Analysis
- max time kernel: 0s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-01-2024 09:53
- Static task: static1
General
- Target: 2ccaeaf721c1ae29a84714ee5aca4f02.exe
- Size: 5.7MB
- MD5: 2ccaeaf721c1ae29a84714ee5aca4f02
- SHA1: c6b1a42e7dcf10aa81f76e8a9ea18b1ca1fd9037
- SHA256: 088559f2192fe04ad85f83e1a3ac931f2bdbb5a88b4146154858d00c40b4b551
- SHA512: c00750ec16ac21a640f2e39952dede04bb975ae276f8a4ca30c78e6c8c2783d8eb4dabc499588b7f72c35cd16737f8abf871f48188271d8a8c6c1f740be09aa9
- SSDEEP: 98304:xmCvLUBsgU0L6mf8dNC1hmxxQwZ6xYQ2TZy+O1tkEdTBGg8VWzVw:xPLUCgUkJYxxUV25+tkJg+WzW
Malware Config
Extracted
- Family: nullmixer
- C2: http://marisana.xyz/
Extracted
- Family: vidar
- Version: 40
- Botnet: 706
- C2: https://lenak513.tumblr.com/
- Attributes: profile_id 706
Extracted
- Family: smokeloader
- Botnet: pub6
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  - http://aucmoney.com/upload/
  - http://thegymmum.com/upload/
  - http://atvcampingtrips.com/upload/
  - http://kuapakualaman.com/upload/
  - http://renatazarazua.com/upload/
  - http://nasufmutlu.com/upload/
Signatures
Detect ZGRat V1 (1 IoC)
Processes:
- behavioral2/memory/4588-102-0x00000000007B0000-0x0000000000FD6000-memory.dmp -> yara_rule family_zgrat_v1 (PID 4588 is 27ce46284501.exe in the process tree below)
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
SmokeLoader
Modular backdoor trojan in use since 2014.
Vidar Stealer (3 IoCs)
Processes (all three are memory regions of PID 4832, b001a8f56.exe):
- behavioral2/memory/4832-123-0x0000000000400000-0x000000000334B000-memory.dmp -> yara_rule family_vidar
- behavioral2/memory/4832-111-0x0000000003460000-0x00000000034FD000-memory.dmp -> yara_rule family_vidar
- behavioral2/memory/4832-137-0x0000000000400000-0x000000000334B000-memory.dmp -> yara_rule family_vidar
(untitled signature: yara_rule themida)
Processes:
- behavioral2/memory/4588-102-0x00000000007B0000-0x0000000000FD6000-memory.dmp -> yara_rule themida (the same region of PID 4588, 27ce46284501.exe, that matched family_zgrat_v1 above)
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
The Vidar C2 URL in the extracted config above, https://lenak513.tumblr.com/, is hosted on tumblr.com.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 14 -> ipinfo.io
- flow 15 -> ipinfo.io
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (3 IoCs)
Processes (each WerFault.exe instance is recorded as a child of the process it reports on, see the process tree below):
pid   pid_target  process       target process
3176  2852        WerFault.exe  setup_install.exe
3452  2276        WerFault.exe  f9a302645.exe
4572  4832        WerFault.exe  b001a8f56.exe
Amadey (6 IoCs)
yara_rule amadey_bot
Processes:
- C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\setup_install.exe -> amadey_bot
- C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\setup_install.exe -> amadey_bot
- behavioral2/memory/4832-123-0x0000000000400000-0x000000000334B000-memory.dmp -> amadey_bot (PID 4832, b001a8f56.exe; the same region also matches family_vidar)
- behavioral2/memory/2852-114-0x0000000000400000-0x0000000000C7F000-memory.dmp -> amadey_bot (PID 2852, setup_install.exe)
- C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\setup_install.exe -> amadey_bot
- behavioral2/memory/4832-137-0x0000000000400000-0x000000000334B000-memory.dmp -> amadey_bot
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs (3 IoCs)
Processes (the same three memory regions of PID 4832, b001a8f56.exe, that matched family_vidar):
- behavioral2/memory/4832-123-0x0000000000400000-0x000000000334B000-memory.dmp -> yara_rule INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
- behavioral2/memory/4832-111-0x0000000003460000-0x00000000034FD000-memory.dmp -> yara_rule INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
- behavioral2/memory/4832-137-0x0000000000400000-0x000000000334B000-memory.dmp -> yara_rule INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Processes
Indentation reflects the parent/child links the sandbox recorded; entries at the left margin have no recorded parent. setup_install.exe spawns one cmd.exe /c per dropped executable, but only 79d822fc709e78.exe (PID 1548) is linked to its cmd.exe parent; the other dropped binaries appear as roots. Each [Program crash] WerFault.exe (-u -p <pid>) is a child of the crashing process, while the -pss instances are roots. e9e6055abb695524.exe appears twice (PID 1084 without arguments, PID 4464 with -a).

PID 1052 | C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe | "C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe"
  PID 2852 | C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\setup_install.exe"
    PID 3584 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 79d822fc709e78.exe
      PID 1548 | C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\79d822fc709e78.exe | 79d822fc709e78.exe
    PID 3176 | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 588 [Program crash]
    PID 1732 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c b001a8f56.exe
    PID 1900 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 2d7080268fee447.exe
    PID 3424 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c f9a302645.exe
    PID 1920 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 3d0c613fcb2403.exe
    PID 1148 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c e9e6055abb695524.exe
    PID 3508 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 20383e5a9a4c5112.exe
    PID 4964 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 27ce46284501.exe
PID 2392 | C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\2d7080268fee447.exe | 2d7080268fee447.exe
PID 2020 | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2852 -ip 2852
PID 4464 | C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\e9e6055abb695524.exe | "C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\e9e6055abb695524.exe" -a
PID 1104 | C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\20383e5a9a4c5112.exe | 20383e5a9a4c5112.exe
PID 4588 | C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\27ce46284501.exe | 27ce46284501.exe
PID 676 | C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\3d0c613fcb2403.exe | 3d0c613fcb2403.exe
PID 2276 | C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\f9a302645.exe | f9a302645.exe
  PID 3452 | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 372 [Program crash]
PID 1084 | C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\e9e6055abb695524.exe | e9e6055abb695524.exe
PID 4832 | C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\b001a8f56.exe | b001a8f56.exe
  PID 4572 | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 1576 [Program crash]
PID 4240 | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2276 -ip 2276
PID 4852 | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4832 -ip 4832
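Added example, not part of the sandbox report: a parser for the flattened process-tree lines as the page carries them (image path, command line, depth digit, arrow glyph and PID run together). It rebuilds the parent/child links from the depth digit, resolves each WerFault.exe instance to the PID in its -p argument, and so reproduces the Program crash table above and lists the dropped executables that have no recorded parent. The sample input is a constructed subset of the page's own lines; the reading of the flags (-u instances sit under the faulting process, -pss instances are roots) is taken from the tree as recorded here, not from WER documentation.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a subset of this report's process-tree lines in the
# flattened form the page has. PIDs, paths and arguments are the page's own.
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe"C:\Users\Admin\AppData\Local\Temp\2ccaeaf721c1ae29a84714ee5aca4f02.exe"1⤵PID:1052
C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\setup_install.exe"2⤵PID:2852
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 79d822fc709e78.exe3⤵PID:3584
C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\79d822fc709e78.exe79d822fc709e78.exe4⤵PID:1548
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 5883⤵PID:3176
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c b001a8f56.exe3⤵PID:1732
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2852 -ip 28521⤵PID:2020
C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\f9a302645.exef9a302645.exe1⤵PID:2276
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 3722⤵PID:3452
C:\Users\Admin\AppData\Local\Temp\7zSC14A5A27\b001a8f56.exeb001a8f56.exe1⤵PID:4832
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 15762⤵PID:4572
"""

# Image path = first path ending in .exe; the command line is fused directly
# after it; the single digit before the arrow is the depth in the tree.
LINE_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmdline>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$"
)
# WerFault's target PID follows a standalone -p (not -pss, not -ip).
WER_TARGET_RE = re.compile(r"\s-p\s+(\d+)")


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    depth: int
    parent: Optional[int]
    children: List[int] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def parse_tree(text: str) -> Dict[int, Proc]:
    """A line at depth d is a child of the most recent line at depth d-1;
    depth-1 lines have no recorded parent."""
    procs: Dict[int, Proc] = {}
    stack: List[int] = []  # stack[i] is the current ancestor at depth i+1
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed process line: {line!r}")
        depth, pid = int(m["depth"]), int(m["pid"])
        del stack[depth - 1:]
        parent = stack[-1] if stack else None
        procs[pid] = Proc(pid, m["image"], m["cmdline"].strip(), depth, parent)
        if parent is not None:
            procs[parent].children.append(pid)
        stack.append(pid)
    return procs


def werfault_targets(procs: Dict[int, Proc]) -> List[Tuple[int, int, str, str]]:
    """(werfault_pid, target_pid, target_image, role) for every WerFault.exe.
    role is "crash-handler" for `-u -p <pid>` instances (recorded as children
    of the faulting process) and "reporting" for `-pss ... -p <pid>` ones."""
    rows = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        if p.name.lower() != "werfault.exe":
            continue
        m = WER_TARGET_RE.search(p.cmdline)
        if m is None:
            continue
        target = procs.get(int(m.group(1)))
        role = "crash-handler" if " -u " in f" {p.cmdline} " else "reporting"
        rows.append((p.pid, int(m.group(1)), target.name if target else "<not in tree>", role))
    return rows


def crashed_processes(procs: Dict[int, Proc]) -> List[Tuple[int, int, str]]:
    """The report's "Program crash" table: (pid, pid_target, target process)."""
    return [(w, t, n) for w, t, n, role in werfault_targets(procs) if role == "crash-handler"]


def unlinked_roots(procs: Dict[int, Proc], sample_pid: int) -> List[str]:
    """Dropped executables recorded at depth 1, i.e. with no link back to the
    cmd.exe /c that launched them."""
    return sorted(p.name for p in procs.values()
                  if p.parent is None and p.pid != sample_pid
                  and p.name.lower() != "werfault.exe")


def render(procs: Dict[int, Proc]) -> List[str]:
    """Indented one-line-per-process view in file order."""
    return [f"{'  ' * (p.depth - 1)}PID {p.pid} {p.name} | {p.cmdline}" for p in procs.values()]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    print("\n".join(render(tree)))
    print("crashes:", crashed_processes(tree))
    print("roots without a recorded parent:", unlinked_roots(tree, 1052))
```

Run it on the full process list by pasting the remaining lines into SAMPLE_TREE; the -ip argument of the -pss instances repeats the -p value, so the regex deliberately anchors on whitespace before -p to avoid matching -pss or -ip.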
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 381KB
  MD5: 6cba3fc79f15b2fa16466518feb8ccfd
  SHA1: 6780744b3d026db256a160e969e82fe45bf2b0fb
  SHA256: d247da9cc2437b73bd5c06a1c7269564838c6c81af3cbec25a13d9e88186f119
  SHA512: e070cf1661d4027e075b5a9fea318ad02f6935229dc3e4307913dc5a08d9a7554db29eabede38e7a9d8ac33ba1aa84aa24f7dba0275a9b920bb11368d3e7452e
- Filesize: 92KB
  MD5: 8457a6a66e87533e9deab3979c868266
  SHA1: 6b8cdda8e73323e91ad3b0181f516ca4897b23a5
  SHA256: 41f63e586bb2b67408d43ab6849fcfd1d1f7b19571eeae1d6be043c5b2fc702f
  SHA512: 00e4c39df83f6f55fa6132b98d9f09c84d2c66e1173b73d2876d1a50803d237a248e7605ab2ba23eebf5e77b9ce7604f795cfc460f0bb5f3f06334394ab4baec
- Filesize: not recorded
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the MD5, SHA1, SHA256 and SHA512 digests of zero-byte input, so this entry records a download whose response body was empty, not a payload; do not use it as an IoC.
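Added example, not from the report: a hash-based check of files against the Downloads digests above that also recognises the zero-byte digest set, so an empty file is reported as empty rather than as a payload match, and flags rows whose digests are malformed or only partly empty-input (a sign of a mis-extracted table). The IOC list is copied from this page; the scanned inputs are constructed byte strings, not files from the analysis.

```python
import hashlib
from typing import Dict, List, Optional

ALGOS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Digests copied from the Downloads section of this report; the third entry has
# no size on the page.
DOWNLOADS: List[Dict[str, Optional[str]]] = [
    {"size": "381KB",
     "md5": "6cba3fc79f15b2fa16466518feb8ccfd",
     "sha1": "6780744b3d026db256a160e969e82fe45bf2b0fb",
     "sha256": "d247da9cc2437b73bd5c06a1c7269564838c6c81af3cbec25a13d9e88186f119",
     "sha512": "e070cf1661d4027e075b5a9fea318ad02f6935229dc3e4307913dc5a08d9a7554db29eabede38e7a9d8ac33ba1aa84aa24f7dba0275a9b920bb11368d3e7452e"},
    {"size": "92KB",
     "md5": "8457a6a66e87533e9deab3979c868266",
     "sha1": "6b8cdda8e73323e91ad3b0181f516ca4897b23a5",
     "sha256": "41f63e586bb2b67408d43ab6849fcfd1d1f7b19571eeae1d6be043c5b2fc702f",
     "sha512": "00e4c39df83f6f55fa6132b98d9f09c84d2c66e1173b73d2876d1a50803d237a248e7605ab2ba23eebf5e77b9ce7604f795cfc460f0bb5f3f06334394ab4baec"},
    {"size": None,
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"},
]


def digests(data: bytes) -> Dict[str, str]:
    """All four digests of a byte string, keyed by algorithm name."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


# Digests of zero-byte input: what the sandbox records for an empty download.
EMPTY_INPUT = digests(b"")


def is_empty_input(entry: Dict[str, Optional[str]]) -> bool:
    """True when every digest in the row is the digest of zero bytes."""
    return all(entry.get(a) == EMPTY_INPUT[a] for a in ALGOS)


def consistency_problems(entry: Dict[str, Optional[str]]) -> List[str]:
    """Malformed hex or a row that mixes empty-input and real digests means the
    table was mis-extracted and the row should not be used as-is."""
    problems = []
    for a in ALGOS:
        h = entry.get(a)
        if not h or len(h) != HEX_LEN[a] or any(c not in "0123456789abcdef" for c in h):
            problems.append(f"{a}: malformed hex digest")
    empties = [a for a in ALGOS if entry.get(a) == EMPTY_INPUT[a]]
    if empties and len(empties) != len(ALGOS):
        problems.append(f"mixed row: {empties} are empty-input digests, the rest are not")
    return problems


def match(data: bytes, iocs: List[Dict[str, Optional[str]]] = DOWNLOADS) -> Optional[int]:
    """Index of the first IOC row sharing any digest with data, else None."""
    d = digests(data)
    for i, e in enumerate(iocs):
        if any(e.get(a) == d[a] for a in ALGOS):
            return i
    return None


def scan(files: Dict[str, bytes], iocs: List[Dict[str, Optional[str]]] = DOWNLOADS) -> Dict[str, Optional[dict]]:
    """Check a name -> bytes map against the IOC rows. A hit on an empty file is
    marked empty so it is not mistaken for a payload match."""
    out: Dict[str, Optional[dict]] = {}
    for name, data in files.items():
        idx = match(data, iocs)
        out[name] = None if idx is None else {"ioc": idx, "empty": len(data) == 0}
    return out


if __name__ == "__main__":
    for i, e in enumerate(DOWNLOADS):
        kind = "EMPTY BODY" if is_empty_input(e) else "content"
        print(i, e["size"] or "no size", kind, consistency_problems(e))
    # Constructed inputs, not files from the analysis:
    print(scan({"empty.bin": b"", "other.bin": b"constructed, not the sample"}))
```

To use it on a directory of carved downloads, build the name -> bytes map from the files on disk and pass it to scan; any row whose consistency_problems list is non-empty should be corrected against the sandbox before it goes into a blocklist.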