Analysis
max time kernel: 0s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 31-12-2023 05:43
Static task: static1
Behavioral task: behavioral1
Sample: 2a7a53a25f11a4e0b70f19e1a49d5229.exe
Resource: win7-20231215-en
General
Target: 2a7a53a25f11a4e0b70f19e1a49d5229.exe
Size: 1.9MB
MD5: 2a7a53a25f11a4e0b70f19e1a49d5229
SHA1: e832b847396ad164a1d3af7745a3d68da4c5631f
SHA256: 356b0cafa50b44b352ff1f95515b81af4ef5a5269343d8c459306b8d3261a58d
SHA512: cfad611e542f36acf94b4cfb6f54daec7c42cba48c5f3b761ee09bc02bc79889da262f887592aea9e24436a489894f7211d8378cf1b038378303824166b6667e
SSDEEP: 49152:9gm6jSI2tM+C2a3EzO079E4dcjmlxcoe8TeOkw80AtNkJs8tX0SN+gSD1h:y1oe+Cr3gO+W4qmfVK3wTsNohi51h
Malware Config
Extracted
Family: vidar
Version: 40
Botnet: 706
C2: https://lenak513.tumblr.com/
Attributes: profile_id 706
Extracted
Family: smokeloader
Botnet: pub5
Extracted
Family: nullmixer
C2: http://watira.xyz/
Extracted
Family: smokeloader
Version: 2020
C2:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Signatures
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
SmokeLoader
Modular backdoor trojan in use since 2014.
Vidar Stealer (3 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/1560-127-0x0000000004A50000-0x0000000004AED000-memory.dmp  family_vidar
behavioral1/memory/1560-129-0x0000000000400000-0x0000000002CBE000-memory.dmp  family_vidar
behavioral1/memory/1560-237-0x0000000000400000-0x0000000002CBE000-memory.dmp  family_vidar
Executes dropped EXE (1 IoC)
Processes:
pid  process
2640  setup_installer.exe
Loads dropped DLL (4 IoCs)
Processes:
pid  process
2444
2640  setup_installer.exe
2640  setup_installer.exe
2640  setup_installer.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes:
pid  pid_target  process
776  2696  WerFault.exe
2420  1560  WerFault.exe 49b64a222d62322.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description  pid  process  target process
PID 2444 wrote to memory of 2640  2444  setup_installer.exe
PID 2444 wrote to memory of 2640  2444  setup_installer.exe
PID 2444 wrote to memory of 2640  2444  setup_installer.exe
PID 2444 wrote to memory of 2640  2444  setup_installer.exe
PID 2444 wrote to memory of 2640  2444  setup_installer.exe
PID 2444 wrote to memory of 2640  2444  setup_installer.exe
PID 2444 wrote to memory of 2640  2444  setup_installer.exe
Processes
Process: C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe"
Depth: 1
PID: 2444

Process: C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
Depth: 2
Signatures: Executes dropped EXE, Loads dropped DLL
PID: 2640

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c 49b64a222d62322.exe
Depth: 1
PID: 3028

Process: C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\49b64a222d62322.exe
Command line: 49b64a222d62322.exe
Depth: 2
PID: 1560

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 952
Depth: 3
Signatures: Program crash
PID: 2420

Process: C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\e2651aae101285.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\e2651aae101285.exe" -a
Depth: 1
PID: 1260

Process: C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\d128da868eace63.exe
Command line: d128da868eace63.exe
Depth: 1
PID: 1504

Process: C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\671e9c9b76adcf6.exe
Command line: 671e9c9b76adcf6.exe
Depth: 1
PID: 1556

Process: C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\e2651aae101285.exe
Command line: e2651aae101285.exe
Depth: 1
PID: 1360

Process: C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\49b456537.exe
Command line: 49b456537.exe
Depth: 1
PID: 848

Process: C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\49f7436351.exe
Command line: 49f7436351.exe
Depth: 1
PID: 2996

Process: C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\c3fd6c993b4.exe
Command line: c3fd6c993b4.exe
Depth: 1
PID: 2896

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c 671e9c9b76adcf6.exe
Depth: 1
PID: 2872

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c 49b456537.exe
Depth: 1
PID: 2864

