Analysis
-
max time kernel
0s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
30-12-2023 02:19
Static task
static1
Behavioral task
behavioral1
Sample
0b6b2968e8f090b22bc47abab70c4dd0.exe
Resource
win7-20231129-en
General
-
Target
0b6b2968e8f090b22bc47abab70c4dd0.exe
-
Size
5.7MB
-
MD5
0b6b2968e8f090b22bc47abab70c4dd0
-
SHA1
216f0ada991deb26c4607dd142ea5f0176484cc0
-
SHA256
cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
-
SHA512
8598904d81f4ee2a31e9c3a9e2634b69b1a2cd61f92f679c2fa52ee302eef1524045adfd4fb3f5176218c5a53ace6263ac8a1c19952a9083b3339484e0468037
-
SSDEEP
98304:yfa/a9mJY8p/79aJYpiPSnfCyg0+UA/bJMfcvPA5L2wvpvnSALNl5UL5nXSCC333:ymY+/BdsKnar0SWmIL2EqSNl5klZoZ
Malware Config
Extracted
smokeloader
pub6
Extracted
vidar
40
706
https://lenak513.tumblr.com/
-
profile_id
706
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Signatures
-
Detect ZGRat V1 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2152-135-0x0000000001210000-0x0000000001A36000-memory.dmp family_zgrat_v1 -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar Stealer 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1240-143-0x0000000003350000-0x00000000033ED000-memory.dmp family_vidar behavioral1/memory/1240-144-0x0000000000400000-0x000000000334B000-memory.dmp family_vidar behavioral1/memory/1240-269-0x0000000000400000-0x000000000334B000-memory.dmp family_vidar -
Executes dropped EXE 1 IoCs
Processes:
setup_installer.exepid process 1916 setup_installer.exe -
Loads dropped DLL 4 IoCs
Processes:
0b6b2968e8f090b22bc47abab70c4dd0.exesetup_installer.exepid process 2984 0b6b2968e8f090b22bc47abab70c4dd0.exe 1916 setup_installer.exe 1916 setup_installer.exe 1916 setup_installer.exe -
Processes:
resource yara_rule behavioral1/memory/2152-135-0x0000000001210000-0x0000000001A36000-memory.dmp themida -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 38 api.db-ip.com 39 api.db-ip.com 4 ipinfo.io 14 ipinfo.io -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process 2880 2796 WerFault.exe 2592 1240 WerFault.exe b001a8f56.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
0b6b2968e8f090b22bc47abab70c4dd0.exedescription pid process target process PID 2984 wrote to memory of 1916 2984 0b6b2968e8f090b22bc47abab70c4dd0.exe setup_installer.exe PID 2984 wrote to memory of 1916 2984 0b6b2968e8f090b22bc47abab70c4dd0.exe setup_installer.exe PID 2984 wrote to memory of 1916 2984 0b6b2968e8f090b22bc47abab70c4dd0.exe setup_installer.exe PID 2984 wrote to memory of 1916 2984 0b6b2968e8f090b22bc47abab70c4dd0.exe setup_installer.exe PID 2984 wrote to memory of 1916 2984 0b6b2968e8f090b22bc47abab70c4dd0.exe setup_installer.exe PID 2984 wrote to memory of 1916 2984 0b6b2968e8f090b22bc47abab70c4dd0.exe setup_installer.exe PID 2984 wrote to memory of 1916 2984 0b6b2968e8f090b22bc47abab70c4dd0.exe setup_installer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b6b2968e8f090b22bc47abab70c4dd0.exe"C:\Users\Admin\AppData\Local\Temp\0b6b2968e8f090b22bc47abab70c4dd0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 2d7080268fee447.exe1⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\7zSC7752636\2d7080268fee447.exe2d7080268fee447.exe2⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\7zSC7752636\20383e5a9a4c5112.exe20383e5a9a4c5112.exe1⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\7zSC7752636\b001a8f56.exeb001a8f56.exe1⤵PID:1240
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 9562⤵
- Program crash
PID:2592
-
C:\Users\Admin\AppData\Local\Temp\7zSC7752636\e9e6055abb695524.exe"C:\Users\Admin\AppData\Local\Temp\7zSC7752636\e9e6055abb695524.exe" -a1⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\7zSC7752636\27ce46284501.exe27ce46284501.exe1⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\7zSC7752636\79d822fc709e78.exe79d822fc709e78.exe1⤵PID:2808
-
C:\Users\Admin\AppData\Local\Temp\7zSC7752636\f9a302645.exef9a302645.exe1⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\7zSC7752636\e9e6055abb695524.exee9e6055abb695524.exe1⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\7zSC7752636\3d0c613fcb2403.exe3d0c613fcb2403.exe1⤵PID:1056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 79d822fc709e78.exe1⤵PID:2940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 4161⤵
- Program crash
PID:2880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c b001a8f56.exe1⤵PID:2936
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c f9a302645.exe1⤵PID:2576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 3d0c613fcb2403.exe1⤵PID:2504
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c e9e6055abb695524.exe1⤵PID:2476
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 20383e5a9a4c5112.exe1⤵PID:2452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 27ce46284501.exe1⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\7zSC7752636\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC7752636\setup_install.exe"1⤵PID:2796
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5a752dbb95598b6270756534e5a489792
SHA1a1a40379c178af37c2f6985dfc6ca79d71ff8ee1
SHA25667807ab0b40497b17fd753c3d2f9623bd4bfea3148510b2ccb768d08f8a73193
SHA512f75d5e13d850ac15e371c518efe1066e624cdef6a3e4dffc0d61dcda5270942942f7a4e5664ee7298142b4535df56a1c527661f65531c6dd9a3b33c4e90307a9
-
Filesize
40B
MD55bda86c200ce3cb2d69c723a5e33ee7f
SHA13ae6b41ddd271eae3225285844afba2a67f6664a
SHA25674db2527f5f87d5916b041b6a45fb9b0f650c756f13f295344c9c1e6778b6d27
SHA5127485c29cef947a0b16b6b58a524f3e656e73215bfe225c980616669f7d5690d1b8fa193efd61c374304d0eff85fcea7aef7352b7d9c08953dc8e11507a0a8148
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e