Overview

overview

10

Static

static

3

5b181ab9f4...b1.exe

windows7-x64

10

5b181ab9f4...b1.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-01-2024 11:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_installer.exe

  • Size

    3.0MB

  • MD5

    366e37b1124e87c837cd54b2b8227de2

  • SHA1

    fc626d56504d3f23afe3eb83522909b0e45d4b24

  • SHA256

    d15a05b695c66f6445f5f8862b336496f04609111e70f0c3387ff93d9b59648c

  • SHA512

    478416c0ee70d009ec48102e298557dc029ae9c7b83b2f73b5e29aff9643555a7e379dce94d26aaa61089158df32770afd042a585dcebce4cf748e30cd012a21

  • SSDEEP

    49152:xcBmBfXGrhtAVkVolNXA1PM5FYIDl/ekaE9i1IhZDaEwJ84vLRaBtIl9mTBoEV2:xxOrhFVolNXcS9R/eLWi1KDxCvLUBsKU

Score
10/10
nullmixersmokeloadervidar706pub6aspackv2backdoordropperevasionstealertrojanupx

Malware Config

Extracted

Family

nullmixer

C2

http://motiwa.xyz/

Extracted

Family

vidar

Version

39.4

Botnet

706

C2

https://sergeevih43.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

C2

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Nirsoft 3 IoCs
  • Vidar Stealer 3 IoCs
    stealer
  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c arnatic_5.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\arnatic_5.exe
          arnatic_5.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          PID:1860
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c arnatic_4.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3256
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c arnatic_3.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1052
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c arnatic_2.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1552
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c arnatic_1.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1420
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 544
        3⤵
        • Program crash
        PID:5016
  • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\arnatic_2.exe
    arnatic_2.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3152
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 412
      2⤵
      • Program crash
      PID:1884
  • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\arnatic_1.exe
    arnatic_1.exe
    1⤵
    • Executes dropped EXE
    PID:1864
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1060
      2⤵
      • Program crash
      PID:2908
  • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\arnatic_4.exe
    arnatic_4.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      2⤵
      • Executes dropped EXE
      PID:3376
    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:632
  • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\arnatic_3.exe
    arnatic_3.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\SysWOW64\rUNdlL32.eXe
      "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
      2⤵
        PID:1360
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 600
          3⤵
          • Program crash
          PID:2960
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2968 -ip 2968
      1⤵
        PID:4384
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1360 -ip 1360
        1⤵
          PID:4676
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1864 -ip 1864
          1⤵
            PID:1668
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3152 -ip 3152
            1⤵
              PID:4904
            • C:\Windows\servicing\TrustedInstaller.exe
              C:\Windows\servicing\TrustedInstaller.exe
              1⤵
              • Loads dropped DLL
              PID:1360

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\libcurl.dll
              Filesize

              218KB

              MD5

              d09be1f47fd6b827c81a4812b4f7296f

              SHA1

              028ae3596c0790e6d7f9f2f3c8e9591527d267f7

              SHA256

              0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

              SHA512

              857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\libcurlpp.dll
              Filesize

              54KB

              MD5

              e6e578373c2e416289a8da55f1dc5e8e

              SHA1

              b601a229b66ec3d19c2369b36216c6f6eb1c063e

              SHA256

              43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

              SHA512

              9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\libgcc_s_dw2-1.dll
              Filesize

              113KB

              MD5

              9aec524b616618b0d3d00b27b6f51da1

              SHA1

              64264300801a353db324d11738ffed876550e1d3

              SHA256

              59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

              SHA512

              0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\libstdc++-6.dll
              Filesize

              647KB

              MD5

              5e279950775baae5fea04d2cc4526bcc

              SHA1

              8aef1e10031c3629512c43dd8b0b5d9060878453

              SHA256

              97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

              SHA512

              666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\libwinpthread-1.dll
              Filesize

              69KB

              MD5

              1e0d62c34ff2e649ebc5c372065732ee

              SHA1

              fcfaa36ba456159b26140a43e80fbd7e9d9af2de

              SHA256

              509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

              SHA512

              3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zS822C1A47\setup_install.exe
              Filesize

              290KB

              MD5

              cda5b5ad65e20393f983916f30aece36

              SHA1

              484c630a3d15f5f8434237b64b507cd1884334fc

              SHA256

              7018da5ef7f6717c844f4db072ea5cda223afc9d203e02d475c12a0acbe0ddc6

              SHA512

              d7abc1b2aff79e3b0b42b0d657dff9e295568403c9153053a6474f6cdbaf8e3c9b80a866b9055d763d352c837bfac93385ed192d5179d1dd4023442b74534324

              Download Submit

            • C:\Users\Admin\AppData\Roaming\ibatvfa
              Filesize

              345KB

              MD5

              229e129cb65abb59aee47023fd4ba78b

              SHA1

              5e48301c9ddb9e5cd43609cd921156f2f704d3cf

              SHA256

              1ef9030b2f335579a0607e2eb2a4306bd3ae2070eda8a29416bc7e83e8357407

              SHA512

              ec22a9c2e6c9c8d41097ecb8bfcf5c476a15757ef7820c029646219fd2c1137088b2a0bf571f2d484ea209f79e3402f3caeddf31a91cecd107d00f865f450f8c

              Download Submit

            • memory/632-124-0x0000000000400000-0x0000000000422000-memory.dmp

              Filesize

              136KB

              Download

            • memory/632-118-0x0000000000400000-0x0000000000422000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1864-135-0x0000000000400000-0x000000000094A000-memory.dmp

              Filesize

              5.3MB

              Download

            • memory/1864-105-0x0000000002490000-0x000000000252D000-memory.dmp

              Filesize

              628KB

              Download

            • memory/1864-106-0x0000000000400000-0x000000000094A000-memory.dmp

              Filesize

              5.3MB

              Download

            • memory/1864-104-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2968-103-0x000000006FE40000-0x000000006FFC6000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2968-54-0x0000000000400000-0x000000000051E000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2968-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2968-48-0x000000006FE40000-0x000000006FFC6000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2968-47-0x000000006FE40000-0x000000006FFC6000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2968-46-0x0000000064940000-0x0000000064959000-memory.dmp

              Filesize

              100KB

              Download

            • memory/2968-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2968-96-0x000000006B440000-0x000000006B4CF000-memory.dmp

              Filesize

              572KB

              Download

            • memory/2968-99-0x000000006B280000-0x000000006B2A6000-memory.dmp

              Filesize

              152KB

              Download

            • memory/2968-28-0x0000000000400000-0x000000000051E000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2968-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

              Filesize

              152KB

              Download

            • memory/2968-53-0x0000000000400000-0x000000000051E000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2968-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

              Filesize

              572KB

              Download

            • memory/2968-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

              Filesize

              152KB

              Download

            • memory/2968-44-0x000000006B440000-0x000000006B4CF000-memory.dmp

              Filesize

              572KB

              Download

            • memory/2968-51-0x000000006B280000-0x000000006B2A6000-memory.dmp

              Filesize

              152KB

              Download

            • memory/2968-102-0x000000006EB40000-0x000000006EB63000-memory.dmp

              Filesize

              140KB

              Download

            • memory/2968-100-0x0000000064940000-0x0000000064959000-memory.dmp

              Filesize

              100KB

              Download

            • memory/2968-95-0x0000000000400000-0x000000000051E000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2968-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

              Filesize

              572KB

              Download

            • memory/2968-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

              Filesize

              572KB

              Download

            • memory/2968-55-0x0000000000400000-0x000000000051E000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2968-57-0x0000000000400000-0x000000000051E000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2968-58-0x0000000000400000-0x000000000051E000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2968-56-0x0000000000400000-0x000000000051E000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2968-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/3152-111-0x0000000000A30000-0x0000000000B30000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/3152-113-0x0000000000400000-0x00000000008F5000-memory.dmp

              Filesize

              5.0MB

              Download

            • memory/3152-112-0x0000000000940000-0x0000000000949000-memory.dmp

              Filesize

              36KB

              Download

            • memory/3152-139-0x0000000000400000-0x00000000008F5000-memory.dmp

              Filesize

              5.0MB

              Download

            • memory/3376-90-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/3388-136-0x0000000003300000-0x0000000003316000-memory.dmp

              Filesize

              88KB

              Download