nullmixer | bc10525a0911ba2c9c472e9d7130242e9f4c2c97bb0fce53bc4b97e42f8a2b36

Analysis

max time kernel
0s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9b89f25e9e8d52c313f26e0429068d8.exe
Size

2.6MB
MD5

e9b89f25e9e8d52c313f26e0429068d8
SHA1

6b9509635732c7fff640d65911e5a32a01573d4a
SHA256

bc10525a0911ba2c9c472e9d7130242e9f4c2c97bb0fce53bc4b97e42f8a2b36
SHA512

a1902f04df52cfb0c0fa696beb1fcb69cf6e8eb97e223db2c13524e1057717bdad1552612abfa875e6ec74732bcf44af0d9bf75a4621a081fed7735a3302da74
SSDEEP

49152:xcBbPkZVi7iKiF8cUvFyPOtPe3ri/lkmc6dHHpt/KyfI1KV1byEwJ84vLRaBtIly:x7ri7ixZUvFyPcPe3rlwpLfTV1tCvLUZ

Score

10^/10

nullmixer smokeloader pub5 aspackv2 backdoor dropper trojan

Malware Config

Extracted

Family

nullmixer

http://lotzini.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1960	rUNdlL32.eXe	21

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000014de9-54.dat	aspack_v212_v242
behavioral1/files/0x0006000000014de9-53.dat	aspack_v212_v242
behavioral1/files/0x0006000000014de9-52.dat	aspack_v212_v242
behavioral1/files/0x0006000000014b31-50.dat	aspack_v212_v242
behavioral1/files/0x0006000000014b31-49.dat	aspack_v212_v242
behavioral1/files/0x00070000000149f5-44.dat	aspack_v212_v242
behavioral1/files/0x00070000000149f5-43.dat	aspack_v212_v242
behavioral1/files/0x0007000000014abe-42.dat	aspack_v212_v242
behavioral1/files/0x0006000000014de9-36.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2568	setup_install.exe

Loads dropped DLL 8 IoCs

pid	Process
2364	e9b89f25e9e8d52c313f26e0429068d8.exe
2364	e9b89f25e9e8d52c313f26e0429068d8.exe
2364	e9b89f25e9e8d52c313f26e0429068d8.exe
2568	setup_install.exe
2568	setup_install.exe
2568	setup_install.exe
2568	setup_install.exe
2568	setup_install.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	134.119.176.26
Destination IP	134.119.176.26
Destination IP	134.119.176.26

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
7	ipinfo.io
21	api.db-ip.com
24	api.db-ip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2256	2568	WerFault.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2568	2364	e9b89f25e9e8d52c313f26e0429068d8.exe	41
PID 2364 wrote to memory of 2568	2364	e9b89f25e9e8d52c313f26e0429068d8.exe	41
PID 2364 wrote to memory of 2568	2364	e9b89f25e9e8d52c313f26e0429068d8.exe	41
PID 2364 wrote to memory of 2568	2364	e9b89f25e9e8d52c313f26e0429068d8.exe	41
PID 2364 wrote to memory of 2568	2364	e9b89f25e9e8d52c313f26e0429068d8.exe	41
PID 2364 wrote to memory of 2568	2364	e9b89f25e9e8d52c313f26e0429068d8.exe	41
PID 2364 wrote to memory of 2568	2364	e9b89f25e9e8d52c313f26e0429068d8.exe	41

C:\Users\Admin\AppData\Local\Temp\e9b89f25e9e8d52c313f26e0429068d8.exe
"C:\Users\Admin\AppData\Local\Temp\e9b89f25e9e8d52c313f26e0429068d8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2568

C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_4.exe
sahiba_4.exe
1⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_1.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_1.exe" -a
1⤵
PID:1320

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 408
1⤵
- Program crash
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:1212

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:1832

C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_6.exe
sahiba_6.exe
1⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_3.exe
sahiba_3.exe
1⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_1.exe
sahiba_1.exe
1⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_5.exe
sahiba_5.exe
1⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_7.exe
sahiba_7.exe
1⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\sahiba_2.exe
sahiba_2.exe
1⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_7.exe
1⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_6.exe
1⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_5.exe
1⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_4.exe
1⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_3.exe
1⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_2.exe
1⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sahiba_1.exe
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\libcurl.dll

Filesize
205KB

MD5
1fd88d32527f180f09f5843ebd181254

SHA1
3ab8a59167b2a0d266b774b36d9b08b0628d1532

SHA256
ef6cf0a7a996c85da3e148d9bf2555ce6dbb9e44130e975ef3326954d2110d90

SHA512
43e4305056a90d71e64b177b3d5b42fc1e084de6d2fb4bb4065a4d8227bf58c10de4958eb99ce3bfec30c011e581235d9cf4d9e87d4dd22e7b3cd07a1482fef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\libstdc++-6.dll

Filesize
251KB

MD5
0d3e92f6e3d8c66214918e2477a822a7

SHA1
010a32e54a85a3269cecc145a8f9913583247dd6

SHA256
157051d890da354acaf52e756d55767593eb1abd8103807cd02d056d71b70025

SHA512
becccf7bdae9a69f2dda4d0b5847f8c6a8d365dce4f42a03d323c65dd9fa9110e7d4f21bb037ac1ae82903befc1e8b2ebb30c68814d5458807da43a7b4ca3e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\setup_install.exe

Filesize
287KB

MD5
b107ead1f6283a5015291f05a95e2925

SHA1
2ccdbe2634ac6df52d3d92c3cbf050b1eba6a039

SHA256
9d8516a59bc0e5dc78c032ae2ab2133eaa17055e76805d036df85c9384d542e9

SHA512
d9dea1e930273896a7a87f81b9e1282064f8f620d3438d59136f59b4d7383430fc1c959184f1b4ae7d872573b97e423858ad3ec976a26bc09caeaa549ce7456a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39AFA26\setup_install.exe

Filesize
180KB

MD5
c1af97f1c9acb439472f04b7d63f9a51

SHA1
952c8a03f0308749c26d56fd44304c169d574a86

SHA256
82553029a4fa1e1007b0fee2e00542333b8708ea23cabbea9d8111aeae3e5584

SHA512
d5bcd7e77ed4c38c41ac6a18a67b0fcef3dff2b9c6397e2248fc2023a79186bac5d50fbd95a352fc85d10a7ee260cf98decbca999cc33f7ae027e55935a223cb

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC39AFA26\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC39AFA26\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC39AFA26\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC39AFA26\libstdc++-6.dll

Filesize
140KB

MD5
a0136aa8229dc5215ca287e9f2564634

SHA1
a85f235aab5e432f8a6f8074a674a7f3f820e7ad

SHA256
e45b278e65d5c96d2aa1a5f767cc5229467affcdeb30da4420423460b12985b5

SHA512
0cb6f4b3478b113c91f8acd0ae4a1d2629c0d64c22cde01db967305daf6ec10ba638f0920890c6c8e33bc34c425fef6d2311ec1f4cc0f6d56c6ba2bc8983d6b0

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC39AFA26\setup_install.exe

Filesize
203KB

MD5
ce3d0c0ea44b1b8e1c5f63e8567b8b96

SHA1
39bfcc1479c81c5fc6cf9b01e264de1fbf30a7cd

SHA256
c28a150f71363cdd682d040b1283c675832a9e1c4d7592b47e0aa28926bd86d1

SHA512
beae61b94b48d8d69ed409aa2f6d95a179352e35fbe542561219e78694584f5bcbf804f954d21883ddf59b4cbffc0d250925bebaeb0c4afcd826e2e882a58af9

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC39AFA26\setup_install.exe

Filesize
126KB

MD5
09e231bff6b964d5c116388999352075

SHA1
9d78e701507ed783bb2c8eed9c70285731027c58

SHA256
47aa2ed1ebc63f8e7e537f191bbff465fbd7c6c22b54de93bdd3997540c1ee1a

SHA512
201a9a37f2dbc2f53b77ba03d2f9827c29653e1897c963591a8c6b683760db383e78dc152fe7439caa093b52983ed33951032577b3bb7a842525a82b4ea7b4ab

Download Submit
memory/864-155-0x0000000000DF0000-0x0000000000E3C000-memory.dmp

Filesize
304KB

Download
memory/864-154-0x0000000002270000-0x00000000022E1000-memory.dmp

Filesize
452KB

Download
memory/864-200-0x0000000002270000-0x00000000022E1000-memory.dmp

Filesize
452KB

Download
memory/864-152-0x0000000000DF0000-0x0000000000E3C000-memory.dmp

Filesize
304KB

Download
memory/1212-209-0x0000000000520000-0x0000000000591000-memory.dmp

Filesize
452KB

Download
memory/1212-206-0x0000000000520000-0x0000000000591000-memory.dmp

Filesize
452KB

Download
memory/1212-159-0x0000000000060000-0x00000000000AC000-memory.dmp

Filesize
304KB

Download
memory/1212-170-0x0000000000520000-0x0000000000591000-memory.dmp

Filesize
452KB

Download
memory/1212-162-0x0000000000520000-0x0000000000591000-memory.dmp

Filesize
452KB

Download
memory/1372-201-0x0000000003CE0000-0x0000000003CF5000-memory.dmp

Filesize
84KB

Download
memory/1824-130-0x000000001AE00000-0x000000001AE80000-memory.dmp

Filesize
512KB

Download
memory/1824-216-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-128-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-218-0x000000001AE00000-0x000000001AE80000-memory.dmp

Filesize
512KB

Download
memory/1824-322-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-115-0x0000000000890000-0x00000000008CE000-memory.dmp

Filesize
248KB

Download
memory/1824-122-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1824-127-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/1824-124-0x00000000003E0000-0x000000000040C000-memory.dmp

Filesize
176KB

Download
memory/2364-37-0x0000000002EF0000-0x000000000300E000-memory.dmp

Filesize
1.1MB

Download
memory/2364-39-0x0000000002EF0000-0x000000000300E000-memory.dmp

Filesize
1.1MB

Download
memory/2432-151-0x0000000002130000-0x0000000002231000-memory.dmp

Filesize
1.0MB

Download
memory/2432-153-0x0000000000300000-0x000000000035D000-memory.dmp

Filesize
372KB

Download
memory/2432-158-0x0000000000300000-0x000000000035D000-memory.dmp

Filesize
372KB

Download
memory/2568-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2568-74-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2568-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2568-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2568-57-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2568-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2568-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2568-70-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2568-72-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2568-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2568-73-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2568-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2568-210-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2568-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2568-46-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2568-75-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2568-215-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2568-76-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2568-67-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2568-68-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2568-214-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2568-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2568-212-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2568-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2568-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2568-207-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2568-208-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2568-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2912-129-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-114-0x0000000001100000-0x0000000001108000-memory.dmp

Filesize
32KB

Download
memory/2912-217-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-144-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/2912-243-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download
memory/3052-132-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/3052-202-0x0000000000400000-0x0000000002B6E000-memory.dmp

Filesize
39.4MB

Download
memory/3052-143-0x0000000000400000-0x0000000002B6E000-memory.dmp

Filesize
39.4MB

Download
memory/3052-131-0x0000000002C60000-0x0000000002D60000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads