Overview

overview

10

Static

static

3

60d52e13d4...5f.exe

windows7-x64

7

60d52e13d4...5f.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Resubmissions

16-01-2024 20:48

240116-zlfnwabcc6 3

16-01-2024 20:42

240116-zhex6sadbp 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2024 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60d52e13d49f75155b26c170f5a2ec5f.exe

  • Size

    1.5MB

  • MD5

    60d52e13d49f75155b26c170f5a2ec5f

  • SHA1

    cf6a04d46a3408780e413c3d11dbea4c11571883

  • SHA256

    3bc711bf1d32038cdcbbc7ff61228d50e05612cc33a8dcb271d6202f90ae4c6e

  • SHA512

    ceca0427a8305f4f913d5c7dcc2bc11380cbbc7e49ff97e6fd501e82c8ade94e2e67f926f66ef12ef3dd882466a577fdb3d77e9b00a9c96968795cd05d7345e6

  • SSDEEP

    24576:Eg5soYT1zAoaJ2sw5TCVUPCSHmHscNLx07XiNkvV+yhYL0xs5yDxa5/AAp93Ru6:EgboUJwJCV4CSFcNLwyNQkyhYLQL1GH1

Score
10/10
nullmixerprivateloaderriseprosmokeloaderpub6aspackv2backdoordropperevasionloaderstealertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://marisana.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\60d52e13d49f75155b26c170f5a2ec5f.exe
    "C:\Users\Admin\AppData\Local\Temp\60d52e13d49f75155b26c170f5a2ec5f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4812
      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4408
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c karotima_1.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3596
          • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\karotima_1.exe
            karotima_1.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            PID:1756
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c karotima_2.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5004
          • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\karotima_2.exe
            karotima_2.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:1036
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 396
              6⤵
              • Program crash
              PID:4948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 432
          4⤵
          • Program crash
          PID:4316
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4408 -ip 4408
    1⤵
      PID:4792
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1036 -ip 1036
      1⤵
        PID:4992

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\karotima_1.exe
        Filesize

        109KB

        MD5

        2607a8cac4451d20af94d7b70f058056

        SHA1

        dec650d9b1d155a8fac0c3817c7be247d78a8d72

        SHA256

        ac97afe7f7313c0c2a43debf281c923d15b402910ed5c879fb9c68eff443cf2b

        SHA512

        30c7c2b467e9225d2e580f86d6b9a0673f9ef733aa7b2c04f0e5ee10898b1f7b1bb99a82a98564f4a620d10a67159f7aafb5ad33bced35cf880fa1046fa0d122

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\karotima_1.txt
        Filesize

        90KB

        MD5

        adfb48b7096ce5448d960a28561b2dc3

        SHA1

        23d7a157d25b5c23f115bcb3abdcae908d87b8d8

        SHA256

        de0e49cea4349f4d973d0f8542840859db54a482090399f88a729cc68aee13dd

        SHA512

        c0b1c713591933fd7cadf875eeea8c8cc353bf408bbd5cf60f31105b7a4fe961fb6113f5669b867665116d46977ecae8ae1b185ce55aad88d57fc1fb76ff2cdb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\karotima_2.exe
        Filesize

        116KB

        MD5

        9c5bbcd3726f4d593682678a1345fbbb

        SHA1

        9ea8978710d45d94f612b44227f77707cfbc5642

        SHA256

        94e37de6383833f35f2fa12cad0961fcc2df4f4a3b9cfa45cf544aa14cba3267

        SHA512

        4ff0f7b9613431c9520db0cf9b02dc4996e97dc06933969a8b5c0f756c53e26230818addac7160ba95b8e59f8cc9ed1bc2f0576363e96fc52fbffd758ed84a7f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\karotima_2.txt
        Filesize

        51KB

        MD5

        57c09b240380a0d21604d3e97ebaa7f8

        SHA1

        2a29817fa34e49e81a86c7de093a7fe575068bfd

        SHA256

        8d024618091bf96789b1ff49f8424c13a4b3669254f48f31f4ec3f0991c0aa58

        SHA512

        81ae44ef2534e7d2c94493779f02c0e56ebbce18110df7887eca194f6e0c049a466bc49ea1fb871d2af6ba5fe574ca43ee73484cf4b43261a0068aec4b226a85