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c e2651aae101285.exe
Depth: 1
PID: 2868

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c d128da868eace63.exe
Depth: 1
PID: 2828

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c c3fd6c993b4.exe
Depth: 1
PID: 1592

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c 49f7436351.exe
Depth: 1
PID: 3016

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 408
Depth: 1
Signatures: Program crash
PID: 776

Process: C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\setup_install.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7zS05AC4D06\setup_install.exe"
Depth: 1
PID: 2696
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 69KB
MD5: 1e0d62c34ff2e649ebc5c372065732ee
SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Filesize: 2.4MB
MD5: 302fc869c0280dcc7c2d5f9037f145b5
SHA1: d5312f84f06eb9743eea9cc2a70d5a1b4cae978e
SHA256: 96486cd072c49dadd037b5759623d5ff9afcc29ab9ed621f304e506189b86133
SHA512: 57ac48a4e1a0d79d1e75b63f15a7f8d76bc6294abe9c1e21832738a915eb64b42237fcc4014753e652d8eacb223cc83aac2a22fe951d0fb45aa4a9a21bda6278

Filesize: 381KB
MD5: ce3f2b4ed7f6aba3906306552cfc1545
SHA1: c7d742c63f5cd95955b259e6ebdc1bcc44365850
SHA256: 79e7d8f2016bfacef67f0f83a5ff9cb52c7bc23113e5c313c2e797da85da85d7
SHA512: 3503f55cdc79401fd76de0c48eadbe8cc764ddb16b2ed63a3506e1ff8d9045c88670fb24a3340a122977c869a415f85c16d090c8ffaa6f9ee4ecba7a5f5b935b

Filesize: 92KB
MD5: d772d6902200f5d4599a9b27d0d8f9e6
SHA1: 564eefb3fabe655b2fb51f492959b158cb20e12d
SHA256: 7bf11639663306b53a7fe0e3826d12f03e1dda7b1fb3abaa758e3281d35f8e17
SHA512: 6682d79a013129aceba9cde75a82f0444a28d30bfbd1c4656d7e3774b469283027a780362657c908c991f9b5939db32792e6713a323667ab763a95b3f3e23d36

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 3.4MB
MD5: 54505a3a0ba8f4379f1dabead3711a26
SHA1: c516fcbb3eebb05d2e818de0696ac65f50baaa6b
SHA256: 9e67a053b6761e2418586bc0d6dccb1f1d86baa05e46b37fc2735c57ce3f6e7d
SHA512: 2f184269bf358459de906f54c33280def6fbc54fd92b0cf5def05f85355631e03cbab62a0513232f56eeee39993b3e5c5a85c41d4be93cb8d62ac55e30602d66

Filesize: 1.4MB
MD5: 10d261cf02d9341bbd89952785830a3f
SHA1: e9d3001c3805f2a6ef214ae24faf251866644e34
SHA256: 12006c24e9e356216842871acf8bd9f373ee024de50c2fc5150dab3a19fe86d1
SHA512: 1651da4af9053dada9b09c6bc3e8245614656d86a33312d2d09571f1cd3b783b2f00b71e5ca63ac43a145103c199776b848d1877038c995c25ff24d87e6966a4

Filesize: 893KB
MD5: 4f92cdcf9b3545d427cc9d75d5bb62e3
SHA1: 78dcfe14d712a2212aeb2f31720947bd414a50e8
SHA256: 13e028df787dc990d8b3eb48c678d09ad5de777e3752ef0032a6c31b9a7be752
SHA512: 053739750c94b3bfa6c30a8fee2fa648ec80dd311ff58bc56255101afce557c06ae0a152710127b2cb4913749f881fec80645fd5fedc2c130c7fc1d512fb14cd

Filesize: 1.9MB
MD5: 514f856967233888b92235662dee2d4a
SHA1: 73d4ff7cbd1fe1f87f4ac3dfb58c247ed197d527
SHA256: 98c879d5cffd45d3ebefbece199ef1e9f885ce1cffc5799459b4f8156d9b45ca
SHA512: dd4d2ee9068a97b3f8eeaefdd37b2557afb416e5553018e87617d889ca8f84d9bbd3ee3d599cc73121218370a22c6eeedbfd27d1fdd85b10c1798b7bf5471abe