Overview

overview

10

Static

static

3

5d2d3d4eae...cf.exe

windows7-x64

10

5d2d3d4eae...cf.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2024 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_installer.exe

  • Size

    1.5MB

  • MD5

    809a01f9f80afe2081251cbcce41fa48

  • SHA1

    380d9b99d017b6718ab7aa920be4daff7c834d8f

  • SHA256

    10bfb74c0beea903b2294bc99094436d5e1f8be9e421173a14d6fd0a2e32d45f

  • SHA512

    3b3f7bd7bfdc1fd26364bdb88d37d4c80d84fb50189244e8a91ddf50ebc90088053d7576c5bfd8b996c3116ebeadb3fa02e39479f06a6ca0a44d2d46620acd26

  • SSDEEP

    24576:xcVkKSKXCeomdCFDWHp/7F8264vIYiEPY/RQ5DsvLwcaBhdZIl9mT9CWWznWRWvv:xcBlCpZgu2jmEwJ84vLRaBtIl9mT9CWM

Score
10/10
nullmixerprivateloaderriseprosmokeloaderpub6aspackv2backdoordropperevasionloaderstealertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://wxkeww.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS497D3807\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c karotima_2.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\karotima_2.exe
          karotima_2.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:3572
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 396
            5⤵
            • Program crash
            PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c karotima_1.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\karotima_1.exe
          karotima_1.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          PID:1280
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 504
        3⤵
        • Program crash
        PID:4916
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1096 -ip 1096
    1⤵
      PID:4752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3572 -ip 3572
      1⤵
        PID:1444

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\karotima_1.exe
        Filesize

        64KB

        MD5

        30c503e2033b3f5faaa4170aefe2639d

        SHA1

        0dc846ef9adf0b0addcb62b3ed6e0146581f73ac

        SHA256

        586737a7e7dd058740d28ff60e5fb4aea260fbe83788e97bebd1123cfe2d1960

        SHA512

        af094095a4b5f5249de6d1497d932ac222b10d1d7e2e2c02fc034412056698b53736904b522ac3d963e104bdba32c23a4ce5d1b152fea44ad2af79114cb09710

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\karotima_1.txt
        Filesize

        191KB

        MD5

        1413d200aae128e7a1a8590dca39200d

        SHA1

        0ac703cf49cf2668a5b3d425ced5bb969ca31389

        SHA256

        1852aca1d00cd82df21b584ce75fd54dfe4bfd75093f41599c2c26aa630629ca

        SHA512

        47fc1710b357abc9a90cedb3b1139fbc61559c71bbb015398f5093853bc55189ec9c3615b0520c41dc1a38afb481eb9a47d52bd980d972a81ed20c5978284feb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\karotima_2.exe
        Filesize

        197KB

        MD5

        8b0364fc111c0ecca221078df96f0ea4

        SHA1

        2220f47d09b9568cf8f81839606ac67e6bf57e6e

        SHA256

        781dbabc4b656eef05e1645f1441d96d7f70b5276b5b56cf67dabf3a9fb966ca

        SHA512

        75725ba754a0a557bbb7d56bb617f1ca70d609b4220e356b950f97549f3277c4828e6836fb4921a2f6e2eccb140a1f36b2f356a2ed328e6ea56a9803c0e266e8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\karotima_2.txt
        Filesize

        208KB

        MD5

        b23e879a72e30496c3d7e57d19572025

        SHA1

        b27c35c4adbec04b983d711d24a9e15f124a7513

        SHA256

        8c6044a57b7d997cd31e9511e464695dff917b669d0489d015930f462be4d9a4

        SHA512

        c0f7862b7a9661ff5b03573e3907201ffd41ca20eab5e8695196ec44809e122c04d26733341052b54ace80f5203c1e6a2ec11e302ff665330787961e05c91f6c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\libcurl.dll
        Filesize

        218KB

        MD5

        d09be1f47fd6b827c81a4812b4f7296f

        SHA1

        028ae3596c0790e6d7f9f2f3c8e9591527d267f7

        SHA256

        0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

        SHA512

        857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\libcurlpp.dll
        Filesize

        54KB

        MD5

        e6e578373c2e416289a8da55f1dc5e8e

        SHA1

        b601a229b66ec3d19c2369b36216c6f6eb1c063e

        SHA256

        43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

        SHA512

        9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\libgcc_s_dw2-1.dll
        Filesize

        113KB

        MD5

        9aec524b616618b0d3d00b27b6f51da1

        SHA1

        64264300801a353db324d11738ffed876550e1d3

        SHA256

        59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

        SHA512

        0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\libstdc++-6.dll
        Filesize