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\libcurl.dll
        Filesize

        218KB

        MD5

        d09be1f47fd6b827c81a4812b4f7296f

        SHA1

        028ae3596c0790e6d7f9f2f3c8e9591527d267f7

        SHA256

        0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

        SHA512

        857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\libcurlpp.dll
        Filesize

        54KB

        MD5

        e6e578373c2e416289a8da55f1dc5e8e

        SHA1

        b601a229b66ec3d19c2369b36216c6f6eb1c063e

        SHA256

        43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

        SHA512

        9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\libgcc_s_dw2-1.dll
        Filesize

        113KB

        MD5

        9aec524b616618b0d3d00b27b6f51da1

        SHA1

        64264300801a353db324d11738ffed876550e1d3

        SHA256

        59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

        SHA512

        0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\libgcc_s_dw2-1.dll
        Filesize

        80KB

        MD5

        ff35c36eda5e2a08a7dc441aeb01146f

        SHA1

        d1e0532e455d84faffd853daf7fa4c1256948ca6

        SHA256

        8f8d1f6561087ca7452a6fc4a6b6f4db92fcf1c587372fcb6cf8c371adcac77b

        SHA512

        32d6d4fd74fd57e2302483109e48019f8a4bdc46a9eefacb17c70248248bc077ae1b072a8878e09be7aef7b826796f1bd0878d5574f560662baaabf4a81435b3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\libstdc++-6.dll
        Filesize

        331KB

        MD5

        a970919f7b9ec08d200ee35aa432f316

        SHA1

        8110f052040299eadcbe076f7e63cb10cce78cb2

        SHA256

        6317b6799b2ffc943b2f48901d036d84549909998245de658f03bac011d7c4f6

        SHA512

        23828e1fe275b94203341175a7990ec198c17a86d6b3c43e90c085a1f60e1451aa3f54d1cf2507210443627c022b689b3f98bf5ef9cc920ba103d0134034c963

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\libstdc++-6.dll
        Filesize

        515KB

        MD5

        a5687e82ca8242640b120b731a601312

        SHA1

        d0677734387329abf164f5c2deb3494f623bd6fb

        SHA256

        6019b0d3ca07d34b5b7931e9f69fd8fa7ddbb1feea2b5c929e1b0692e0a638d0

        SHA512

        5f939955af353725542d0cb5f141dfa91140f47ad5b1c8300c5e45b277986e5dcdc90cef34ca553193d5c89f98ab2dde8279ed95f1a9893e911d2a7808303481

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\libwinpthread-1.dll
        Filesize

        69KB

        MD5

        1e0d62c34ff2e649ebc5c372065732ee

        SHA1

        fcfaa36ba456159b26140a43e80fbd7e9d9af2de

        SHA256

        509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

        SHA512

        3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\setup_install.exe
        Filesize

        225KB

        MD5

        3be2ec877b0db877ea2504204d72fa72

        SHA1

        4dc491181470dd40cb27974476b19cea7bc9e91c

        SHA256

        a49a80dbdd675913a20f149700588f87d8dd6e087c8a9fd27e138ba613f929ca

        SHA512

        2830db61bd69664d5db295ed646fcc2351772fe2ead87792332005e6b2012eaa519e027ce633ae1e40988f346fac66908ce053e083d93c23f1e37321b90dfff7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\setup_install.exe
        Filesize

        196KB

        MD5

        6334389e6858501ad6904cd35ea8ce17

        SHA1

        20bf1f074bafe717ef9e336827449d22b992584c

        SHA256

        087600115d7b488657249bba1a1379717def337e2ace766b9cfa48b510ad79bf

        SHA512

        d878e3c5353d4674e70435d03e4839c847e1990944d5df4164451566073f68e8e8163614ed79f653fc6f89c3764141744cd0323e2e474d4657d03a30682bbf85

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zSCC2B4767\setup_install.exe
        Filesize

