Analysis
max time kernel: 0s
max time network: 148s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-12-2023 21:40
Static task: static1
Behavioral task: behavioral1
Sample: 1d4d551922a91f2ca3099cac602bb170.exe
Resource: win7-20231215-en
General
Target: 1d4d551922a91f2ca3099cac602bb170.exe
Size: 3.3MB
MD5: 1d4d551922a91f2ca3099cac602bb170
SHA1: 70066afd233c024e95e81a4991e0ffcaffdc4eaa
SHA256: e4d07054a1bf665d9cd3a59192a7343c456f63fad3e248deab2a4cc721e85f22
SHA512: 780b5e569a233244a53d82e96e727a70d2c095e7f0112bfc4aab15155f3b8ef4e6621e19d93edd1bf04a45248c31aed76e34c25ebc0a079866d01a193765b0b2
SSDEEP: 98304:y+R3v/22NuSarPKR1ox2TJIemiB26Arrk:y4F7azK8IZUnrw
Malware Config
Extracted: vidar
  40.1
  706
  https://eduarroma.tumblr.com/
  profile_id: 706
Extracted: nullmixer
  http://hsiens.xyz/
Extracted: smokeloader
  2020
  http://varmisende.com/upload/
  http://fernandomayol.com/upload/
  http://nextlytm.com/upload/
  http://people4jan.com/upload/
  http://asfaltwerk.com/upload/
Extracted: gozi
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Vidar Stealer (3 IoCs)
  resource / yara_rule:
  behavioral1/memory/1728-169-0x00000000002E0000-0x000000000037D000-memory.dmp  family_vidar
  behavioral1/memory/1728-178-0x0000000000400000-0x0000000002D17000-memory.dmp  family_vidar
  behavioral1/memory/1728-306-0x0000000000400000-0x0000000002D17000-memory.dmp  family_vidar
  resource / yara_rule:
  C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\libcurlpp.dll  aspack_v212_v242
Executes dropped EXE (1 IoC)
  pid / process:
  496  setup_installer.exe
Loads dropped DLL (4 IoCs)
  pid / process:
  3032  1d4d551922a91f2ca3099cac602bb170.exe
  496   setup_installer.exe
  496   setup_installer.exe
  496   setup_installer.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (6 IoCs)
  pid / pid_target / process / target process:
  2372  2740  WerFault.exe
  1204  1728  WerFault.exe  Thu1292a34e8c7.exe
  112   1204  WerFault.exe  WerFault.exe
  2444  496   WerFault.exe  setup_installer.exe
  796   764   WerFault.exe  Thu12bdb3e13710e08.exe
  2140  2444  WerFault.exe  WerFault.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Runs regedit.exe (1 IoC)
  pid / process:
  2756  regedit.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  description / pid / process / target process:
  PID 3032 wrote to memory of 496  3032  1d4d551922a91f2ca3099cac602bb170.exe  setup_installer.exe
  PID 3032 wrote to memory of 496  3032  1d4d551922a91f2ca3099cac602bb170.exe  setup_installer.exe
  PID 3032 wrote to memory of 496  3032  1d4d551922a91f2ca3099cac602bb170.exe  setup_installer.exe
  PID 3032 wrote to memory of 496  3032  1d4d551922a91f2ca3099cac602bb170.exe  setup_installer.exe
  PID 3032 wrote to memory of 496  3032  1d4d551922a91f2ca3099cac602bb170.exe  setup_installer.exe
  PID 3032 wrote to memory of 496  3032  1d4d551922a91f2ca3099cac602bb170.exe  setup_installer.exe
  PID 3032 wrote to memory of 496  3032  1d4d551922a91f2ca3099cac602bb170.exe  setup_installer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1d4d551922a91f2ca3099cac602bb170.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\1d4d551922a91f2ca3099cac602bb170.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID: 3032
  - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
    PID: 496
