Analysis
max time kernel: 1s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2023 02:19
Static task: static1
Behavioral task: behavioral1
Sample: 0b6b2968e8f090b22bc47abab70c4dd0.exe
Resource: win7-20231129-en
General
Target: 0b6b2968e8f090b22bc47abab70c4dd0.exe
Size: 5.7MB
MD5: 0b6b2968e8f090b22bc47abab70c4dd0
SHA1: 216f0ada991deb26c4607dd142ea5f0176484cc0
SHA256: cf8a60b5e39660a02d37d4d5f1d28e392427c1da05142d4a651cd1c267d07cc1
SHA512: 8598904d81f4ee2a31e9c3a9e2634b69b1a2cd61f92f679c2fa52ee302eef1524045adfd4fb3f5176218c5a53ace6263ac8a1c19952a9083b3339484e0468037
SSDEEP: 98304:yfa/a9mJY8p/79aJYpiPSnfCyg0+UA/bJMfcvPA5L2wvpvnSALNl5UL5nXSCC333:ymY+/BdsKnar0SWmIL2EqSNl5klZoZ
Malware Config
Extracted: nullmixer
  http://marisana.xyz/
Extracted: smokeloader
  pub6
Extracted: vidar
  40
  706
  https://lenak513.tumblr.com/
  profile_id: 706
Signatures
Detect ZGRat V1 (1 IoCs)
Processes:
  resource: behavioral2/memory/2728-112-0x00000000009C0000-0x00000000011E6000-memory.dmp  yara_rule: family_zgrat_v1
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
SmokeLoader
Modular backdoor trojan in use since 2014.
Vidar Stealer (3 IoCs)
Processes:
  resource: behavioral2/memory/3548-123-0x0000000003420000-0x00000000034BD000-memory.dmp  yara_rule: family_vidar
  resource: behavioral2/memory/2728-117-0x0000000076F40000-0x0000000077030000-memory.dmp  yara_rule: family_vidar
  resource: behavioral2/memory/3548-129-0x0000000000400000-0x000000000334B000-memory.dmp  yara_rule: family_vidar
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\libcurl.dll  yara_rule: aspack_v212_v242
  resource: C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\libcurlpp.dll  yara_rule: aspack_v212_v242
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation  process: 0b6b2968e8f090b22bc47abab70c4dd0.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid: 1968  process: setup_installer.exe
Processes:
  resource: behavioral2/memory/2728-112-0x00000000009C0000-0x00000000011E6000-memory.dmp  yara_rule: themida
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 12  ioc: ipinfo.io
  flow: 18  ioc: ipinfo.io
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
  pid: 3216  process: WerFault.exe  pid_target: 2196  target process: setup_install.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 2180 wrote to memory of 1968  pid: 2180  process: 0b6b2968e8f090b22bc47abab70c4dd0.exe  target process: setup_installer.exe
  description: PID 2180 wrote to memory of 1968  pid: 2180  process: 0b6b2968e8f090b22bc47abab70c4dd0.exe  target process: setup_installer.exe
  description: PID 2180 wrote to memory of 1968  pid: 2180  process: 0b6b2968e8f090b22bc47abab70c4dd0.exe  target process: setup_installer.exe
Processes (indented by depth in the process tree)
PID 2180  C:\Users\Admin\AppData\Local\Temp\0b6b2968e8f090b22bc47abab70c4dd0.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\0b6b2968e8f090b22bc47abab70c4dd0.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  PID 1968  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    signatures: Executes dropped EXE
    PID 2196  C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\setup_install.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\setup_install.exe"
      PID 3812  C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c 79d822fc709e78.exe
        PID 544  C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\79d822fc709e78.exe
          cmdline: 79d822fc709e78.exe
      PID 3216  C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 552
        signatures: Program crash
      PID 2324  C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c b001a8f56.exe
      PID 4152  C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c 2d7080268fee447.exe
      PID 3376  C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c f9a302645.exe
      PID 1304  C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c 3d0c613fcb2403.exe
      PID 4944  C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c e9e6055abb695524.exe
      PID 3784  C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c 20383e5a9a4c5112.exe
      PID 2648  C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c 27ce46284501.exe
PID 2728  C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\27ce46284501.exe
  cmdline: 27ce46284501.exe
PID 3548  C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\b001a8f56.exe
  cmdline: b001a8f56.exe
PID 3240  C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2196 -ip 2196
PID 5004  C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\e9e6055abb695524.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\e9e6055abb695524.exe" -a
PID 4536  C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\2d7080268fee447.exe
  cmdline: 2d7080268fee447.exe
PID 1180  C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\f9a302645.exe
  cmdline: f9a302645.exe
PID 1976  C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\3d0c613fcb2403.exe
  cmdline: 3d0c613fcb2403.exe
PID 1184  C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\e9e6055abb695524.exe
  cmdline: e9e6055abb695524.exe
PID 3552  C:\Users\Admin\AppData\Local\Temp\7zS0B74ED07\20383e5a9a4c5112.exe
  cmdline: 20383e5a9a4c5112.exe
PID 5040  C:\Windows\system32\WerFaultSecure.exe
  cmdline: "C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4940 -i 4940 -h 504 -j 508 -s 520 -d 4364
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 218KB
MD5: d09be1f47fd6b827c81a4812b4f7296f
SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Filesize: 54KB
MD5: e6e578373c2e416289a8da55f1dc5e8e
SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Filesize: 32KB
MD5: 51b67160269ef5a1e6c0ab2ed6426ef6
SHA1: 5b958a2c248a7f83110b50aa097b43db9ed8e26d
SHA256: 21ebbc581c060da3ed032643250b13fede7d593b99783aef44b6b5f554a45511
SHA512: 10a6cc16cfb098e3cb32f0d96311f33dc9a1ac46155170b8f5eada41a36cbfa6fe6b00ff65211eda18b3965d86d127407f1cf4ad84f816b34b2345c496bb738e

