Analysis
max time kernel: 0s
max time network: 144s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2023 23:18
Static task: static1
Behavioral task: behavioral1
  Sample: 06b5e8e5108f700f733f029529489055.exe
  Resource: win7-20231129-en
General
Target: 06b5e8e5108f700f733f029529489055.exe
Size: 3.4MB
MD5: 06b5e8e5108f700f733f029529489055
SHA1: b36f6095b70c58a7f269e4561056b85a564dd3d1
SHA256: b255f6b269f178c5f63162e16c830cfc772e80ad18b50b62dbe7c5da156b3980
SHA512: 06f72e584d6c76ca939dd27dfcda66a01914129cfa8bc86ab36ab72f836523294f0b30b8d64a8016d25e52b5393d80a4dc77eacbe662ab65d21851809730001a
SSDEEP: 98304:x018QQd1K6KU/ctlh1OEFVPSTCvLUBsKa3:xk8QQfK6ZYlh1XVPTLUCKC
Malware Config
Extracted: nullmixer
  http://razino.xyz/
Extracted: smokeloader
  pub5
Extracted: vidar
  39.4
  706
  https://sergeevih43.tumblr.com/
  profile_id: 706
Extracted: smokeloader
  2020
  http://ppcspb.com/upload/
  http://mebbing.com/upload/
  http://twcamel.com/upload/
  http://howdycash.com/upload/
  http://lahuertasonora.com/upload/
  http://kpotiques.com/upload/
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Nirsoft (1 IoC)
  Processes:
    resource                                                                    yara_rule
    behavioral1/memory/2944-254-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
Vidar Stealer (3 IoCs)
  Processes:
    resource                                                                    yara_rule
    behavioral1/memory/1692-179-0x0000000000CF0000-0x0000000000D8D000-memory.dmp  family_vidar
    behavioral1/memory/1692-180-0x0000000000400000-0x0000000000950000-memory.dmp  family_vidar
    behavioral1/memory/1692-265-0x0000000000400000-0x0000000000950000-memory.dmp  family_vidar
Processes:
    resource                                                       yara_rule
    \Users\Admin\AppData\Local\Temp\7zS06AC8226\setup_install.exe  aspack_v212_v242
Executes dropped EXE (1 IoC)
  Processes: setup_install.exe
    pid   process
    2124  setup_install.exe
Loads dropped DLL (7 IoCs)
  Processes: 06b5e8e5108f700f733f029529489055.exe, setup_install.exe
    pid   process
    2656  06b5e8e5108f700f733f029529489055.exe
    2656  06b5e8e5108f700f733f029529489055.exe
    2656  06b5e8e5108f700f733f029529489055.exe
    2124  setup_install.exe
    2124  setup_install.exe
    2124  setup_install.exe
    2124  setup_install.exe
Processes:
    resource                                                                    yara_rule
    behavioral1/memory/2944-254-0x0000000000400000-0x000000000045B000-memory.dmp  upx
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (5 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    67    api.db-ip.com
    14    ip-api.com
    54    ipinfo.io
    55    ipinfo.io
    66    api.db-ip.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
    pid   pid_target  process
    292   2124        WerFault.exe
    1984  1692        WerFault.exe  sotema_3.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: 06b5e8e5108f700f733f029529489055.exe
    description                        pid   process                               target process
    PID 2656 wrote to memory of 2124   2656  06b5e8e5108f700f733f029529489055.exe  setup_install.exe
    PID 2656 wrote to memory of 2124   2656  06b5e8e5108f700f733f029529489055.exe  setup_install.exe
    PID 2656 wrote to memory of 2124   2656  06b5e8e5108f700f733f029529489055.exe  setup_install.exe
    PID 2656 wrote to memory of 2124   2656  06b5e8e5108f700f733f029529489055.exe  setup_install.exe
    PID 2656 wrote to memory of 2124   2656  06b5e8e5108f700f733f029529489055.exe  setup_install.exe
    PID 2656 wrote to memory of 2124   2656  06b5e8e5108f700f733f029529489055.exe  setup_install.exe
    PID 2656 wrote to memory of 2124   2656  06b5e8e5108f700f733f029529489055.exe  setup_install.exe
Processes
(process tree; children are indented under their parent)

PID 2656  C:\Users\Admin\AppData\Local\Temp\06b5e8e5108f700f733f029529489055.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\06b5e8e5108f700f733f029529489055.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID 2124  C:\Users\Admin\AppData\Local\Temp\7zS06AC8226\setup_install.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS06AC8226\setup_install.exe"
    signatures: Executes dropped EXE; Loads dropped DLL

PID 2536  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c sotema_4.exe
  PID 952  C:\Users\Admin\AppData\Local\Temp\7zS06AC8226\sotema_4.exe
    cmdline: sotema_4.exe
    PID 2944  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

PID 2756  C:\Users\Admin\AppData\Local\Temp\is-E2JTR.tmp\sotema_7.tmp
  cmdline: "C:\Users\Admin\AppData\Local\Temp\is-E2JTR.tmp\sotema_7.tmp" /SL5="$701F4,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS06AC8226\sotema_7.exe"

PID 1308  C:\Windows\SysWOW64\rUNdlL32.eXe
  cmdline: "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub

PID 292  C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 408
  signatures: Program crash

PID 452  C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k SystemNetworkService

PID 1692  C:\Users\Admin\AppData\Local\Temp\7zS06AC8226\sotema_3.exe
  cmdline: sotema_3.exe
  PID 1984  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 964
    signatures: Program crash

PID 1096  C:\Users\Admin\AppData\Local\Temp\7zS06AC8226\sotema_2.exe
  cmdline: sotema_2.exe

PID 1632  C:\Users\Admin\AppData\Local\Temp\7zS06AC8226\sotema_7.exe
  cmdline: sotema_7.exe

PID 2988  C:\Users\Admin\AppData\Local\Temp\7zS06AC8226\sotema_6.exe
  cmdline: sotema_6.exe

PID 2096  C:\Users\Admin\AppData\Local\Temp\7zS06AC8226\sotema_5.exe
  cmdline: sotema_5.exe

PID 2980  C:\Users\Admin\AppData\Local\Temp\7zS06AC8226\sotema_1.exe
  cmdline: sotema_1.exe

PID 2732  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c sotema_7.exe

PID 2864  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c sotema_6.exe

PID 1208  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c sotema_5.exe

PID 2512  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c sotema_3.exe

PID 2504  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c sotema_2.exe

PID 2480  C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c sotema_1.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
(one entry; the hashes below are those of a zero-byte file, so no downloaded content was captured)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e