Analysis
-
max time kernel
149s -
max time network
164s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
28-12-2023 05:55
General
-
Target
c9705afcbe13766eedfe83cd901a1cd2.exe
-
Size
1.5MB
-
MD5
c9705afcbe13766eedfe83cd901a1cd2
-
SHA1
5f0a179c3a72744d8e7d16aedebaf5c000b2c019
-
SHA256
e270a47e3c09fe00dd072297302d96b830682e18214cb7410be4d56f6feb0dd0
-
SHA512
d34efb1d0f2ef24e277914e292cc09e753f4ca0e9e6189d7163e9932062f4fe2259b180a29ed9d2d5fa3486b3f4e1f2c7e40cf11b7a385562f72534b35f3a53e
-
SSDEEP
24576:Eg5Qr587v2TIC7sQpnVBf9QQMfcflspnr1+dReMQfOtzan2WnbSXqmndlLMV44gT:EgirovmIm/VhMfcfepnPfgJWn2fPLI6T
Malware Config
Extracted
nullmixer
http://wxkeww.xyz/
Extracted
smokeloader
pub6
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 32 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9705afcbe13766eedfe83cd901a1cd2.exe"C:\Users\Admin\AppData\Local\Temp\c9705afcbe13766eedfe83cd901a1cd2.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0971DBA6\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0971DBA6\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 3724⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c karotima_2.exe1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0971DBA6\karotima_2.exekarotima_2.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0971DBA6\karotima_1.exekarotima_1.exe1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c karotima_1.exe1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskeng.exetaskeng.exe {E7ACB9F6-CC09-4FF5-BF01-7ECF31101041} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\drhwadfC:\Users\Admin\AppData\Roaming\drhwadf2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1243⤵
- Loads dropped DLL
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
382KB
MD57110c62cfeae8451d0a91eed0266edde
SHA193cbbd558cf954afac40f49e12805ba344413b9d
SHA2564ec22ac35fdc138395f500f6fd0355a0026aa156497f0556e5f5ccca6eaf4312
SHA51224729e031ac35bf15d792b3d3510b89c86cb338201e46b5a16f20006a8f645dffa9add158c55caf595a2fa7877ec95a07da3f1bf60c81add1204771c137c419f
-
Filesize
201KB
MD57e3cb6bf4000e17ada2121b84b63ddc1
SHA13d9d09e4603b89913b0eca604021df3c49b4aa31
SHA256439c74d75423ffb0071e342f248c48567f50f50e1f836ae119f5db1387147188
SHA5120989ca525843ca03ebfb32b1f000307e7be9674b7453c7a8724f2206028e9ecc04b9f2ef130639858041d37a2b7a11d7e9b1e23197f22bb0e95f9d6f75291ebf
-
Filesize
92KB
MD5d772d6902200f5d4599a9b27d0d8f9e6
SHA1564eefb3fabe655b2fb51f492959b158cb20e12d
SHA2567bf11639663306b53a7fe0e3826d12f03e1dda7b1fb3abaa758e3281d35f8e17
SHA5126682d79a013129aceba9cde75a82f0444a28d30bfbd1c4656d7e3774b469283027a780362657c908c991f9b5939db32792e6713a323667ab763a95b3f3e23d36
-
Filesize
84KB
-
Filesize
4.6MB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
36KB
-
Filesize
4.6MB
-
Filesize
36KB
-
Filesize
4.6MB
-
Filesize
1024KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
140KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB