Analysis
- max time kernel: 0s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-12-2023 10:50
Static task
- static1
General
- Target: 166f2bc8f7949c714210d8b0aad0e30f.exe
- Size: 2.5MB
- MD5: 166f2bc8f7949c714210d8b0aad0e30f
- SHA1: 3a17e35120b1b6d9af676331288f7763b2a38252
- SHA256: 568b3a7273ccbb1436e42dd90f0541d7dc0da2a97944381ad0b31d7d437c4908
- SHA512: 144f45e98c9fede9067aabcc2a3af50603ce4cb519a06bfb94f6b93d47a6c5c70231278af240c9e7532b7b04c7c1670747b650f8e4e1f056401058784c7d8da6
- SSDEEP: 49152:xcBFuWMmtRozSLa2D5nPv2UdgCn8mhTRxtVxOmD2hiiAjIoUpD9ywFbG0J1k8ji:xu6KzlV6ozTFODDFoQRywFbG0J1kOi
Malware Config
- Extracted: nullmixer
  http://sornx.xyz/
- Extracted: vidar
  40.1
  706
  https://eduarroma.tumblr.com/
  profile_id: 706
- Extracted: smokeloader
  2020
  http://varmisende.com/upload/
  http://fernandomayol.com/upload/
  http://nextlytm.com/upload/
  http://people4jan.com/upload/
  http://asfaltwerk.com/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Vidar Stealer (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3888-116-0x00000000026C0000-0x000000000275D000-memory.dmp | family_vidar
  behavioral2/memory/3888-132-0x0000000000400000-0x0000000002408000-memory.dmp | family_vidar
  behavioral2/memory/3888-187-0x0000000000400000-0x00000000004A1000-memory.dmp | family_vidar
- Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\7zS0C377777\libcurlpp.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS0C377777\libstdc++-6.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS0C377777\libcurl.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS0C377777\libstdc++-6.dll | aspack_v212_v242
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  pid | pid_target | process
  3308 | 1548 | WerFault.exe
  1500 | 3568 | WerFault.exe Fri1176b8db38.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\166f2bc8f7949c714210d8b0aad0e30f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\166f2bc8f7949c714210d8b0aad0e30f.exe"
  PID: 960
  - C:\Users\Admin\AppData\Local\Temp\7zS0C377777\setup_install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zS0C377777\setup_install.exe"
    PID: 1548
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1548 -ip 1548
  PID: 1780
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 592
  Signature: Program crash
  PID: 3308
- C:\Users\Admin\AppData\Local\Temp\is-NCSFH.tmp\Fri11a911b057a2.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-NCSFH.tmp\Fri11a911b057a2.tmp" /SL5="$4022A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0C377777\Fri11a911b057a2.exe"
  PID: 1032
- C:\Users\Admin\AppData\Local\Temp\7zS0C377777\Fri1175f1621969d3.exe
  Command line: Fri1175f1621969d3.exe
  PID: 2128
- C:\Users\Admin\AppData\Local\Temp\7zS0C377777\Fri11a96e43aca.exe
  Command line: Fri11a96e43aca.exe
  PID: 3004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  PID: 2276
- C:\Users\Admin\AppData\Local\Temp\7zS0C377777\Fri1176b8db38.exe
  Command line: Fri1176b8db38.exe
  PID: 3568
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 372
    Signature: Program crash
    PID: 1500
- C:\Users\Admin\AppData\Local\Temp\7zS0C377777\Fri11c461e39d53e65a0.exe
  Command line: Fri11c461e39d53e65a0.exe
  PID: 4932
- C:\Users\Admin\AppData\Local\Temp\7zS0C377777\Fri11797508851.exe
  Command line: Fri11797508851.exe
  PID: 3220
- C:\Users\Admin\AppData\Local\Temp\7zS0C377777\Fri1189d7c3d50d.exe
  Command line: Fri1189d7c3d50d.exe
  PID: 3888
- C:\Users\Admin\AppData\Local\Temp\7zS0C377777\Fri1125717cea.exe
  Command line: Fri1125717cea.exe
  PID: 2668
- C:\Users\Admin\AppData\Local\Temp\7zS0C377777\Fri11a911b057a2.exe
  Command line: Fri11a911b057a2.exe
  PID: 3000
- C:\Users\Admin\AppData\Local\Temp\7zS0C377777\Fri11c82c0f30e.exe
  Command line: Fri11c82c0f30e.exe
  PID: 2776
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Fri1175f1621969d3.exe
  PID: 1840
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Fri11c461e39d53e65a0.exe
  PID: 1884
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Fri11a96e43aca.exe
  PID: 4656
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Fri11c82c0f30e.exe
  PID: 1432
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Fri11a911b057a2.exe
  PID: 1692
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Fri1189d7c3d50d.exe
  PID: 3768
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Fri1125717cea.exe
  PID: 2160
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Fri1176b8db38.exe
  PID: 3588
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Fri11797508851.exe
  PID: 4548
- C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  PID: 5072
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3568 -ip 3568
  PID: 4196
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  PID: 4264
Downloads