Analysis

  • max time kernel: 0s
  • max time network: 148s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231222-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 31-12-2023 05:43

General

  • Target: 2a7a53a25f11a4e0b70f19e1a49d5229.exe
  • Size: 1.9MB
  • MD5: 2a7a53a25f11a4e0b70f19e1a49d5229
  • SHA1: e832b847396ad164a1d3af7745a3d68da4c5631f
  • SHA256: 356b0cafa50b44b352ff1f95515b81af4ef5a5269343d8c459306b8d3261a58d
  • SHA512: cfad611e542f36acf94b4cfb6f54daec7c42cba48c5f3b761ee09bc02bc79889da262f887592aea9e24436a489894f7211d8378cf1b038378303824166b6667e
  • SSDEEP: 49152:9gm6jSI2tM+C2a3EzO079E4dcjmlxcoe8TeOkw80AtNkJs8tX0SN+gSD1h:y1oe+Cr3gO+W4qmfVK3wTsNohi51h

Malware Config

Extracted

  • Family: nullmixer
  • C2: http://watira.xyz/

Extracted

  • Family: smokeloader
  • Botnet: pub5

Extracted

  • Family: vidar
  • Version: 40
  • Botnet: 706
  • C2: https://lenak513.tumblr.com/
  • Attributes
      • profile_id: 706

Extracted

  • Family: smokeloader
  • Version: 2020
  • C2:
      • http://aucmoney.com/upload/
      • http://thegymmum.com/upload/
      • http://atvcampingtrips.com/upload/
      • http://kuapakualaman.com/upload/
      • http://renatazarazua.com/upload/
      • http://nasufmutlu.com/upload/
  • rc4.i32
  • rc4.i32

Signatures

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer (2 IoCs)

  • ASPack v2.12-2.42 (2 IoCs)

    Detects executables packed with ASPack v2.12-2.42

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe
    "C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe"
    PID: 8
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        PID: 4248
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe"
    PID: 2416
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 544
        Program crash
        PID: 316
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 671e9c9b76adcf6.exe
        PID: 980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 49b456537.exe
        PID: 2232
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c e2651aae101285.exe
        PID: 3376
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c d128da868eace63.exe
        PID: 1740
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c3fd6c993b4.exe
        PID: 2464
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 49b64a222d62322.exe
        PID: 4608
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 49f7436351.exe
        PID: 1040
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\49b456537.exe
    49b456537.exe
    PID: 4600
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe" -a
    PID: 4616
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2424 -ip 2424
    PID: 4404
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 824
    Program crash
    PID: 3436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2424 -ip 2424
    PID: 2656
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 824
    Program crash
    PID: 4436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2416 -ip 2416
    PID: 112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2424 -ip 2424
    PID: 4200
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 876
    Program crash
    PID: 4588
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2424 -ip 2424
    PID: 2616
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 884
    Program crash
    PID: 396
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\49f7436351.exe
    49f7436351.exe
    PID: 5048
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2424 -ip 2424
    PID: 5008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 992
    Program crash
    PID: 4520
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\d128da868eace63.exe
    d128da868eace63.exe
    PID: 4448
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2424 -ip 2424
    PID: 4812
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1084
    Program crash
    PID: 940
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\c3fd6c993b4.exe
    c3fd6c993b4.exe
    PID: 3152
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe
    e2651aae101285.exe
    PID: 1004
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\671e9c9b76adcf6.exe
    671e9c9b76adcf6.exe
    PID: 4888
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\49b64a222d62322.exe
    49b64a222d62322.exe
    PID: 2424
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    PID: 5080


Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\libcurl.dll (92KB)
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\libcurlpp.dll (54KB)
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\libwinpthread-1.dll (69KB)
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe (64KB)
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe (149KB)
  • C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe (1.3MB)
  • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (93KB)
  • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (size not recorded)
