Overview

overview

10

Static

static

3

7a31dc882e...d5.exe

windows7-x64

10

7a31dc882e...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2024 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a31dc882ea1b0e7a8ffebcd21059cd5.exe

  • Size

    1.9MB

  • MD5

    7a31dc882ea1b0e7a8ffebcd21059cd5

  • SHA1

    38ebd858eb6e5e540b5900c97e77a9f3ff92e421

  • SHA256

    28a96de1e3a6ac6f0105145b7155ebc1eafb9d1885d09c84b65ffd60e9b8951f

  • SHA512

    eca9ee232b660e3e8244a61e8a7b8e6e63499849cc3ab2a07941e032142ef89d46a4c7a219b32c811b36245ebb0ddda5313b475590e6f478df6ee2f7571bde6a

  • SSDEEP

    49152:xcBmEwJ84vLRaBtIl9mVzZxa8jQtrpR7Js2Q7D85Qvr5S:xECvLUBsg+8UttFJ9zQVS

Score
10/10
nullmixerprivateloadersmokeloadervidar706pub6aspackv2backdoordropperloaderstealertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://marisana.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

40

Botnet

706

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/
rc4.i32
rc4.i32

Signatures

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 5 IoCs
    stealer
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 62 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a31dc882ea1b0e7a8ffebcd21059cd5.exe
    "C:\Users\Admin\AppData\Local\Temp\7a31dc882ea1b0e7a8ffebcd21059cd5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 743bcecceb1.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\743bcecceb1.exe
          743bcecceb1.exe
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:3628
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c6e27365696.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\c6e27365696.exe
          c6e27365696.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:5040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 62b647d434837.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3812
        • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\62b647d434837.exe
          62b647d434837.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3992
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 3aeaaa7282b14785.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\3aeaaa7282b14785.exe
          3aeaaa7282b14785.exe
          4⤵
          • Executes dropped EXE
          PID:3940
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c f2b619b03.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\f2b619b03.exe
          f2b619b03.exe
          4⤵
          • Executes dropped EXE
          PID:5080
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 2f9772a9fa1a504.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3652
        • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\2f9772a9fa1a504.exe
          2f9772a9fa1a504.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3264
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 9a1258ee22.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:544
        • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\9a1258ee22.exe
          9a1258ee22.exe
          4⤵
          • Executes dropped EXE
          PID:364
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 544
        3⤵
        • Program crash
        PID:436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2632 -ip 2632
    1⤵
      PID:4408
    • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\2f9772a9fa1a504.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\2f9772a9fa1a504.exe" -a
      1⤵
      • Executes dropped EXE
      PID:3196
    • C:\Windows\system32\dwm.exe
      "dwm.exe"
      1⤵
      • Checks SCSI registry key(s)
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4284
    • C:\Windows\system32\dwm.exe
      "dwm.exe"
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1004
    • C:\Windows\system32\dwm.exe
      "dwm.exe"
      1⤵
        PID:2488
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3628 -ip 3628
        1⤵
          PID:508
        • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
          "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
          1⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:1356
        • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
          "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
          1⤵
            PID:3904

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\2f9772a9fa1a504.exe
            Filesize

            56KB

            MD5

            3263859df4866bf393d46f06f331a08f

            SHA1

            5b4665de13c9727a502f4d11afb800b075929d6c

            SHA256

            9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

            SHA512

            58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\3aeaaa7282b14785.exe
            Filesize

            631KB

            MD5

            a6b572db00b94224d6637341961654cb

            SHA1

            9f0dbcce0496fede379ce4ecbfc2aa2afbb8ee8c

            SHA256

            91ef165ad61d09dfda345f827b8ff78a18a3e40d8e12454cdb494d1555af7656

            SHA512

            39ad03d8645a3a90b770b4fe05c43c2dadfc8b80277688ec01597bc0cda6b3fafe9e158f72ebc7db4ce98605f44fe3eacda6573f9e32e01bda0ad66efc17274c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\62b647d434837.exe
            Filesize

            165KB

            MD5

            5f6f8e5a5e6ba53f8f785b575573451d

            SHA1

            97b99adefc3ecca6be60c882b563853091f586ef

            SHA256

            6f8a7657b62f79b148d6b930641ef70eb0d8bc909377439819a0db601ca1c0d8

            SHA512

            ff6491641fc985bd03421e8565b36322017da9a647015bcc399b3ca73c675749d3e22eee5e437283b22b6a05240f6bd1bf8eddc0ef3be233fd8c40fe82fead05