        126KB

        MD5

        4c21069b791b591e9b294f16d3be0ada

        SHA1

        14ae1a438b593c5411946ad44ae4825a4f6dfa8f

        SHA256

        3dd1b6de12fb806a09dbaf8b5a7727605b09d623f3f813a2bc85b649ee40eb41

        SHA512

        67c2b730f19955e2a6809cb92e2a1ed5c244f84377ad2a5b5cc08f640e52d3c601ac06b70033c397eb30b7cf54fd7121c0a2310fbb1e8a89e044859fbfecd2ac

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\libstdc++-6.dll
        Filesize

        203KB

        MD5

        8b6509497cc4b475353f2d8880b59bf5

        SHA1

        91239ec219c28f292ebf662eab8c51b594181482

        SHA256

        c1caa7acdc961b67d131f9a22478f3b872df796d55e523b073dddce21a336543

        SHA512

        579652310ff03f6307f54d9b86c9dc809e69ae9020543dfd29a2079f67556e27d12d4d227dbee8dfe399beefb0aa0876d6a03e0170b0f3fc50a76e71d71db098

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\libwinpthread-1.dll
        Filesize

        69KB

        MD5

        1e0d62c34ff2e649ebc5c372065732ee

        SHA1

        fcfaa36ba456159b26140a43e80fbd7e9d9af2de

        SHA256

        509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

        SHA512

        3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\setup_install.exe
        Filesize

        287KB

        MD5

        893a5ef3e35ac2843dafb6d23083b268

        SHA1

        49162feb77b47fc86ca4ebb6d3d44d94ea1bd40b

        SHA256

        cd27e27f0abe2a3dc63c15c0426d7296e20207bbdc9ad1b7206281ebf21b02d9

        SHA512

        d51dc80f0d920058a3de5c41edaf53e38b31237624df6ee966898da331630d69832d607302ac55bbe092feeb617d85147df11ff04ee7b02a981a480ae365ac5f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS497D3807\setup_install.exe
        Filesize

        252KB

        MD5

        fa81edfb353c91d36e8a73c5ad7f6d4a

        SHA1

        8c149fc9efe4632323d9725f7e3111e06e75e318

        SHA256

        037f514138abd4ce8420cd2bb59d64bcea92b2a7e82dbed17d34fcadeb7bebed

        SHA512

        952ce2e976105484abb573185b8122ef0ca79715ace627f66bbd51194e35441a95f83a44cb0138efd3be140f24c1049fa2b84734026d3af4e8434288f7cc0dd0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
        Filesize

        304KB

        MD5

        2a9f785f55c48c3c83eed54fadca7638

        SHA1

        da65dd6bc13890e11cecf0cb6727d13554a43669

        SHA256

        7869f6e2811e3a29c59bd6ff75cfbf91d27c3eddc6569154f1b331e9e1da5d0e

        SHA512

        67d72e1f9e7894fdc95c3bfc4cb1165f6911bb6f730d5ffb7637030c0ef72d40eccb32b754c6ccf520d3ace561c7e52c454b5dd381fb7a7da092897ef4f53204

        Download Submit

      • C:\Users\Admin\AppData\Roaming\hbubewb
        Filesize

        228KB

        MD5

        d8f47fa4b3b38d8ee48b334ad37d82e3

        SHA1

        54e02c180d29f2463adab18f688986cba7fee4c9

        SHA256

        9fac7b2d11f5ae799e04bd5f751cec1175b11eb4888e4c322ad7ff31a28214d3

        SHA512

        ba2248784b8ca2314c77f412c3de963b3c4194f6728448331ee883bb161a16799fddc47112c40ab589a7ed76887b1a446dfbb885f4c7975e8bee4a336c355034

        Download Submit

      • memory/1096-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/1096-46-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1096-50-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1096-49-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1096-45-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1096-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1096-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1096-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1096-52-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1096-37-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1096-36-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/1096-48-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1096-33-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/1096-58-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1096-59-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1096-51-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1096-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/1096-62-0x000000006EB40000-0x000000006EB63000-memory.dmp

        Filesize

        140KB

        Download

      • memory/1096-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1096-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1096-47-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1096-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1096-22-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1096-35-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1096-38-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/1096-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3476-71-0x0000000002540000-0x0000000002555000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3572-70-0x0000000000400000-0x0000000002B7D000-memory.dmp

        Filesize

        39.5MB

        Download

      • memory/3572-65-0x0000000002D60000-0x0000000002E60000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3572-74-0x0000000000400000-0x0000000002B7D000-memory.dmp

        Filesize

        39.5MB

        Download

      • memory/3572-66-0x0000000002C90000-0x0000000002C99000-memory.dmp

        Filesize

        36KB

        Download