    - C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\setup_install.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\setup_install.exe"
      PID: 2740
    - C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 340
      signatures: Program crash
      PID: 2444
      - C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 624
        signatures: Program crash
        PID: 2140
- C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu129287bed6aee7d37.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu129287bed6aee7d37.exe"
  PID: 692
- C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu12fc09d4538e825.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu12fc09d4538e825.exe" -a
  PID: 1964
- C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu12bdb3e13710e08.exe
  cmdline: Thu12bdb3e13710e08.exe
  PID: 764
  - C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 468
    signatures: Program crash
    PID: 796
- C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu1292a34e8c7.exe
  cmdline: Thu1292a34e8c7.exe
  PID: 1728
  - C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 956
    signatures: Program crash
    PID: 1204
    - C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 604
      signatures: Program crash
      PID: 112
- C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 424
  signatures: Program crash
  PID: 2372
- C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu12a736a81a0d80.exe
  cmdline: Thu12a736a81a0d80.exe
  PID: 2908
- C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu12fa34d54ce.exe
  cmdline: Thu12fa34d54ce.exe
  PID: 1756
- C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu1229846e873eb.exe
  cmdline: Thu1229846e873eb.exe
  PID: 2568
- C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu129287bed6aee7d37.exe
  cmdline: Thu129287bed6aee7d37.exe
  PID: 2888
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  PID: 1984
- C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu12fc09d4538e825.exe
  cmdline: Thu12fc09d4538e825.exe
  PID: 1940
- C:\Users\Admin\AppData\Local\Temp\7zS0F1C0636\Thu12133a64f6944.exe
  cmdline: Thu12133a64f6944.exe
  PID: 1716
- C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c Thu12a736a81a0d80.exe
  PID: 2248
- C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c Thu1229846e873eb.exe
  PID: 2648
- C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c Thu12bdb3e13710e08.exe
  PID: 2128
- C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c Thu12133a64f6944.exe
  PID: 2712
- C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c Thu1292a34e8c7.exe
  PID: 2652
- C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c Thu129287bed6aee7d37.exe
  PID: 2612
- C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c Thu12fa34d54ce.exe
  PID: 2588
- C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c Thu12fc09d4538e825.exe
  PID: 1780
- C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  PID: 2856
- C:\Users\Admin\AppData\Local\Temp\6AD4.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\6AD4.exe
  PID: 2556
  - C:\Windows\SysWOW64\explorer.exe
    cmdline: C:\Windows\SysWOW64\explorer.exe
    PID: 2164
    - C:\Users\Admin\AppData\Local\Temp\35gguag95im5q_1.exe
      cmdline: /suac
      PID: 3044
      - C:\Windows\SysWOW64\regedit.exe
        cmdline: "C:\Windows\SysWOW64\regedit.exe"
        signatures: Runs regedit.exe
        PID: 2756
      - C:\Windows\SysWOW64\schtasks.exe
        cmdline: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\35GGUA~1.EXE" /RL HIGHEST
        signatures: Creates scheduled task(s)
        PID: 2608
- C:\Users\Admin\AppData\Local\Temp\71B8.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\71B8.exe
  PID: 904
Network
MITRE ATT&CK Enterprise v15
Downloads
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize: 893KB
MD5: 47d3388bcd67a5424e1f73abb38f8d16
SHA1: f713f2df69b89f8ca42ccdb7e61bf6c160c29267
SHA256: ed6b6c31ea3200151dcb0934291a3e6f8efd47c71195a468ef1feda8967a4023
SHA512: 0c53e0591d42b0bc1550f0b74e4845d7590ac444976a3054c30111e8478d61ed121fba8265ef61a1545fed39c3bf8bb5a7c4b27d6e89603893c8ec2e1163ace7
-
Filesize: 1.1MB
MD5: 2ea907fc431c1de6dd3574e1513e64ed
SHA1: 78a5e507ef85eb2731a93792c0fb835f36fff094
SHA256: 608515e1f11bf0710007f6ea71ec36464f3142657c8075c6e3527b7a2b94e862
SHA512: f7bdd4e3281a5bfc18d0d59c70d800a13c1272f8dd2306085b14a28b9e1f0ce3d1acafa83fab8b1f9f7ec07ec9393459e322ff6b593e2a12dd2d5e02f022d6a6
-
Filesize: 1024KB
MD5: ba71171deee238efa2be7959b036fdff
SHA1: 73fc4dc3c679cd653270e3392ade3742b345a234
SHA256: 3385772012353749c04ec25024d8936c927b3a381bf3f6f18f49832d5c3707fa
SHA512: ae89d6b2d6b1ae360c578cdeaa8ec2e895614c9d15cfcee6d65d940c79f1bce693ff717893404ce4097e3e90b81018aff37ecf6088bc204c6675c0d2bc181fa3
-
Filesize: 69KB
MD5: 1e0d62c34ff2e649ebc5c372065732ee
SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize: 2.1MB
MD5: 5da0bd6ce560f6c4e2aedfb8de6b14bf
SHA1: 1daebfbe3f63ce4c917348f56116c705b33295a3
SHA256: ae81d0494007f317502d165b830240e5923fb2ef669f726c7b4f6bdb6e1af1dc
SHA512: 616cceae489d7e89b469c0883b8b134b4275dc8344fd00c0f77f4f24081b48a0a2e3163e4fecc5342c25bff4db4f938f075c8d9cfb253a914a23752df43ba192
-
Filesize: 1.9MB
MD5: a5d0b1025f34b4f66c34e8e0cdc37491
SHA1: 6f254f5626c34b2c148558fac8785c43e887f3b6
SHA256: e4ffd175342f2dfb0c88bfd3f7cd41dd9f894795a0d3cf04b413fc652970d5a3
SHA512: b54162a8bbdd532b546c3a8f8a06f7869ac8c0533d6ceca43a12fd9153e672000c016ad4d8e214ca4db67334bca0153859465341629f8577d5a445094222650d
-
Filesize: 1.4MB
MD5: 622ecf83905cdff87255acaf7d923574
SHA1: 7dfbdef78668ffe8cc8cd4c40bf3bc26d8a098f5
SHA256: a80b53312dc742c7b91967a8ca76d5a9ed0faef31f217323c3aec2fa2fedfd1c
SHA512: 10ae2288b169e44a4c27fb5378d1ad1efc221356ee9ff1f12c66ec3beb72ebb13a7ca422682abef64740d52bb6bdffc21d330343f79c829b57cb2de9d56d6ded
-
Filesize: 93KB
MD5: 9b44481728f8fd6894874cf9171e81f1
SHA1: e36f10ea66dbf472629b73ed98595a850c9045a8
SHA256: d56b2405d390856b7641ad6777e8cfb7722757547e41407ecbd54ca32c047ada
SHA512: cd6c7f72637c29c2da1292d45baf8438bb10429f6730e483e78da5f7572639f6018076081b709e0547c16571374385e7c13261bce5d2b92c6e864a38f816c7c5
-
Filesize: 832KB
MD5: 196b530c61a5507af0b6083e709bb932
SHA1: 0230d312c576dd7210eb57c5375ce1892b2e1d8b
SHA256: 3e6d4eaa17e4b0b53e58d394b568b3fe33cb493c5f6cfc7a07e09b274a5b4ca1
SHA512: d7d4850cc36efb226e21e80455ef583709c9ab474e404c465aef82a51a21e79964572e4404f8696c65af510f22c9c61626be3b7fd81d9aa8b44beeddb0f46bf4
-
Filesize: 624KB
MD5: 359ac7425c20b0cd75d6793e0363eae8
SHA1: 0f8d92be7b5d73864aa6da89885a9b93bd531422
SHA256: 4cfe23ed5e1828a8682d583967cfdd0925712411fe0019cfe5969edc470fe6f1
SHA512: 952e5ddf26e8e5f73e4517ac6021a6c6bc7472a85682e93b299520b012e3efaf835cf2ec499251c331cfb32ecc0845e35bf1ccfe4f04f6c89ead71ee38adf962