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\743bcecceb1.exe
            Filesize

            312KB

            MD5

            ca31229dcd5ab0f1447ce772677f5f3e

            SHA1

            656eb7349db31d657d96978e5e3a358f8a055016

            SHA256

            865a53db7342b0ddd8e0762acab2906e9cb2695eae0eb3035b58e8af5fdb248d

            SHA512

            245439c54f167b757fa9737c863ef3f99e93bf6d107d63a029d866b736f73228c69d67bcb99690b9906dc06beb08f33b36aacc483c3b61cb2f6090c806e86691

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\9a1258ee22.exe
            Filesize

            649KB

            MD5

            76ad7237cb514008311358f5bbc92b6b

            SHA1

            370aee74f6713913db081f88bfef33f8ea437410

            SHA256

            942878ae21bf55029e648ed216f40ecfd4b61e6b581cd1a2f82fdcd20feb3a10

            SHA512

            0f89a59f59c4a8d153442a90f2e4f0eb7ac153af9f65c585259729425deb73e2859c1c9d48e5505ecb7f5686136aa0171e689227fa0b940236bc1c775621602e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\c6e27365696.exe
            Filesize

            8KB

            MD5

            bf78562d81291113d7664f8b10b38019

            SHA1

            7c1e6b7a9abcf1f96eb79ffdc7ea1831ad7f7889

            SHA256

            aa18f5ee23ba9686522956203b349217aebdc2c921471db1a89d4bc16d699251

            SHA512

            c94ac906daf9ca91983c58d353984b1b84334d7fa57581b32fd029b0db582ca00ef67f5ef0a1fc0fd624aa30d220503e5f1b70617a303712b2f5886ab5672f36

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\f2b619b03.exe
            Filesize

            241KB

            MD5

            5866ab1fae31526ed81bfbdf95220190

            SHA1

            75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f

            SHA256

            9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e

            SHA512

            8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\libcurl.dll
            Filesize

            218KB

            MD5

            d09be1f47fd6b827c81a4812b4f7296f

            SHA1

            028ae3596c0790e6d7f9f2f3c8e9591527d267f7

            SHA256

            0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

            SHA512

            857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\libcurlpp.dll
            Filesize

            54KB

            MD5

            e6e578373c2e416289a8da55f1dc5e8e

            SHA1

            b601a229b66ec3d19c2369b36216c6f6eb1c063e

            SHA256

            43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

            SHA512

            9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\libgcc_s_dw2-1.dll
            Filesize

            113KB

            MD5

            9aec524b616618b0d3d00b27b6f51da1

            SHA1

            64264300801a353db324d11738ffed876550e1d3

            SHA256

            59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

            SHA512

            0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\libstdc++-6.dll
            Filesize

            647KB

            MD5

            5e279950775baae5fea04d2cc4526bcc

            SHA1

            8aef1e10031c3629512c43dd8b0b5d9060878453

            SHA256

            97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

            SHA512

            666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\libwinpthread-1.dll
            Filesize

            69KB

            MD5

            1e0d62c34ff2e649ebc5c372065732ee

            SHA1

            fcfaa36ba456159b26140a43e80fbd7e9d9af2de

            SHA256

            509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

            SHA512

            3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\setup_install.exe
            Filesize

            4.2MB

            MD5

            a002887520541f37f1b182856dd6ab7d

            SHA1

            e352c82608132fd5c09a3b33cb3386d06bc702a0

            SHA256

            b5f59efe6b0a0f207940166d338da8c9cc701b90680fda614f4d83aba011c6b8

            SHA512

            4a8d2a0010a7b8b74662227ed679aab5bca07d6fbf47895408d010d45e20fa04d1cee1d41d53179a694750a7988356fb26dd3a92279d4533756dbba80126871e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\setup_install.exe
            Filesize

