0e564f74ed57bb6acab188a297f9308db27523d391514d26a39411ce4fb8be0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

Filesize
45KB

MD5
3ea5a4178ce9eec1445a91e24ecfd78e

SHA1
69958f70dc9c9376e67935309e8d6ef50ab23ab0

SHA256
0721b9ee5e33e76240d9c268918c0af698c8ee2bb0a42ce553d50971ecc482c6

SHA512
dc6f39f70ba203dab1ffcd630de7b8e05aee2702d08b9c6840b407037aa639f43c2bc0204eda17191b0baffd1e5cb837626bdd7d0d49faf538122ced8b7d325f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
1KB

MD5
7318b49bc9bf54dd030879eba1177b6e

SHA1
ef37e4dda75243b4d00ad0332e97ca3cee1bcfad

SHA256
8a1684ec7b267f08a85a4cff640abb51331e94bc60185b61e33182400480cbc0

SHA512
fd9a728cf08e8d8e8725aa1111b75224bb605dd1ab9adf6179ce4082e103ba902977d91e487ba1560e060dadefac5d8191384558b38cee3db181d25b9218ebec

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
33KB

MD5
aa5e0afafddb7397666330d555b4b073

SHA1
e4fda00bd54f98123d6b314c90b3e811991be285

SHA256
2c26bd2429bdef9c1f0b575e987799ffa5832466ec82b98f693f1f045cdd7706

SHA512
cc79c64b36fd1dabacc7ebb7bf7c90f72c0df7442c01fb9c59aadfb1be2546c6a0e52a099431859ae65e32bf4d64359817b55cd0a91716bfda972c28f9764da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
5KB

MD5
5338aff766646150cfe9d85c5ab51e70

SHA1
3e33561b21482422619347065e6495969be62bcb

SHA256
22cf770491b25566488dd1cd41072614170a24afe86bf90e5ae6008e9ac4a29c

SHA512
737d5a1cdc8f4e35db3655f8d442d9b302bacc2fce01c44da9885695d11c1e7a4f23e9c9d24854e53eb60d2a0d4fc83855572034aeee6bf803ad0f42c04acb67

Download Submit
C:\Users\Admin\AppData\Roaming\gudtfgf

Filesize
154KB

MD5
97867d93b3f93f04ab7ae3927c7c3f64

SHA1
2c41f7fbefe931f90b5fe4bf994519cb041822ab

SHA256
af9dc1e93e97bcced0eb9cf9e56fb9a02d4dc7782006ca87bcab0838193506d6

SHA512
e108cc0b1f00aca69623fa2f87f6a087582b4ec497417af04c15fa2ae69b57441b2fd49f173efefaa762706b99aaa2e5bcd1aa86768ba7f4ca19fc4a055a76ec

Download Submit
memory/3280-60-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3280-105-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3280-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3280-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3280-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-53-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3280-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3280-50-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3280-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3280-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3280-62-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3280-64-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3280-65-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3280-63-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3280-108-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-106-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3280-61-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3280-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3280-104-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3280-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3280-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3280-107-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3280-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-86-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3280-81-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3280-78-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3280-34-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3448-79-0x0000000003210000-0x0000000003225000-memory.dmp

Filesize
84KB

Download
memory/3808-71-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/3808-85-0x0000000000400000-0x00000000008A5000-memory.dmp

Filesize
4.6MB

Download
memory/3808-74-0x0000000000400000-0x00000000008A5000-memory.dmp

Filesize
4.6MB

Download
memory/3808-73-0x0000000000A00000-0x0000000000A09000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads