Analysis
max time kernel: 2s
max time network: 146s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2023 13:16
Static task: static1
Behavioral task: behavioral1
Sample: 718b5089505fed92d1a44dc0dbeb36dc.exe
Resource: win7-20231215-en
General
Target: 718b5089505fed92d1a44dc0dbeb36dc.exe
Size: 2.8MB
MD5: 718b5089505fed92d1a44dc0dbeb36dc
SHA1: f4afe14c1b392514350f4495c44f998d3f19128f
SHA256: df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056
SHA512: 4c9d292125343b5b7edfe0051454fff957c040fd822e9b9d32f6a94d654dae778ca6fcb1e269adcb83363b3ade2893ae2ae63558f2906185ed67298c841bc807
SSDEEP: 49152:xcBszOxu3gCpbwOXh+1b4yFjErlsV6SP5iWyZ9KFFdZyZmj9MJ0yEwJ84vLRaBtf:xSizpbwOxKb4y8sVwWyZ0aZw9zCvLUBN
Malware Config
Extracted: nullmixer
- http://watira.xyz/
Extracted: vidar
- 39.7
- 706
- https://shpak125.tumblr.com/
- profile_id: 706
Extracted: smokeloader
- pub5
Extracted: smokeloader
- 2020
- http://conceitosseg.com/upload/
- http://integrasidata.com/upload/
- http://ozentekstil.com/upload/
- http://finbelportal.com/upload/
- http://telanganadigital.com/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar Stealer 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1440-149-0x00000000005C0000-0x00000000006C0000-memory.dmp | family_vidar
behavioral1/memory/816-148-0x0000000000400000-0x00000000004C0000-memory.dmp | family_vidar
behavioral1/memory/816-147-0x0000000002270000-0x000000000230D000-memory.dmp | family_vidar
behavioral1/memory/816-327-0x0000000000400000-0x00000000004C0000-memory.dmp | family_vidar
-
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC4958226\libstdc++-6.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC4958226\libcurl.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC4958226\libcurlpp.dll | aspack_v212_v242
-
Executes dropped EXE 10 IoCs
Processes:
pid | process
2820 | setup_install.exe
1208 | sonia_1.exe
2596 | sonia_4.exe
1440 | sonia_2.exe
2924 | sonia_7.exe
2800 | sonia_1.exe
816 | sonia_3.exe
680 | sonia_6.exe
1676 | sonia_5.exe
3012 | Triste.exe.com
-
Loads dropped DLL 35 IoCs
Processes:
pid | process
2380 | 718b5089505fed92d1a44dc0dbeb36dc.exe
2380 | 718b5089505fed92d1a44dc0dbeb36dc.exe
2380 | 718b5089505fed92d1a44dc0dbeb36dc.exe
2820 | setup_install.exe
2820 | setup_install.exe
2820 | setup_install.exe
2820 | setup_install.exe
2820 | setup_install.exe
2820 | setup_install.exe
2820 | setup_install.exe
2820 | setup_install.exe
2892 | cmd.exe
2176 | cmd.exe
2892 | cmd.exe
2176 | cmd.exe
2092 | cmd.exe
1208 | sonia_1.exe
1208 | sonia_1.exe
1440 | sonia_2.exe
1440 | sonia_2.exe
1060 | cmd.exe
1208 | sonia_1.exe
2468 | cmd.exe
2468 | cmd.exe
816 | sonia_3.exe
816 | sonia_3.exe
1596 | cmd.exe
2504 | cmd.exe
2800 | sonia_1.exe
680 | sonia_6.exe
2800 | sonia_1.exe
680 | sonia_6.exe
1676 | sonia_5.exe
1676 | sonia_5.exe
2080 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
44 | api.db-ip.com
4 | ipinfo.io
7 | ipinfo.io
43 | api.db-ip.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
1492 | 2820 | WerFault.exe |
1328 | 816 | WerFault.exe | sonia_3.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2380 wrote to memory of 2820 | 2380 | 718b5089505fed92d1a44dc0dbeb36dc.exe | setup_install.exe
PID 2380 wrote to memory of 2820 | 2380 | 718b5089505fed92d1a44dc0dbeb36dc.exe | setup_install.exe
PID 2380 wrote to memory of 2820 | 2380 | 718b5089505fed92d1a44dc0dbeb36dc.exe | setup_install.exe
PID 2380 wrote to memory of 2820 | 2380 | 718b5089505fed92d1a44dc0dbeb36dc.exe | setup_install.exe
PID 2380 wrote to memory of 2820 | 2380 | 718b5089505fed92d1a44dc0dbeb36dc.exe | setup_install.exe
PID 2380 wrote to memory of 2820 | 2380 | 718b5089505fed92d1a44dc0dbeb36dc.exe | setup_install.exe
PID 2380 wrote to memory of 2820 | 2380 | 718b5089505fed92d1a44dc0dbeb36dc.exe | setup_install.exe
PID 2820 wrote to memory of 2892 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2892 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2892 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2892 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2892 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2892 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2892 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2176 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2176 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2176 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2176 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2176 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2176 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2176 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2468 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2468 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2468 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2468 