Analysis
max time kernel: 0s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 09/01/2024, 18:45
Static task: static1
Behavioral task: behavioral1
Sample: e9b89f25e9e8d52c313f26e0429068d8.exe
Resource: win7-20231129-en

General
Target: e9b89f25e9e8d52c313f26e0429068d8.exe
Size: 2.6MB
MD5: e9b89f25e9e8d52c313f26e0429068d8
SHA1: 6b9509635732c7fff640d65911e5a32a01573d4a
SHA256: bc10525a0911ba2c9c472e9d7130242e9f4c2c97bb0fce53bc4b97e42f8a2b36
SHA512: a1902f04df52cfb0c0fa696beb1fcb69cf6e8eb97e223db2c13524e1057717bdad1552612abfa875e6ec74732bcf44af0d9bf75a4621a081fed7735a3302da74
SSDEEP: 49152:xcBbPkZVi7iKiF8cUvFyPOtPe3ri/lkmc6dHHpt/KyfI1KV1byEwJ84vLRaBtIly:x7ri7ixZUvFyPcPe3rlwpLfTV1tCvLUZ
Malware Config

Extracted: nullmixer
C2: http://lotzini.xyz/

Extracted: smokeloader
Botnet: pub5

Extracted: smokeloader
Version: 2020
C2:
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1832 | 1960 | rUNdlL32.eXe | 21

SmokeLoader
Modular backdoor trojan in use since 2014.
resource | yara_rule
behavioral1/files/0x0006000000014de9-54.dat | aspack_v212_v242
behavioral1/files/0x0006000000014de9-53.dat | aspack_v212_v242
behavioral1/files/0x0006000000014de9-52.dat | aspack_v212_v242
behavioral1/files/0x0006000000014b31-50.dat | aspack_v212_v242
behavioral1/files/0x0006000000014b31-49.dat | aspack_v212_v242
behavioral1/files/0x00070000000149f5-44.dat | aspack_v212_v242
behavioral1/files/0x00070000000149f5-43.dat | aspack_v212_v242
behavioral1/files/0x0007000000014abe-42.dat | aspack_v212_v242
behavioral1/files/0x0006000000014de9-36.dat | aspack_v212_v242

Executes dropped EXE (1 IoC)
pid | Process
2568 | setup_install.exe

Loads dropped DLL (8 IoCs)
pid | Process
2364 | e9b89f25e9e8d52c313f26e0429068d8.exe (3 loads)
2568 | setup_install.exe (5 loads)

Unexpected DNS network traffic destination (3 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 134.119.176.26 (3 occurrences)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
5 | ipinfo.io
7 | ipinfo.io
21 | api.db-ip.com
24 | api.db-ip.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process
2256 | 2568 | WerFault.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2364 wrote to memory of 2568 | 2364 | e9b89f25e9e8d52c313f26e0429068d8.exe | 41 (7 occurrences)
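The two network signatures above (DNS-port traffic to a server other than the configured resolvers, and lookups of ipinfo.io / api.db-ip.com) are simple enough to re-derive from flow records, which is what you need when porting them to your own telemetry. The following is an added example and not the sandbox's code: the flow records are constructed to mirror the report (flows 5/7/21/24 and three DNS-port flows to 134.119.176.26), and the resolver 10.0.0.1, the 203.0.113.x addresses and the single C2 contact in flow 30 are assumptions, since the report shows the extracted C2 list but no contact with it.

```python
"""Re-derive the DNS and IP-lookup signatures above from flow records.

Added example, not the sandbox's own code.  FLOWS is constructed to mirror
the report; the configured resolver 10.0.0.1, the 203.0.113.x addresses and
the C2 contact in flow 30 are assumptions.
"""
from collections import Counter
from urllib.parse import urlsplit

# From the Malware Config section of the report.
C2_URLS = [
    "http://lotzini.xyz/",
    "http://conceitosseg.com/upload/",
    "http://integrasidata.com/upload/",
    "http://ozentekstil.com/upload/",
    "http://finbelportal.com/upload/",
    "http://telanganadigital.com/upload/",
]
# Services named by the report's "Looks up external IP address" signature.
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.db-ip.com"}


def c2_hosts(urls):
    """Lowercase hostnames of the extracted C2 URLs (scheme, port and path dropped)."""
    return {urlsplit(u).hostname.lower() for u in urls}


# Constructed flow records: flow id, transport, destination, port, HTTP Host/SNI.
FLOWS = [
    {"flow": 1, "proto": "udp", "dst_ip": "10.0.0.1", "dst_port": 53, "host": None},
    {"flow": 2, "proto": "udp", "dst_ip": "134.119.176.26", "dst_port": 53, "host": None},
    {"flow": 3, "proto": "udp", "dst_ip": "134.119.176.26", "dst_port": 53, "host": None},
    {"flow": 4, "proto": "udp", "dst_ip": "134.119.176.26", "dst_port": 53, "host": None},
    {"flow": 5, "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 443, "host": "ipinfo.io"},
    {"flow": 7, "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 443, "host": "ipinfo.io"},
    {"flow": 21, "proto": "tcp", "dst_ip": "203.0.113.20", "dst_port": 80, "host": "api.db-ip.com"},
    {"flow": 24, "proto": "tcp", "dst_ip": "203.0.113.20", "dst_port": 80, "host": "api.db-ip.com"},
    {"flow": 30, "proto": "tcp", "dst_ip": "203.0.113.30", "dst_port": 80, "host": "conceitosseg.com"},
]


def check_flows(flows, resolvers, c2=None):
    """Return (flow id, detection) pairs for every flow that matches a rule."""
    c2 = c2_hosts(C2_URLS) if c2 is None else c2
    findings = []
    for f in flows:
        # Anything on the DNS port that is not a configured resolver: either a
        # hard-coded resolver (loaders that distrust the local DNS) or non-DNS
        # traffic parked on port 53.  Only the destination matters here.
        if f["dst_port"] == 53 and f["dst_ip"] not in resolvers:
            findings.append((f["flow"], "dns_to_unconfigured_server:" + f["dst_ip"]))
        host = (f["host"] or "").lower()
        if host in IP_LOOKUP_HOSTS:
            findings.append((f["flow"], "external_ip_lookup:" + host))
        if host in c2:
            findings.append((f["flow"], "c2_contact:" + host))
    return findings


def summarize(findings):
    """IoC count per detection name, the way the report's signature headers count them."""
    return dict(Counter(name.split(":", 1)[0] for _, name in findings))


if __name__ == "__main__":
    for flow_id, name in check_flows(FLOWS, {"10.0.0.1"}):
        print(flow_id, name)
    print(summarize(check_flows(FLOWS, {"10.0.0.1"})))
```

Matching C2 on the Host header or SNI rather than on the destination IP is deliberate: the config gives hostnames, and SmokeLoader C2 domains are re-pointed far more often than they are renamed. The resolver set is the one thing you must supply from your own environment; the DNS rule is meaningless without it.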
Processes
Depth in brackets follows the report's 1⤵/2⤵ nesting; each entry is image path | recorded command line | PID, with the signatures it triggered beneath it.

[1] C:\Users\Admin\AppData\Local\Temp\e9b89f25e9e8d52c313f26e0429068d8.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\e9b89f25e9e8d52c313f26e0429068d8.exe" | PID 2364
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\setup_install.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\setup_install.exe" | PID 2568
        - Executes dropped EXE
        - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_4.exe | cmdline: sahiba_4.exe | PID 2912
[1] C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_1.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_1.exe" -a | PID 1320
[1] C:\Windows\SysWOW64\rundll32.exe | cmdline: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main | PID 2432
[1] C:\Windows\SysWOW64\WerFault.exe | cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 408 | PID 2256
    - Program crash
[1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k SystemNetworkService | PID 1212
[1] C:\Windows\system32\rUNdlL32.eXe | cmdline: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main | PID 1832
    - Process spawned unexpected child process
[1] C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_6.exe | cmdline: sahiba_6.exe | PID 2176
[1] C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_3.exe | cmdline: sahiba_3.exe | PID 1084
[1] C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_1.exe | cmdline: sahiba_1.exe | PID 1660
[1] C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_5.exe | cmdline: sahiba_5.exe | PID 1824
[1] C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_7.exe | cmdline: sahiba_7.exe | PID 1996
[1] C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_2.exe | cmdline: sahiba_2.exe | PID 3052
[1] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c sahiba_7.exe | PID 2900
[1] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c sahiba_6.exe | PID 2896
[1] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c sahiba_5.exe | PID 2220
[1] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c sahiba_4.exe | PID 2780
[1] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c sahiba_3.exe | PID 2776
[1] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c sahiba_2.exe | PID 2532
[1] C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c sahiba_1.exe | PID 2508
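The tree above carries the evidence behind several of the signatures: rUNdlL32.eXe loading axhub.dll out of the user's Temp directory with wmiprvse.exe as its parent, the 7zSC39AFA26 directory (the naming pattern a 7-Zip SFX stub uses for its extraction directory), and cmd.exe /c wrappers around the sahiba_N.exe payloads. The following is an added example, not the sandbox's code, that re-derives those findings from process records. The event list is constructed from this section, parent images are filled in only where the report gives one (setup_install.exe under the sample, and the wmiprvse.exe parent named by the signature), and the rule lists, canonical-name table and regexes are assumptions to tune per environment.

```python
"""Re-derive the process-tree signatures from the Processes section.

Added example, not the sandbox's own code.  EVENTS is constructed from the
report; "parent" is None wherever the report records no parent.  LOLBINS,
SUSPICIOUS_PARENTS and the regexes are assumptions to tune per environment.
"""
import ntpath
import re

EVENTS = [
    {"pid": 2364, "parent": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\e9b89f25e9e8d52c313f26e0429068d8.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\e9b89f25e9e8d52c313f26e0429068d8.exe"'},
    {"pid": 2568, "parent": r"C:\Users\Admin\AppData\Local\Temp\e9b89f25e9e8d52c313f26e0429068d8.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\setup_install.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\setup_install.exe"'},
    {"pid": 2912, "parent": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_4.exe", "cmdline": "sahiba_4.exe"},
    {"pid": 2432, "parent": None, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main'},
    {"pid": 1832, "parent": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "image": r"C:\Windows\system32\rUNdlL32.eXe",
     "cmdline": r'rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main'},
    {"pid": 2256, "parent": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 408"},
    {"pid": 1212, "parent": None, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k SystemNetworkService"},
    {"pid": 2900, "parent": None, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c sahiba_7.exe"},
]

# Exact on-disk spelling of the binaries whose casing is checked.  WerFault.exe
# is legitimately mixed case, so compare against the real name, not lowercase.
CANONICAL = {"rundll32.exe": "rundll32.exe", "cmd.exe": "cmd.exe",
             "werfault.exe": "WerFault.exe", "svchost.exe": "svchost.exe"}
LOLBINS = {"rundll32.exe", "cmd.exe", "regsvr32.exe", "mshta.exe"}
# Parents with no business launching a LOLBin on a workstation; the report's
# own signature names wmiprvse.exe.  Assumption: extend for your environment.
SUSPICIOUS_PARENTS = {"wmiprvse.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SFX_RE = re.compile(r"\\Temp\\7zS[0-9A-F]+\\", re.IGNORECASE)  # 7-Zip SFX extraction dir


def first_token(cmdline):
    """Program token of a command line, quoted or bare."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def analyse(ev):
    """Names of the rules that fire for one process event, in rule order."""
    image = ntpath.basename(ev["image"])
    low = image.lower()
    parent = ntpath.basename(ev["parent"] or "").lower()
    cmd = ev["cmdline"]
    hits = []
    # 1. LOLBin started by a parent that should never start it (the report's
    #    "Process spawned unexpected child process").
    if low in LOLBINS and parent in SUSPICIOUS_PARENTS:
        hits.append("unexpected_parent")
    # 2. Odd casing of a well-known binary in the image name or the command
    #    line (rUNdlL32.eXe): a cheap evasion against case-sensitive rules.
    token = ntpath.basename(first_token(cmd))
    if any(n != CANONICAL.get(n.lower(), n) for n in (image, token)):
        hits.append("case_mismatch")
    # 3. rundll32 asked to load a DLL from the user's Temp directory.
    if low == "rundll32.exe" and TEMP_RE.search(cmd) and ".dll" in cmd.lower():
        hits.append("rundll32_temp_dll")
    # 4. Executable running from a %TEMP%\7zS<hex> directory: a 7-Zip SFX
    #    dropper unpacking its payloads, as setup_install.exe does here.
    if SFX_RE.search(ev["image"]):
        hits.append("sfx_temp_stage")
    # 5. cmd.exe /c launching a bare .exe name, resolved via the working
    #    directory rather than a full path.
    if low == "cmd.exe" and re.search(r"/c\s+[^\s\\:]+\.exe\b", cmd, re.IGNORECASE):
        hits.append("cmd_wrapper")
    return hits


def run(events=EVENTS):
    """Map PID -> fired rules for every event."""
    return {ev["pid"]: analyse(ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in run().items():
        if hits:
            print(pid, ", ".join(hits))
```

Two points worth keeping when you lift these rules into Sysmon or EDR queries: compare names case-insensitively for the match but keep the literal spelling for the case rule, and treat the parent relationship as the strongest of the five signals, since a loader cannot fake who created it without an injection step that is itself visible (the WriteProcessMemory signature above).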
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 205KB
MD5: 1fd88d32527f180f09f5843ebd181254
SHA1: 3ab8a59167b2a0d266b774b36d9b08b0628d1532
SHA256: ef6cf0a7a996c85da3e148d9bf2555ce6dbb9e44130e975ef3326954d2110d90
SHA512: 43e4305056a90d71e64b177b3d5b42fc1e084de6d2fb4bb4065a4d8227bf58c10de4958eb99ce3bfec30c011e581235d9cf4d9e87d4dd22e7b3cd07a1482fef0

Filesize: 251KB
MD5: 0d3e92f6e3d8c66214918e2477a822a7
SHA1: 010a32e54a85a3269cecc145a8f9913583247dd6
SHA256: 157051d890da354acaf52e756d55767593eb1abd8103807cd02d056d71b70025
SHA512: becccf7bdae9a69f2dda4d0b5847f8c6a8d365dce4f42a03d323c65dd9fa9110e7d4f21bb037ac1ae82903befc1e8b2ebb30c68814d5458807da43a7b4ca3e41

Filesize: 69KB
MD5: 1e0d62c34ff2e649ebc5c372065732ee
SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Filesize: 287KB
MD5: b107ead1f6283a5015291f05a95e2925
SHA1: 2ccdbe2634ac6df52d3d92c3cbf050b1eba6a039
SHA256: 9d8516a59bc0e5dc78c032ae2ab2133eaa17055e76805d036df85c9384d542e9
SHA512: d9dea1e930273896a7a87f81b9e1282064f8f620d3438d59136f59b4d7383430fc1c959184f1b4ae7d872573b97e423858ad3ec976a26bc09caeaa549ce7456a

Filesize: 180KB
MD5: c1af97f1c9acb439472f04b7d63f9a51
SHA1: 952c8a03f0308749c26d56fd44304c169d574a86
SHA256: 82553029a4fa1e1007b0fee2e00542333b8708ea23cabbea9d8111aeae3e5584
SHA512: d5bcd7e77ed4c38c41ac6a18a67b0fcef3dff2b9c6397e2248fc2023a79186bac5d50fbd95a352fc85d10a7ee260cf98decbca999cc33f7ae027e55935a223cb

Filesize: 218KB
MD5: d09be1f47fd6b827c81a4812b4f7296f
SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Filesize: 54KB
MD5: e6e578373c2e416289a8da55f1dc5e8e
SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Filesize: 113KB
MD5: 9aec524b616618b0d3d00b27b6f51da1
SHA1: 64264300801a353db324d11738ffed876550e1d3
SHA256: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512: 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Filesize: 140KB
MD5: a0136aa8229dc5215ca287e9f2564634
SHA1: a85f235aab5e432f8a6f8074a674a7f3f820e7ad
SHA256: e45b278e65d5c96d2aa1a5f767cc5229467affcdeb30da4420423460b12985b5
SHA512: 0cb6f4b3478b113c91f8acd0ae4a1d2629c0d64c22cde01db967305daf6ec10ba638f0920890c6c8e33bc34c425fef6d2311ec1f4cc0f6d56c6ba2bc8983d6b0

Filesize: 203KB
MD5: ce3d0c0ea44b1b8e1c5f63e8567b8b96
SHA1: 39bfcc1479c81c5fc6cf9b01e264de1fbf30a7cd
SHA256: c28a150f71363cdd682d040b1283c675832a9e1c4d7592b47e0aa28926bd86d1
SHA512: beae61b94b48d8d69ed409aa2f6d95a179352e35fbe542561219e78694584f5bcbf804f954d21883ddf59b4cbffc0d250925bebaeb0c4afcd826e2e882a58af9

Filesize: 126KB
MD5: 09e231bff6b964d5c116388999352075
SHA1: 9d78e701507ed783bb2c8eed9c70285731027c58
SHA256: 47aa2ed1ebc63f8e7e537f191bbff465fbd7c6c22b54de93bdd3997540c1ee1a
SHA512: 201a9a37f2dbc2f53b77ba03d2f9827c29653e1897c963591a8c6b683760db383e78dc152fe7439caa093b52983ed33951032577b3bb7a842525a82b4ea7b4ab
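The aspack_v212_v242 YARA hits in the Signatures section say the dropped files (behavioral1/files/*.dat) are ASPack-packed. Re-checking that locally needs nothing beyond the PE section table. The following is an added example, not the sandbox's code or its YARA rule: a standard-library parser for the section table with three commonly documented packer indicators (ASPack's usual .aspack/.adata section names, a section of near-random bytes, and an entry point outside the first section). The 7.0-bit entropy threshold and the indicator names are chosen here, and build_pe() produces a constructed PE32 fixture for testing rather than a real binary; run it with the downloaded file paths as arguments.

```python
"""Static packer indicators from the PE section table.

Added example, not the sandbox's code.  ASPack section names and the
entry-point heuristic are commonly documented packer indicators; the 7.0-bit
entropy threshold is a chosen value.  build_pe() is a constructed fixture.
"""
import math
import struct

ASPACK_SECTIONS = {".aspack", ".adata"}
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def _pe_offset(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def pe_sections(data):
    """Section table as dicts: name, virtual size/address, raw size/pointer."""
    pe = _pe_offset(data)
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    off = pe + 24 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, off + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                    "vaddr": vaddr, "rsize": rsize, "rptr": rptr, "chars": chars})
    return out


def entry_point(data):
    """AddressOfEntryPoint (RVA); same offset for PE32 and PE32+."""
    return struct.unpack_from("<I", data, _pe_offset(data) + 24 + 16)[0]


def entropy(buf):
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_indicators(data, entropy_threshold=7.0):
    """Indicator names that fire for a PE image; empty list for a plain build."""
    secs = pe_sections(data)
    hits = []
    if {s["name"].lower() for s in secs} & ASPACK_SECTIONS:
        hits.append("aspack_section_names")
    for s in secs:
        raw = data[s["rptr"]:s["rptr"] + s["rsize"]]
        if raw and entropy(raw) > entropy_threshold:
            hits.append("high_entropy:" + s["name"])
    ep = entry_point(data)
    for s in secs:  # packer stubs usually place the entry point in their own section
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rsize"]):
            if s is not secs[0]:
                hits.append("entry_outside_first_section:" + s["name"])
            break
    return hits


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 fixture (headers plus sections, not runnable)."""
    e_lfanew, opt_size = 0x40, 224
    hdr = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0)
    hdr += opt + b"\0" * (opt_size - len(opt))
    raw_ptr = (len(hdr) + 40 * len(sections) + 0x1FF) & ~0x1FF  # 0x200 file alignment
    table, bodies, rva = b"", b"", 0x1000
    for name, body in sections:
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), len(body), rva,
                             len(body), raw_ptr + len(bodies), 0, 0, 0, 0, 0x60000020)
        bodies += body
        rva += (len(body) + 0xFFF) & ~0xFFF
    return (hdr + table).ljust(raw_ptr, b"\0") + bodies


# Constructed samples: a plain image and an ASPack-shaped one.
PLAIN = build_pe([(".text", b"\xcc" * 256)], 0x1010)
PACKED = build_pe([(".text", b"\xcc" * 256), (".aspack", bytes(range(256)) * 4),
                   (".adata", b"\0" * 16)], 0x2010)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, packer_indicators(fh.read()))
```

Section names are the weakest of the three signals, since a packer can be told to rename them; the entry-point and entropy checks survive that, which is why all three are reported separately rather than folded into one verdict.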