        287KB

        MD5

        3b51df78ffa71e3932aad06f0526e1db

        SHA1

        1d21bab4761467fcaaf12c8bb237cb679e0e704d

        SHA256

        5a773cc52816f6b01c91700e47aa9e7d1dd96875c29bb37493c5185658a05f61

        SHA512

        866cf8acc56c61e9acc44e9b4194e60d3f0813a02f46a292b06d0545dc87ec3c94bca7a82c3515a98ccc4753e6e7ffc3d3c9a69b62e5434ac79a73e3aade1525

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
        Filesize

        351KB

        MD5

        fe69df390bfd5f585fd63fb1fc2b1f33

        SHA1

        527cc0f61753201055c8d1d03b5805c8c24f8784

        SHA256

        9dcb00bbafb356eac33a5bcb3d13107cc2a990b5927040a14bd46134d101efe9

        SHA512

        a87fb79c9e45e21eca2fe5da498742b0a382707a1ac75669a4279f9fa96d517e2ac281a3e7211f7213ab6cbcfbbb17f3faafb9b048c4dc8b3605938c64c83047

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        Filesize

        619KB

        MD5

        034a20609e6ec5d5f7ab66c151e9ed2f

        SHA1

        bf3d5123764c7f24afa36349ccaadd2d537d8bb5

        SHA256

        3bbd56d41fb81dbf34ad736c9bdabea9ff222f78a205a8d8bbaa1c0b4c85a215

        SHA512

        affca597030fa82be3036188efda9e2f17c71c76541acd751be5bda9ce22d454d955d29ddcc5298b73eb4b372d7a9253b4222fa1e04b265c934a772b0ce1eaf6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        Filesize

        315KB

        MD5

        a051fc0638280ff1d25bcb2bf3adf313

        SHA1

        ef998b0cf762addcfe2c7d8f54faef42f0026506

        SHA256

        572d65d64890f1498332c7d9602be69b683627dc1c59710dbf15825685cf1c69

        SHA512

        cbf38fbb788ec7248d291044829238f97029d490f18e696194d164c703feb34d479fd81d265bdf1fde2cdd3174c576877893824db7a7134895d0db58e80ed24d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        Filesize

        349KB

        MD5

        04a501179188b1f2b71ddb0dc6dd1863

        SHA1

        e553f70c681ee78b70887feeb68b2447adacfa83

        SHA256

        c1dfbcd347fe9f8245515d305b878821d15c32d9672368709493093887519e38

        SHA512

        8e4effe9c2fe3fc9ec0449b592def553a71f68888b47954d74efaa6024f9cb02ac011c7b2905f5495f48f675f68761f6300b717d3112ed2c8670d07fe4fb6c94

        Download Submit

      • C:\Users\Admin\AppData\Roaming\fwceujv
        Filesize

        238KB

        MD5

        fcd0f1b48eccb2fc312068010c8cb7d7

        SHA1

        3e0ac2b9c04d2238a37e3602e2b4d14d749b93d8

        SHA256

        8e9313037e41416a4d9af48b077cfa68457a5c716b164c6b40dfcd43b0775ea8

        SHA512

        e79e8b30567d391e02a7db111991903522cdeac3ab0216ae78d65be5294e79c6e9794fe2113976d0536c0dcecc05762d355edf3967d8c3682e4a0242b720af6b

        Download Submit

      • memory/1036-79-0x0000000000940000-0x0000000000949000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1036-83-0x0000000000400000-0x00000000008A5000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/1036-78-0x0000000000950000-0x0000000000A50000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1036-87-0x0000000000400000-0x00000000008A5000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/3420-84-0x00000000027F0000-0x0000000002805000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4408-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4408-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4408-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4408-71-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4408-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4408-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4408-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4408-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4408-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4408-52-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4408-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4408-49-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4408-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4408-75-0x000000006EB40000-0x000000006EB63000-memory.dmp

        Filesize

        140KB

        Download

      • memory/4408-72-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4408-60-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4408-63-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4408-62-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4408-64-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4408-65-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4408-61-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4408-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4408-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4408-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4408-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4408-34-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download