Analysis

  • max time kernel
    155s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-12-2023 05:58

General

  • Target

    2aedfa0dfb06ef02b268ec62486e6f80.exe

  • Size

    4.0MB

  • MD5

    2aedfa0dfb06ef02b268ec62486e6f80

  • SHA1

    0e998e4a93dd1fd666aece318b77d9f1756d9c17

  • SHA256

    bd175fda8c98a44237f8da7e02e48f6aaf00365bec2e7e38b7b42414bd888d95

  • SHA512

    f5db800199bed799c593b779909364727824ed22076939e10fba0bd83b8dbecf772de34e9d7c9a083cbf734a52a8056b2c38817e52890bfae2f9a5e8dff1979f

  • SSDEEP

    98304:y8DDoeOv58eCbmQKYSA/tEcDtXH0QdCbu1Vq7qd9tknkPzg:y8Poe6G0YSAzJBdCbCVqGntknE8

Malware Config

Extracted

Family

nullmixer

C2

http://watira.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Signatures

  • NullMixer

    NullMixer is a dropper that starts an infection chain delivering a wide variety of other malware families.

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI device information (e.g. disk identifier strings) is often read to detect sandbox or virtualised environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe
    "C:\Users\Admin\AppData\Local\Temp\2aedfa0dfb06ef02b268ec62486e6f80.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4960
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
              PID:4872
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue166801dd1c.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4668
            • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue166801dd1c.exe
              Tue166801dd1c.exe
              5⤵
              • Executes dropped EXE
              PID:2504
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue168468791c.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4940
            • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue168468791c.exe
              Tue168468791c.exe
              5⤵
              • Executes dropped EXE
              PID:4652
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue16dbd9f0964.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3208
            • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16dbd9f0964.exe
              Tue16dbd9f0964.exe
              5⤵
              • Executes dropped EXE
              PID:1948
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue1643024cec44eb6.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2608
            • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe
              Tue1643024cec44eb6.exe
              5⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              PID:5088
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue16fdfa6cf2ae0.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:352
            • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe
              Tue16fdfa6cf2ae0.exe
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:648
              • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe
                "C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe" -a
                6⤵
                • Executes dropped EXE
                PID:3484
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue1619562504c6402.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4568
            • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1619562504c6402.exe
              Tue1619562504c6402.exe
              5⤵
              • Executes dropped EXE
              PID:3744
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue16c3a7ed6a67.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1292
            • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16c3a7ed6a67.exe
              Tue16c3a7ed6a67.exe
              5⤵
              • Executes dropped EXE
              PID:2812
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue16b2aff6f6632f.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4968
            • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16b2aff6f6632f.exe
              Tue16b2aff6f6632f.exe
              5⤵
              • Executes dropped EXE
              PID:3560
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Tue165b45f01bf.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3888
            • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue165b45f01bf.exe
              Tue165b45f01bf.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1644
    • C:\Windows\system32\dwm.exe
      "dwm.exe"
      1⤵
      • Checks SCSI registry key(s)
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4512
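
The process tree above carries the three behaviours a detection engineer would key on: a Defender exclusion added for the very directory the dropper runs from (`Add-MpPreference -ExclusionPath`), payloads executed from the `7zS<hex>` working directory that 7-Zip self-extracting archives create under %TEMP%, and `cmd.exe /c <payload>.exe` relays spawned by a parent that itself lives in Temp. The following is an added example (mine, not tooling from the sandbox or the malware) of those rules run over process-creation events. SAMPLE_EVENTS is constructed: PIDs, images and command lines are copied from the tree, the parent PIDs of the two roots (700, 800) are made up, and one `-EncodedCommand` variant plus two benign controls are added to exercise the rules. Field names (pid, ppid, image, cmdline) and rule names are assumptions.

```python
"""Detection logic run over process-creation events modelled on the tree above.

Added example, not tooling from the sandbox or the malware authors. SAMPLE_EVENTS is
constructed: PIDs, images and command lines come from the report, the parent PIDs
of the two roots (700, 800) are made up, and an -EncodedCommand variant (pid 6000)
plus two benign controls (pids 5000, 4512) are added to exercise the rules.
"""
import base64
import re
from typing import Dict, List, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SFX = TEMP + r"\7zS8835AC58"


def _enc(ps: str) -> str:
    """Encode a one-liner the way powershell -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


SAMPLE_EVENTS: List[Dict] = [
    {"pid": 1880, "ppid": 700, "image": TEMP + r"\2aedfa0dfb06ef02b268ec62486e6f80.exe",
     "cmdline": '"' + TEMP + r'\2aedfa0dfb06ef02b268ec62486e6f80.exe"'},
    {"pid": 904, "ppid": 1880, "image": TEMP + r"\setup_installer.exe",
     "cmdline": '"' + TEMP + r'\setup_installer.exe"'},
    {"pid": 1620, "ppid": 904, "image": SFX + r"\setup_install.exe",
     "cmdline": '"' + SFX + r'\setup_install.exe"'},
    {"pid": 4960, "ppid": 1620, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none '
                r'-NonInteractive -Command Add-MpPreference -ExclusionPath "' + TEMP + '"'},
    {"pid": 4872, "ppid": 4960, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -inputformat none -outputformat none -NonInteractive '
                r'-Command Add-MpPreference -ExclusionPath "' + TEMP + '"'},
    {"pid": 4668, "ppid": 1620, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c Tue166801dd1c.exe"},
    {"pid": 2504, "ppid": 4668, "image": SFX + r"\Tue166801dd1c.exe", "cmdline": "Tue166801dd1c.exe"},
    # constructed: the same exclusion hidden behind -enc (not in the report)
    {"pid": 6000, "ppid": 1620, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc " + _enc('Add-MpPreference -ExclusionPath "' + TEMP + '"')},
    # constructed benign controls: an admin script run and the desktop window manager
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\audit.ps1"},
    {"pid": 4512, "ppid": 800, "image": r"C:\Windows\system32\dwm.exe", "cmdline": '"dwm.exe"'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# 7-Zip SFX extraction directory: %TEMP%\7zS<hex>\
SFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\7zS[0-9A-F]+\\", re.I)
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)
# cmd.exe /c <bare name>.exe and nothing else, as the dropper does for each payload
CMD_RELAY = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+([^\s\"]+\.exe)\s*$", re.I)
# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob
ENCODED = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def normalize_cmdline(cmdline: str) -> str:
    """Expand a PowerShell -EncodedCommand payload in place so the content rules see
    clear text. Anything that does not decode is returned unchanged, not dropped."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[:m.start()] + " -Command " + decoded


def analyze(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings; the relay rule also needs the parent to live in Temp."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        cmd = normalize_cmdline(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if MP_EXCLUSION.search(cmd):
            findings.append((e["pid"], "defender_exclusion_added"))
        if SFX_DIR.search(e["image"]):
            findings.append((e["pid"], "exec_from_7zip_sfx_tempdir"))
        if CMD_RELAY.search(cmd) and parent and TEMP_DIR.search(parent["image"]):
            findings.append((e["pid"], "cmd_relay_from_temp"))
    return findings


def lineage(events: List[Dict], pid: int) -> List[str]:
    """Image basenames from the outermost known ancestor down to pid, for triage output."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(pid, rule, " -> ".join(lineage(SAMPLE_EVENTS, pid)))
```

The exclusion rule fires twice for the real chain (once on the cmd.exe wrapper, once on powershell.exe) and once more for the constructed encoded variant; the benign controls produce nothing. PowerShell accepts any unambiguous prefix of a parameter name, so `-en`/`-enco` style spellings outside the list in ENCODED would need the pattern widened.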

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1619562504c6402.exe

      Filesize

      631KB

      MD5

      64be7ccaa252abfd99ecf77bc8cce4d5

      SHA1

      9a9633c3cd6b394d149982021e008da3ceb64be0

      SHA256

      d9e8d0bdac5bc0b2a4958536474496fcaaf964d135cd1fe49d1e566b6640199c

      SHA512

      392782e14a78c1c157ee2935990805b13e0db39cd7629be7c880fe05c078c36a5807fb36e70320e6997399be88e85b8c51272fa51a48863bf2ea99c669e32de2

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue1643024cec44eb6.exe

      Filesize

      262KB

      MD5

      6e40b89081774de12a74f2ac50390614

      SHA1

      c450e401fe8da4dae21c804d3c311e3ffc5ec825

      SHA256

      db0161ec8bdde73cce38b6f7047e37f59f3ac8adfe95611ec1171491f17c011d

      SHA512

      6d86256a42a8d77f17b6b09e947ff922a0edf833695b7d1de912ac1178aeb6c4b18b644f36d7d2a77c7a57c1e0bb7aca7f0a73bfe37c92c236fd1efebfd45313

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue165b45f01bf.exe

      Filesize

      8KB

      MD5

      45a47d815f2291bc7fc0112d36aaad83

      SHA1

      db1dc02b2d64c4c3db89b5df3124dd87d43059d5

      SHA256

      416e63fb614101d5644592d5f589f358f8d5a41dd6812a717cbf05470864ac6f

      SHA512

      a7d98145cf949a42ace2da725a22847ad814a28137d32b0b220430b91c89aabed7144b85f20c2fd9a1a02f5b92520bf5f0afbe8202028f9832cbc29c2a9e776e

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue166801dd1c.exe

      Filesize

      557KB

      MD5

      e8dd2c2b42ddc701b1e2c34cc1fe99b1

      SHA1

      c3751581986d6cada60747843792d286fd671657

      SHA256

      835443a1038ad5e0a4dde2451baa95b529f049362955d57daf0b5921729a4f17

      SHA512

      e179b3b4c2f24d089566630c6ee0421418fe17aa4195dc9b04f471665094ce3a4b3ed29da7b6829b7484fa3e785abd343a1cf7abc556f6f5b5403a92b16a970d

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue168468791c.exe

      Filesize

      241KB

      MD5

      5866ab1fae31526ed81bfbdf95220190

      SHA1

      75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f

      SHA256

      9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e

      SHA512

      8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16b2aff6f6632f.exe

      Filesize

      1.4MB

      MD5

      0191b0583174ce0d1d8dc75601e4d056

      SHA1

      ec3cbf979a5df64903cb7a825aa640d82075d839

      SHA256

      01d11314c2c047a01b4159aa32b9afa3f3b7e3fc3b3ea46476c85346f3887949

      SHA512

      d24f647615a63291854de256e210c6e02f12619f85e694a9027e1969d708c415cf6234a43fae9376bf5788a5f27973ccf159e89b32fc54ab313ba0d720740e70

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16c3a7ed6a67.exe

      Filesize

      152KB

      MD5

      14f5b34619838749e514ad17e69443ea

      SHA1

      98e8019077163dc3f42e48c7aba48b312cb6eef7

      SHA256

      92c43f1a70140426e05b5164d986dca73bf041dc5dae80bd47244cb695d7c0ac

      SHA512

      4889cb4a7b64fc0536b4de62d5901c526e4a570f40d7c4addeacadb83b89e4284567a3256fd59cca01dbc06a2ebcadaa7ff05fd0573632b23a0a977404d1a162

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16dbd9f0964.exe

      Filesize

      279KB

      MD5

      af23965c3e2673940b70f436bb45f766

      SHA1

      ccc8b03ea8c568f1b333458cff3f156898fc29f7

      SHA256

      e6271d738fc78602abc8916fb4742638b2b4c4205882f6db24eb361694c67503

      SHA512

      f0202e3ed32b9e69785bb50551b5143fe69298dead3c9a3d539cc6c6768f70f8263f074f912d1de5decb122bc365b7645428c0d10040f6f15a41f3a5ac0a4611

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue16fdfa6cf2ae0.exe

      Filesize

      56KB

      MD5

      c0d18a829910babf695b4fdaea21a047

      SHA1

      236a19746fe1a1063ebe077c8a0553566f92ef0f

      SHA256

      78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

      SHA512

      cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libcurl.dll

      Filesize

      218KB

      MD5

      d09be1f47fd6b827c81a4812b4f7296f

      SHA1

      028ae3596c0790e6d7f9f2f3c8e9591527d267f7

      SHA256

      0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

      SHA512

      857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libcurlpp.dll

      Filesize

      54KB

      MD5

      e6e578373c2e416289a8da55f1dc5e8e

      SHA1

      b601a229b66ec3d19c2369b36216c6f6eb1c063e

      SHA256

      43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

      SHA512

      9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libgcc_s_dw2-1.dll

      Filesize

      113KB

      MD5

      9aec524b616618b0d3d00b27b6f51da1

      SHA1

      64264300801a353db324d11738ffed876550e1d3

      SHA256

      59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

      SHA512

      0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libstdc++-6.dll

      Filesize

      647KB

      MD5

      5e279950775baae5fea04d2cc4526bcc

      SHA1

      8aef1e10031c3629512c43dd8b0b5d9060878453

      SHA256

      97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

      SHA512

      666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\libwinpthread-1.dll

      Filesize

      69KB

      MD5

      1e0d62c34ff2e649ebc5c372065732ee

      SHA1

      fcfaa36ba456159b26140a43e80fbd7e9d9af2de

      SHA256

      509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

      SHA512

      3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\setup_install.exe

      Filesize

      2.1MB

      MD5

      2de1749b1fdd76fd0e056846bf27400f

      SHA1

      4d5b5fcd89041b9f421dc73ed7c30a0095b2793d

      SHA256

      f1f6a614b3029ce49862618e880557c3736d57fabd56b55bb352dd37247773e0

      SHA512

      06fbf2a155b49de0e1203247d12337c8841b81c890da821f7dc3eb9824dab06a7f331705dd37e31265cc88ea79161aa0c3af5e0fb45c105707f35eda37953bdf

    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

      Filesize

      3.9MB

      MD5

      168c8427a56ee01d0a79504e3dcbd3b2

      SHA1

      6cddb30ed601bd45d14a0ec04be1aa6fe1fddde1

      SHA256

      962c871c4fc7f41cecd20d3dfc5bba758b1995afaf8ccd2cde99fc81d2c975cf

      SHA512

      95c952a79c2ebb4ca2ed30e213620b6feafcea10bdb785ea2274f8163f763cbb3b1ab2c084aefd044b360963ab287617896ec81a66598abce1dca79d5236fde0

    • memory/1620-64-0x0000000064940000-0x0000000064959000-memory.dmp

      Filesize

      100KB

    • memory/1620-84-0x0000000000400000-0x000000000051B000-memory.dmp

      Filesize

      1.1MB

    • memory/1620-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

      Filesize

      152KB

    • memory/1620-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

      Filesize

      1.5MB

    • memory/1620-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

      Filesize

      1.5MB

    • memory/1620-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

      Filesize

      1.5MB

    • memory/1620-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

      Filesize

      1.5MB

    • memory/1620-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

      Filesize

      572KB

    • memory/1620-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

      Filesize

      572KB

    • memory/1620-65-0x000000006B440000-0x000000006B4CF000-memory.dmp

      Filesize

      572KB

    • memory/1620-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

      Filesize

      1.5MB

    • memory/1620-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

      Filesize

      152KB

    • memory/1620-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

      Filesize

      572KB

    • memory/1620-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

      Filesize

      152KB

    • memory/1620-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

      Filesize

      572KB

    • memory/1620-87-0x000000006EB40000-0x000000006EB63000-memory.dmp

      Filesize

      140KB

    • memory/1620-88-0x000000006B280000-0x000000006B2A6000-memory.dmp

      Filesize

      152KB

    • memory/1620-106-0x0000000064940000-0x0000000064959000-memory.dmp

      Filesize

      100KB

    • memory/1620-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

      Filesize

      1.5MB

    • memory/1620-105-0x000000006B280000-0x000000006B2A6000-memory.dmp

      Filesize

      152KB

    • memory/1644-89-0x0000000000800000-0x0000000000808000-memory.dmp

      Filesize

      32KB

    • memory/1644-108-0x000000001B3B0000-0x000000001B3B2000-memory.dmp

      Filesize

      8KB

    • memory/2812-104-0x00000000008A0000-0x00000000008A6000-memory.dmp

      Filesize

      24KB

    • memory/2812-103-0x00000000002E0000-0x000000000030C000-memory.dmp

      Filesize

      176KB

    • memory/5088-107-0x00000000001C0000-0x00000000001C9000-memory.dmp

      Filesize

      36KB
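
The Downloads list above is the report's IOC table, but in this layout it is label/value pairs separated by blank lines, and the memory-dump entries encode the owning PID and address range in the file name (`memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`). The parser below, an added example that is not the sandbox's own tooling, turns the list into machine-readable rows and checks what can be checked offline: hash lengths and charset, and for memory dumps that the address range agrees with the reported Filesize. REPORT_EXCERPT is a constructed excerpt of two entries copied from the list. Two assumptions, labelled in the code: the report's KB/MB are 1024-based (0x19000 bytes is printed as 100KB, which fits), and printed sizes are rounded to the last shown digit, so a tolerance of half that digit is applied.

```python
"""Parser for the Downloads list above, producing IOC rows plus consistency checks.

Added example, not tooling from the sandbox. REPORT_EXCERPT is a constructed
excerpt (two entries copied from the list). Assumed: sizes are 1024-based and
rounded to the last printed digit.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

REPORT_EXCERPT = r"""
    • C:\Users\Admin\AppData\Local\Temp\7zS8835AC58\Tue165b45f01bf.exe

      Filesize

      8KB

      MD5

      45a47d815f2291bc7fc0112d36aaad83

      SHA1

      db1dc02b2d64c4c3db89b5df3124dd87d43059d5

      SHA256

      416e63fb614101d5644592d5f589f358f8d5a41dd6812a717cbf05470864ac6f

    • memory/1620-64-0x0000000064940000-0x0000000064959000-memory.dmp

      Filesize

      100KB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = {"Filesize", *HASH_LEN}
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumed 1024-based


@dataclass
class Entry:
    name: str
    size_text: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)
    pid: Optional[int] = None            # set only for memory-dump entries
    region_start: Optional[int] = None
    region_end: Optional[int] = None

    @property
    def region_size(self) -> Optional[int]:
        if self.region_start is None or self.region_end is None:
            return None
        return self.region_end - self.region_start


def parse_report(text: str) -> List[Entry]:
    """State machine: a bullet opens an entry, a label line makes the next
    non-blank line its value."""
    entries: List[Entry] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            e = Entry(name=line[1:].strip())
            m = MEMDUMP.match(e.name)
            if m:
                e.pid = int(m.group(1))
                e.region_start = int(m.group(3), 16)
                e.region_end = int(m.group(4), 16)
            entries.append(e)
            pending = None
        elif line in LABELS and entries:
            pending = line
        elif pending and entries:
            if pending == "Filesize":
                entries[-1].size_text = line
            else:
                entries[-1].hashes[pending] = line
            pending = None
    return entries


def parse_size(text: str) -> Tuple[float, float]:
    """Return (bytes, tolerance). '1.5MB' is taken as 1.45..1.55 MiB, '100KB' as
    99.5..100.5 KiB: the report prints rounded values (assumption)."""
    m = SIZE.match(text.replace(" ", ""))
    if not m:
        raise ValueError("unrecognised size " + repr(text))
    number, unit = m.group(1), m.group(2)
    decimals = len(number.split(".")[1]) if "." in number else 0
    step = UNIT[unit] / (10 ** decimals)
    return float(number) * UNIT[unit], step / 2


def validate(e: Entry) -> List[str]:
    """Offline checks only: hash shape, region size vs. reported size, SHA256 present."""
    problems: List[str] = []
    for algo, value in e.hashes.items():
        if len(value) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(algo + " malformed: " + value)
    if e.region_size is not None and e.size_text:
        expected, tol = parse_size(e.size_text)
        if abs(e.region_size - expected) > tol:
            problems.append("region 0x%x bytes != reported %s" % (e.region_size, e.size_text))
    if e.pid is None and "SHA256" not in e.hashes:
        problems.append("dropped file without SHA256")
    return problems


def to_rows(entries: List[Entry]) -> List[Tuple[str, Optional[int], str, str, str]]:
    """Flat rows for a CSV/IOC feed: basename, pid, sha256, md5, reported size."""
    return [(e.name.rsplit("\\", 1)[-1], e.pid, e.hashes.get("SHA256", ""),
             e.hashes.get("MD5", ""), e.size_text or "") for e in entries]


if __name__ == "__main__":
    for e in parse_report(REPORT_EXCERPT):
        print(to_rows([e])[0], validate(e) or "ok")
```

Run against the whole list above, the repeated 0x6FE40000-0x6FFC6000 regions for PID 1620 come out as one 0x186000-byte range (about 1.52 MiB, printed as 1.5MB), which is how one tells repeated dumps of the same mapping from distinct regions.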