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2468 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2468 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2468 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2092 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2092 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2092 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2092 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2092 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2092 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2092 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2504 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2504 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2504 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2504 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2504 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2504 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 2504 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1596 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1596 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1596 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1596 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1596 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1596 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1596 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1060 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1060 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1060 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1060 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1060 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1060 | 2820 | setup_install.exe | cmd.exe
PID 2820 wrote to memory of 1060 | 2820 | setup_install.exe | cmd.exe
PID 2892 wrote to memory of 1208 | 2892 | cmd.exe | sonia_1.exe
PID 2892 wrote to memory of 1208 | 2892 | cmd.exe | sonia_1.exe
PID 2892 wrote to memory of 1208 | 2892 | cmd.exe | sonia_1.exe
PID 2892 wrote to memory of 1208 | 2892 | cmd.exe | sonia_1.exe
PID 2892 wrote to memory of 1208 | 2892 | cmd.exe | sonia_1.exe
PID 2892 wrote to memory of 1208 | 2892 | cmd.exe | sonia_1.exe
PID 2892 wrote to memory of 1208 | 2892 | cmd.exe | sonia_1.exe
PID 2176 wrote to memory of 1440 | 2176 | cmd.exe | sonia_2.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe"
  PID: 2380
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe"
    PID: 2820
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_4.exe
  Command line: sonia_4.exe
  PID: 2596
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_7.exe
  Command line: sonia_7.exe
  PID: 2924
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_3.exe
  Command line: sonia_3.exe
  PID: 816
  - Executes dropped EXE
  - Loads dropped DLL
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 952
    PID: 1328
    - Program crash
- C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_5.exe
  Command line: sonia_5.exe
  PID: 1676
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf
  PID: 2704
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd
    PID: 2080
    - Loads dropped DLL
    - C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf
      PID: 2296
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 30
      PID: 1724
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
      Command line: Triste.exe.com n
      PID: 3012
      - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
  Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n
  PID: 688
  - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
    PID: 628
- C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_6.exe
  Command line: sonia_6.exe
  PID: 680
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 408
  PID: 1492
  - Program crash
- C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe" -a
  PID: 2800
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_2.exe
  Command line: sonia_2.exe
  PID: 1440
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe
  Command line: sonia_1.exe
  PID: 1208
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_7.exe
  PID: 1060
  - Loads dropped DLL
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_6.exe
  PID: 1596
  - Loads dropped DLL
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_5.exe
  PID: 2504
  - Loads dropped DLL
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_4.exe
  PID: 2092
  - Loads dropped DLL
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_3.exe
  PID: 2468
  - Loads dropped DLL
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_2.exe
  PID: 2176
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sonia_1.exe
  PID: 2892
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Downloads