Filesize: 69KB
MD5: 1e0d62c34ff2e649ebc5c372065732ee
SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Filesize: 365KB
MD5: 86b49d73977a0c16444827b7e707a04f
SHA1: 3e346786cbb339548eb7c7688bb0716d8353f291
SHA256: 3ccd8d12972f120f4fce32210dd6afe793536bef049bfece303851d457540827
SHA512: 7de58669a50e5bc1eb41ec1aebe229adbf3aedd37434cb22f4bc34488ef39dae89ffe3b138a1d051cd7c9f4366458e8e8632f48494a8c70583a1b168696a1996

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 410KB
MD5: e34a32d947191b4349114f21025d9a6b
SHA1: a1a3484c1b893126a0b8de6340bf28c18fd0e953
SHA256: ebec2c8424f0f8490551e81162a364e7b395e32a3705b1d18ddbf46c195d1105
SHA512: 872d9e6d9fdb67099b852dfd2168bf3476f50e2186dac2d053d8d853a65694fd5f0f587cb3ca7766254321f8d4588409e565b974c772fb5b7b99ec6a94e78649

Filesize: 1024KB
MD5: e66948ebeb735a7c04f31d7c15c52218
SHA1: 4f9303fb1f681c5ca43c3c528555c5aa0ee3776b
SHA256: 1a218c13da3233bc4fe428496f708c41b0e4a324a142d06a0892b401ad778f74
SHA512: 868675c16a843bd5d5951d21af5db3835a99fde040af287a9c8f171ed5507a4c15d5408511ab8a8dbcee4cd09a5343e9d8ff3ebce1dd9789a335e2434079100c

Filesize: 898KB
MD5: 027a4c327eb70a6d215ac25ad2db2190
SHA1: bca81908c676bba1f5d1ae8275dc2e2c2e1e2d7f
SHA256: 7e237e4568b58a061a8c1a1f22f32fa449d856c8904502c59c834bda39bec9f6
SHA512: c869bfa136a45974e958fd89cdc59789e6a59b67f29f2c9d851487e01276eb9559f1385417439b870447286aeaa3a10c38fec00cb2624ff6a3c4e4fc71cd7ffc

Filesize: 1.5MB
MD5: 626f9d0d6499c9e1016ec4245fdbfee4
SHA1: c45e1ae57da311a76f1dd0e1cfe6b3e27e5dc9db
SHA256: 2612ca965f952e5ac4d1237e5abb6f59fe7271a6f269390040fef18ad3ecf68d
SHA512: 20b7f9fa8119ba2f222257cbe7a609c38dba06b3ba428c5a4d2613504a12dde9861d7a41fe876098060f378290a1f403f4e4828daa09def215dc03cf361468d5