            3.6MB

            MD5

            94ab6caeb3850d8002f4b6247ceaf210

            SHA1

            8d0c59a45ff3fc221d33ff83e667810d713e2f21

            SHA256

            ce799c10e408c5f5a9c90a84d804c3f4d5d64b324676a6933132827d59894163

            SHA512

            425cb2d1985174773a8f71b7dc8481b05c15f2b424ad775ef95cf75fd922b6c43b4eb10ab5cd36b70946493daad4c0625b97e5f357ed1eb9189b01655f230e4b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7zSCA16C577\setup_install.exe
            Filesize

            2.3MB

            MD5

            3cb7629310fadac11fa446285bd9cc53

            SHA1

            a7e3d4528bbce3dde330bfdacddb02a1027f7c59

            SHA256

            dea06db418eef8b2a2dbb01457b8ff8c2962ca4ef29e06d0d75c2fb65ed7ad69

            SHA512

            f600e2aff4572c6a6afdee33b44a550d5f1a8160bfe15f5c0be5e627720a73dd1b7d267f53c594d941f63edb975ca48aac475830b7a3bcf32d046ec6864c31b3

            Download Submit

          • memory/364-112-0x0000000000400000-0x00000000004A1000-memory.dmp

            Filesize

            644KB

            Download

          • memory/364-94-0x0000000000400000-0x0000000000958000-memory.dmp

            Filesize

            5.3MB

            Download

          • memory/364-93-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/364-92-0x0000000000BB0000-0x0000000000C4D000-memory.dmp

            Filesize

            628KB

            Download

          • memory/364-113-0x0000000000BB0000-0x0000000000C4D000-memory.dmp

            Filesize

            628KB

            Download

          • memory/2632-37-0x000000006FE40000-0x000000006FFC6000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/2632-96-0x0000000064940000-0x0000000064959000-memory.dmp

            Filesize

            100KB

            Download

          • memory/2632-34-0x0000000001100000-0x000000000118F000-memory.dmp

            Filesize

            572KB

            Download

          • memory/2632-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/2632-41-0x000000006B280000-0x000000006B2A6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2632-31-0x000000006B440000-0x000000006B4CF000-memory.dmp

            Filesize

            572KB

            Download

          • memory/2632-30-0x000000006B440000-0x000000006B4CF000-memory.dmp

            Filesize

            572KB

            Download

          • memory/2632-33-0x000000006B440000-0x000000006B4CF000-memory.dmp

            Filesize

            572KB

            Download

          • memory/2632-100-0x000000006FE40000-0x000000006FFC6000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/2632-98-0x000000006B440000-0x000000006B4CF000-memory.dmp

            Filesize

            572KB

            Download

          • memory/2632-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/2632-38-0x0000000064940000-0x0000000064959000-memory.dmp

            Filesize

            100KB

            Download

          • memory/2632-99-0x000000006EB40000-0x000000006EB63000-memory.dmp

            Filesize

            140KB

            Download

          • memory/2632-36-0x000000006FE40000-0x000000006FFC6000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/2632-97-0x000000006B280000-0x000000006B2A6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2632-95-0x0000000000400000-0x000000000071E000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/2632-32-0x000000006B280000-0x000000006B2A6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/2632-42-0x000000006B280000-0x000000006B2A6000-memory.dmp

            Filesize

            152KB

            Download

          • memory/3424-114-0x0000000002EE0000-0x0000000002EF6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/3628-90-0x0000000000400000-0x0000000000904000-memory.dmp

            Filesize

            5.0MB

            Download

          • memory/3628-91-0x0000000000B30000-0x0000000000C30000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/3628-89-0x00000000001C0000-0x00000000001C9000-memory.dmp

            Filesize

            36KB

            Download

          • memory/3628-115-0x0000000000400000-0x0000000000904000-memory.dmp

            Filesize

            5.0MB

            Download

          • memory/3992-82-0x00000000009A0000-0x00000000009A6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/3992-85-0x0000000000BC0000-0x0000000000BE2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3992-86-0x00000000009B0000-0x00000000009B6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/3992-102-0x00007FFEE93D0000-0x00007FFEE9E91000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3992-81-0x00007FFEE93D0000-0x00007FFEE9E91000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3992-80-0x00000000003E0000-0x0000000000410000-memory.dmp

            Filesize

            192KB

            Download

          • memory/3992-88-0x0000000000C10000-0x0000000000C20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5040-84-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5040-83-0x00007FFEE93D0000-0x00007FFEE9E91000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/5040-74-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/5040-116-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

            Filesize

            64KB

            Download