Analysis

  • max time kernel
    2s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-12-2023 13:16

General

  • Target: 718b5089505fed92d1a44dc0dbeb36dc.exe
  • Size: 2.8MB
  • MD5: 718b5089505fed92d1a44dc0dbeb36dc
  • SHA1: f4afe14c1b392514350f4495c44f998d3f19128f
  • SHA256: df872b0b7c336241db1a1ff9e83100d6ffb2b898a46c0c7b37a47dcbd002b056
  • SHA512: 4c9d292125343b5b7edfe0051454fff957c040fd822e9b9d32f6a94d654dae778ca6fcb1e269adcb83363b3ade2893ae2ae63558f2906185ed67298c841bc807
  • SSDEEP: 49152:xcBszOxu3gCpbwOXh+1b4yFjErlsV6SP5iWyZ9KFFdZyZmj9MJ0yEwJ84vLRaBtf:xSizpbwOxKb4y8sVwWyZ0aZw9zCvLUBN

Malware Config

  • Extracted
    Family: nullmixer
    C2: http://watira.xyz/
  • Extracted
    Family: vidar
    Version: 39.7
    Botnet: 706
    C2: https://shpak125.tumblr.com/
    Attributes
      • profile_id: 706
  • Extracted
    Family: smokeloader
    Botnet: pub5
  • Extracted
    Family: smokeloader
    Version: 2020
    C2:
      • http://conceitosseg.com/upload/
      • http://integrasidata.com/upload/
      • http://ozentekstil.com/upload/
      • http://finbelportal.com/upload/
      • http://telanganadigital.com/upload/
    rc4.i32
    rc4.i32

Signatures

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer 4 IoCs
  • ASPack v2.12-2.42 5 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 35 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe
    "C:\Users\Admin\AppData\Local\Temp\718b5089505fed92d1a44dc0dbeb36dc.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2820
  • C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_4.exe
    sonia_4.exe
    1⤵
    • Executes dropped EXE
    PID:2596
  • C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_7.exe
    sonia_7.exe
    1⤵
    • Executes dropped EXE
    PID:2924
  • C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_3.exe
    sonia_3.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:816
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 952
      2⤵
      • Program crash
      PID:1328
  • C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_5.exe
    sonia_5.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1676
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf
    1⤵
    PID:2704
    • C:\Windows\SysWOW64\cmd.exe
      cmd
      2⤵
      • Loads dropped DLL
      PID:2080
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf
        3⤵
        PID:2296
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 30
        3⤵
        • Runs ping.exe
        PID:1724
      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
        Triste.exe.com n
        3⤵
        • Executes dropped EXE
        PID:3012
  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n
    1⤵
    PID:688
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
      2⤵
      PID:628
  • C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_6.exe
    sonia_6.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:680
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 408
    1⤵
    • Program crash
    PID:1492
  • C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe" -a
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:2800
  • C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_2.exe
    sonia_2.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1440
  • C:\Users\Admin\AppData\Local\Temp\7zSC4958226\sonia_1.exe
    sonia_1.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1208
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_7.exe
    1⤵
    • Loads dropped DLL
    PID:1060
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_6.exe
    1⤵
    • Loads dropped DLL
    PID:1596
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_5.exe
    1⤵
    • Loads dropped DLL
    PID:2504
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_4.exe
    1⤵
    • Loads dropped DLL
    PID:2092
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_3.exe
    1⤵
    • Loads dropped DLL
    PID:2468
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_2.exe
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2176
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_1.exe
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2892

          Downloads

  • \Users\Admin\AppData\Local\Temp\7zSC4958226\libcurl.dll
    Filesize: 218KB
    MD5: d09be1f47fd6b827c81a4812b4f7296f
    SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
    SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
    SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
  • \Users\Admin\AppData\Local\Temp\7zSC4958226\libcurlpp.dll
    Filesize: 54KB
    MD5: e6e578373c2e416289a8da55f1dc5e8e
    SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
    SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
    SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
  • \Users\Admin\AppData\Local\Temp\7zSC4958226\libgcc_s_dw2-1.dll
    Filesize: 113KB
    MD5: 9aec524b616618b0d3d00b27b6f51da1
    SHA1: 64264300801a353db324d11738ffed876550e1d3
    SHA256: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
    SHA512: 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
  • \Users\Admin\AppData\Local\Temp\7zSC4958226\libstdc++-6.dll
    Filesize: 647KB
    MD5: 5e279950775baae5fea04d2cc4526bcc
    SHA1: 8aef1e10031c3629512c43dd8b0b5d9060878453
    SHA256: 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
    SHA512: 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
  • \Users\Admin\AppData\Local\Temp\7zSC4958226\libwinpthread-1.dll
    Filesize: 69KB
    MD5: 1e0d62c34ff2e649ebc5c372065732ee
    SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
    SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
    SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
  • \Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe
    Filesize: 290KB
    MD5: b4a67b6fec9465dd0ec68dd89161871b
    SHA1: 96e7f9107283b6bb16a32cfcef54cee69f60fd12
    SHA256: 44bca303abba91a91aae37648d0ed6de6fac5260be3e28eb1a2decd7a6f01aff
    SHA512: a7f6c7832537e9a693f672416cfe5e1e3de7d2fd13a6078976154f75d542fdaaf00e417e7e65b7e5609c30807ba99e969f6dbc42229c1e6e3ddbfd5aed5f2565
  • \Users\Admin\AppData\Local\Temp\7zSC4958226\setup_install.exe
    Filesize: 94KB
    MD5: 8dd627e3bf524f445114ab78b075f31e
    SHA1: 6b273b5e9e528d0629e45e28239c8f56bee42469
    SHA256: 91794d66023b7104370d8efabb5c7638c6d4ce4a1cdb070b71142f421d6b3f2c
    SHA512: 6b1c66bab60a9fb3affe2fcf7b5cec5dbc0f784f11884a78659fcb2a25350cedc989ef8bcadbc2700b959d3dd0e7f29570a10eb16febfc6c1efe229135d70c02
