Overview

overview

10

Static

static

3

8d437876e8...66.exe

windows7-x64

10

8d437876e8...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2023 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d437876e8f8d2d06f3eea7872e19366.exe

  • Size

    1.5MB

  • MD5

    8d437876e8f8d2d06f3eea7872e19366

  • SHA1

    1602c0b6f1526a7b65fcb1815c9fdf8dbfe68681

  • SHA256

    a11aef5350475e61ecbe2372af59768d8b41178d70ed4ce9ee04d4feb5179a9e

  • SHA512

    d675a1ebe62ccd66f925a1098d44c825ed0b27a1c038734250d58f88143ed3d97a9179f308ab637cdc03021c2df29dca1e5824dc30b7b37ced89a552a5368095

  • SSDEEP

    49152:EgeYWTMp+nJJ1RzFVml3ySsB+cmeKQMSlmwcTYC:Jbijm3ySsBkSQX

Score
10/10
nullmixersmokeloaderpub6aspackv2backdoordropperevasiontrojan

Malware Config

Extracted

Family

nullmixer

C2

http://marisana.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d437876e8f8d2d06f3eea7872e19366.exe
    "C:\Users\Admin\AppData\Local\Temp\8d437876e8f8d2d06f3eea7872e19366.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Users\Admin\AppData\Local\Temp\7zSC3BB7D57\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zSC3BB7D57\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2072
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2072 -ip 2072
    1⤵
      PID:4120
    • C:\Users\Admin\AppData\Local\Temp\7zSC3BB7D57\karotima_1.exe
      karotima_1.exe
      1⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      PID:4156
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 440
      1⤵
      • Program crash
      PID:4712
    • C:\Users\Admin\AppData\Local\Temp\7zSC3BB7D57\karotima_2.exe
      karotima_2.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2316
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 424
        2⤵
        • Program crash
        PID:3016
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c karotima_2.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:624
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c karotima_1.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4588
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2316 -ip 2316
      1⤵
        PID:316

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zSC3BB7D57\libcurlpp.dll
        Filesize

        54KB

        MD5

        e6e578373c2e416289a8da55f1dc5e8e

        SHA1

        b601a229b66ec3d19c2369b36216c6f6eb1c063e

        SHA256

        43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

        SHA512

        9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSC3BB7D57\setup_install.exe
        Filesize

        92KB

        MD5

        7cc94e079aec3631a7922e007fd83f68

        SHA1

        c2377791bbbeb81e475c0d60dfe325f60959bca2

        SHA256

        d85247262e308a3f2ce9f7f1511872dd8c64e1a164ea790f7b8c589484ac5383

        SHA512

        8c01310dba9dcb571910b88a990d138c29238678179d9b24b3fd1919d9e5584ecb1ab4e8fe31b8378e5936fde5ad50c387c83571b76a997a56aaaba768cbca53

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSC3BB7D57\setup_install.exe
        Filesize

        290KB

        MD5

        0754e79a9afd9ad08a26f68844f0242f

        SHA1

        f56e81928d78549f804bc2f85f394d1f59069ae1

        SHA256

        d58f14aeb638ffa98c4adada312bd2301dde0e211e1e2fce57d19c7ba2508bf9

        SHA512

        c1e5378766a61783172022c00fab6c931d0b28750b8373c268d89bff2ae84f989c765b4110f04401c54571ae83c8aded7e7f30e0120a521dc2567bdb71b42be1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        Filesize

        382KB

        MD5

        23f70e3517b16c34e47a5f1cd5909bb1

        SHA1

        aa4f9a24820afa770ef32bc9383d4c8b195aea5e

        SHA256

        34ef4f7c5b214f454678df6c0404c3f166ba9d90d3f5814e3b28952c44d1ffd1

        SHA512

        953f031d14b0fe999fbe0303c54135fbdf5e4d3a4c3eb78a8ffc1dc1a92a3e99fcffcb6fabbe1632f60e232cd6dc739ec416fb51b86187be5807ff23f43caa0d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        Filesize

        897KB

        MD5

        a6b2adf7c5aa7bcf5191bf5b282066e7

        SHA1

        124349a3ec5d855cdfdee2ece9c6eb49fd541760

        SHA256

        c2e4d7c50125d54e501b6b39470ebf19be5bab96f5fd740f51fbdfe8eb7ae27a

        SHA512

        3182492ea6accfb75bbc8d42af3063f6127fb659bfd443d2cecf2d7e8bd0eaf96f21a877997faa8ac41423500f8d1ed3e0cef04adb35f787e2ceb8829bb8cff2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        Filesize

        894KB

        MD5

        93503365fc38f4662bf5e0236ab1bf15

        SHA1

        bc57c3e591d1ab9ae35003783b9d07e3319cbb30

        SHA256

        4ce0eaa9f3cf7bca6f22f26d519ac2959831ff1f06beb81ec3e9a609170eb15d

        SHA512

        160a9bf69c2ef9bd3698782f0e84a8a7f05a84f09b0db1586e6be2c48561aed5bd6b5e63bd373b2ddf93a955809dd4f6613475693eb9406c895e85fcb6f4f330

        Download Submit

      • C:\Users\Admin\AppData\Roaming\vggrhse
        Filesize

        316KB

        MD5

        d5d26315089f6ac8d34c4c83186e06ee

        SHA1

        c6b7d3bc78348ed51345e0ecae4230f4b9dab60f

        SHA256

        40382600b229205c57529f73d807fa693f8ecb692c0fa6582112e4a232b4af83

        SHA512

        edb7593edfc86e4cc2be91e07d21a5af24147f26c2a4a723a1f13cd4e70d44377581e08ad2b2605a089ddb26882c834445f3577168919efdcb9c1a8d115bd539

        Download Submit

      • memory/2072-78-0x000000006EB40000-0x000000006EB63000-memory.dmp

        Filesize

        140KB

        Download

      • memory/2072-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2072-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2072-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2072-66-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-67-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-73-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2072-76-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/2072-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2072-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2072-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2072-65-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-64-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-63-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-34-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2072-53-0x0000000000EB0000-0x0000000000F3F000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2072-62-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2072-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2072-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2072-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2072-54-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/2072-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2072-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2316-79-0x0000000000660000-0x0000000000760000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2316-80-0x00000000004B0000-0x00000000004B9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2316-89-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2316-82-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/3500-86-0x0000000002F30000-0x0000000002F45000-memory.dmp

        Filesize

        84KB

        Download