Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
31-12-2023 05:29
General
-
Target
2a0a05bcae0114f543206ed1a81a8c69.exe
-
Size
1.5MB
-
MD5
2a0a05bcae0114f543206ed1a81a8c69
-
SHA1
0e6b17c5c3dcab55697b4589e8a239961fac9ed0
-
SHA256
d74a07eeb26faeed4799f582bcb3c22ba985cc7bf21685d3b6e37aa694a72d97
-
SHA512
5aaee090fc713af1add2a040bb6cfdde26650c6991249d7cfe94bfdb04e5a9a65f2ede7db317a2eb67e0763a097c997612fbef2c9829053e81bb6d9afe97f9cb
-
SSDEEP
49152:xcBECpZgu2Wk+EwJ84vLRaBtIl9mTXcRjt0S:xaZ2WOCvLUBsKsFt0S
Malware Config
Extracted
nullmixer
http://marisana.xyz/
Extracted
smokeloader
pub6
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ASPack v2.12-2.42 5 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a0a05bcae0114f543206ed1a81a8c69.exe"C:\Users\Admin\AppData\Local\Temp\2a0a05bcae0114f543206ed1a81a8c69.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS846A4B57\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS846A4B57\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c karotima_2.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS846A4B57\karotima_2.exekarotima_2.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c karotima_1.exe3⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 4443⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS846A4B57\karotima_1.exekarotima_1.exe1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1320 -ip 13201⤵
-
C:\Users\Admin\AppData\Roaming\eifcwtuC:\Users\Admin\AppData\Roaming\eifcwtu1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
92KB
MD50151c5c4a0ebf14b04ddf243564436d6
SHA15bcaf3f5bbcf6229483686d585b1106071b60c4d
SHA25684fd229f8269a62e61267c8f71d91e25b9ff4f82dfdbb56083c050e2b223e0ab
SHA512520080e496be6bb744c41e7549b6f250797742245d5bc2097a471be66962ed7ce468c8e076042375a6f443b392a85f19a0e5392638bc14bd08bd405744560d04
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
287KB
MD557bfe9fe09c69c1f1ca4d484db1ed84a
SHA17bc744a5980f08eaac7622387df0c061a967d5b6
SHA256e21ebd099758bc8552b9f1b8b8026a8b73857b299b1995273f4ce9c989a0c83b
SHA5123304e78c461e6e754af12e85c83039a06f92d2fa74e7430f31941b130560b77fc346a59235baab131308ece20e5db84c2a757bfb47a1319cbcc24b37edad0e38
-
Filesize
1.6MB
MD54f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
Filesize
325KB
MD52adf1986be67af56f5bfe1b9b857bdaa
SHA14336779d7127ea074a561632bc838b94e460a0f1
SHA2561c83bfcca6d10cdb603db804212d2ff60a478cbdd3c8547636e733a1e2bae28d
SHA512c86ffccffdc0378bd5241ca8ebbb7b0ac94901feaa37f53757d290c8785d15bdb75c837e93e88c57e597cbacdb7d2ceac8af992091fee35e2934afbfcd2424f7
-
Filesize
1.1MB
-
Filesize
572KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
1.1MB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
140KB
-
Filesize
1024KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
428KB
-
Filesize
36KB
-
Filesize
428KB
-
Filesize
1024KB
-
Filesize
36KB