Analysis
max time kernel: 0s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 27-12-2023 03:28
Static task: static1
Behavioral task: behavioral1
Sample: a0e87c4b9483fae95f6f57946023d3e7.exe
Resource: win7-20231215-en
General
Target: a0e87c4b9483fae95f6f57946023d3e7.exe
Size: 2.8MB
MD5: a0e87c4b9483fae95f6f57946023d3e7
SHA1: 993ab6ddf0f3dfa349ef7ad4e3a44d0fc2a15a0a
SHA256: bb7dead4d3da28e16ef45d0019cd42bbd3c4e3454c3042867e7f64aee2439912
SHA512: 95979bbfb68d50223fa05e35a7fa6552a30889a07327347d8a6d03a80fc8d92bbcd4f7456431aceb7fc43acc784610d196e2d002baee9278c762e45852ee69b1
SSDEEP: 49152:EgGeCFEEIxWoH57jp49GfCZHw7DhSZ2eGIxy2FKVqrZix9zSlbtcUw5:JHCG+0Zja9sCZzZnGWdF+wZixpebeU8
Malware Config
Extracted: nullmixer
- http://watira.xyz/
Extracted: vidar
- 39.7
- 706
- https://shpak125.tumblr.com/
- profile_id: 706
Extracted: smokeloader
- pub5
Extracted: smokeloader
- 2020
- http://conceitosseg.com/upload/
- http://integrasidata.com/upload/
- http://ozentekstil.com/upload/
- http://finbelportal.com/upload/
- http://telanganadigital.com/upload/
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Vidar Stealer (5 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/2896-159-0x00000000004E0000-0x00000000005E0000-memory.dmp: family_vidar
- behavioral1/memory/1984-158-0x000000001AE10000-0x000000001AE90000-memory.dmp: family_vidar
- behavioral1/memory/1436-157-0x0000000000400000-0x00000000004C0000-memory.dmp: family_vidar
- behavioral1/memory/1436-156-0x00000000021F0000-0x000000000228D000-memory.dmp: family_vidar
- behavioral1/memory/1436-301-0x0000000000400000-0x00000000004C0000-memory.dmp: family_vidar
Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\7zSC5997A26\setup_install.exe: aspack_v212_v242
- \Users\Admin\AppData\Local\Temp\7zSC5997A26\setup_install.exe: aspack_v212_v242
Executes dropped EXE (1 IoCs)
Processes (pid, process):
- 2396 setup_installer.exe
Loads dropped DLL (4 IoCs)
Processes (pid, process):
- 2104 a0e87c4b9483fae95f6f57946023d3e7.exe
- 2396 setup_installer.exe
- 2396 setup_installer.exe
- 2396 setup_installer.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 4 ipinfo.io
- 7 ipinfo.io
- 31 api.db-ip.com
- 32 api.db-ip.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes (pid, pid_target, process):
- 952 2716 WerFault.exe
- 2904 1436 WerFault.exe sahiba_3.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of WriteProcessMemory (7 IoCs)
Processes (description, pid, process, target process):
- PID 2104 wrote to memory of 2396: a0e87c4b9483fae95f6f57946023d3e7.exe -> setup_installer.exe
- PID 2104 wrote to memory of 2396: a0e87c4b9483fae95f6f57946023d3e7.exe -> setup_installer.exe
- PID 2104 wrote to memory of 2396: a0e87c4b9483fae95f6f57946023d3e7.exe -> setup_installer.exe
- PID 2104 wrote to memory of 2396: a0e87c4b9483fae95f6f57946023d3e7.exe -> setup_installer.exe
- PID 2104 wrote to memory of 2396: a0e87c4b9483fae95f6f57946023d3e7.exe -> setup_installer.exe
- PID 2104 wrote to memory of 2396: a0e87c4b9483fae95f6f57946023d3e7.exe -> setup_installer.exe
- PID 2104 wrote to memory of 2396: a0e87c4b9483fae95f6f57946023d3e7.exe -> setup_installer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0e87c4b9483fae95f6f57946023d3e7.exe" (depth 1)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2104
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe" (depth 2)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2396
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sahiba_5.exe (depth 1)
  PID: 1704
- C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_5.exe
  Command line: sahiba_5.exe (depth 2)
  PID: 1984
- C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf (depth 1)
  PID: 2864
- C:\Windows\SysWOW64\cmd.exe
  Command line: cmd (depth 2)
  PID: 488
- C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf (depth 3)
  PID: 1056
- C:\Windows\SysWOW64\PING.EXE
  Command line: ping 127.0.0.1 -n 30 (depth 3)
  - Runs ping.exe
  PID: 1088
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
  Command line: Triste.exe.com n (depth 3)
  PID: 308
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com
  Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n (depth 4)
  PID: 1304
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe (depth 5)
  PID: 2484
- C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_7.exe
  Command line: sahiba_7.exe (depth 1)
  PID: 1628
- C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_3.exe
  Command line: sahiba_3.exe (depth 1)
  PID: 1436
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 964 (depth 2)
  - Program crash
  PID: 2904
- C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_1.exe" -a (depth 1)
  PID: 2000
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 416 (depth 1)
  - Program crash
  PID: 952
- C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_8.exe
  Command line: sahiba_8.exe (depth 1)
  PID: 1028
- C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_6.exe
  Command line: sahiba_6.exe (depth 1)
  PID: 2928
- C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_4.exe
  Command line: sahiba_4.exe (depth 1)
  PID: 1820
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sahiba_8.exe (depth 1)
  PID: 2124
- C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_2.exe
  Command line: sahiba_2.exe (depth 1)
  PID: 2896
- C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\sahiba_1.exe
  Command line: sahiba_1.exe (depth 1)
  PID: 2780
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sahiba_7.exe (depth 1)
  PID: 2668
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sahiba_6.exe (depth 1)
  PID: 1416
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sahiba_4.exe (depth 1)
  PID: 2572
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sahiba_3.exe (depth 1)
  PID: 288
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sahiba_2.exe (depth 1)
  PID: 796
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c sahiba_1.exe (depth 1)
  PID: 500
- C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\setup_install.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC5997A26\setup_install.exe" (depth 1)
  PID: 2716
Network
MITRE ATT&CK Enterprise v15
Downloads