Analysis
max time kernel: 0s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2023 05:43

Static task: static1
Behavioral task: behavioral1
Sample: 2a7a53a25f11a4e0b70f19e1a49d5229.exe
Resource: win7-20231215-en
General
Target: 2a7a53a25f11a4e0b70f19e1a49d5229.exe
Size: 1.9MB
MD5: 2a7a53a25f11a4e0b70f19e1a49d5229
SHA1: e832b847396ad164a1d3af7745a3d68da4c5631f
SHA256: 356b0cafa50b44b352ff1f95515b81af4ef5a5269343d8c459306b8d3261a58d
SHA512: cfad611e542f36acf94b4cfb6f54daec7c42cba48c5f3b761ee09bc02bc79889da262f887592aea9e24436a489894f7211d8378cf1b038378303824166b6667e
SSDEEP: 49152:9gm6jSI2tM+C2a3EzO079E4dcjmlxcoe8TeOkw80AtNkJs8tX0SN+gSD1h:y1oe+Cr3gO+W4qmfVK3wTsNohi51h
Malware Config
- Extracted: nullmixer
  http://watira.xyz/
- Extracted: smokeloader
  pub5
- Extracted: vidar
  40
  706
  https://lenak513.tumblr.com/
  profile_id: 706
- Extracted: smokeloader
  2020
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Vidar Stealer (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2424-106-0x0000000000400000-0x0000000002CBE000-memory.dmp | family_vidar
  behavioral2/memory/2424-111-0x0000000004950000-0x00000000049ED000-memory.dmp | family_vidar
- Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\7zS89051867\libcurl.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS89051867\libcurlpp.dll | aspack_v212_v242
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (7 IoCs)
  Processes:
  pid | pid_target | process | target process
  316 | 2416 | WerFault.exe | setup_install.exe
  3436 | 2424 | WerFault.exe |
  4436 | 2424 | WerFault.exe |
  4588 | 2424 | WerFault.exe |
  396 | 2424 | WerFault.exe |
  4520 | 2424 | WerFault.exe |
  940 | 2424 | WerFault.exe |
Processes
image | command line | PID
C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe | "C:\Users\Admin\AppData\Local\Temp\2a7a53a25f11a4e0b70f19e1a49d5229.exe" | 8
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe" | 4248
C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zS89051867\setup_install.exe" | 2416
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 544 | 316 (Program crash)
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 671e9c9b76adcf6.exe | 980
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 49b456537.exe | 2232
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c e2651aae101285.exe | 3376
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c d128da868eace63.exe | 1740
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c c3fd6c993b4.exe | 2464
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 49b64a222d62322.exe | 4608
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 49f7436351.exe | 1040
C:\Users\Admin\AppData\Local\Temp\7zS89051867\49b456537.exe | 49b456537.exe | 4600
C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe | "C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe" -a | 4616
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2424 -ip 2424 | 4404
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 824 | 3436 (Program crash)
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2424 -ip 2424 | 2656
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 824 | 4436 (Program crash)
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2416 -ip 2416 | 112
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2424 -ip 2424 | 4200
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 876 | 4588 (Program crash)
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2424 -ip 2424 | 2616
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 884 | 396 (Program crash)
C:\Users\Admin\AppData\Local\Temp\7zS89051867\49f7436351.exe | 49f7436351.exe | 5048
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2424 -ip 2424 | 5008
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 992 | 4520 (Program crash)
C:\Users\Admin\AppData\Local\Temp\7zS89051867\d128da868eace63.exe | d128da868eace63.exe | 4448
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2424 -ip 2424 | 4812
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1084 | 940 (Program crash)
C:\Users\Admin\AppData\Local\Temp\7zS89051867\c3fd6c993b4.exe | c3fd6c993b4.exe | 3152
C:\Users\Admin\AppData\Local\Temp\7zS89051867\e2651aae101285.exe | e2651aae101285.exe | 1004
C:\Users\Admin\AppData\Local\Temp\7zS89051867\671e9c9b76adcf6.exe | 671e9c9b76adcf6.exe | 4888
C:\Users\Admin\AppData\Local\Temp\7zS89051867\49b64a222d62322.exe | 49b64a222d62322.exe | 2424
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | 5080
Network
MITRE ATT&CK Enterprise v15
Downloads