Overview

overview

10

Static

static

3

8d437876e8...66.exe

windows7-x64

10

8d437876e8...66.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2024, 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_installer.exe

  • Size

    1.5MB

  • MD5

    8d59acc208fe2bac950c8de93d64db21

  • SHA1

    f8c1928e249aa58d6c6ca59aa0620cb4592de6e9

  • SHA256

    e3dbeabb39f8e35d1c610edb4eb2bcc0b11f41d2feda8dd3f0b4a044b91b6004

  • SHA512

    afe93b0e99f63cc3e039f085b0ebbbb81dc50ccab38e47ad69e32c951f075e143fe1c832210a089db23a5130fabe2f14277d5678d02068bb6607ea31051d32f9

  • SSDEEP

    49152:xcBoCpZgu2el38OEwJ84vLRaBtIl9mT/uzxnTgMuG0V:xWZ2els9CvLUBsKG9ju

Score
10/10
nullmixerprivateloaderriseprosmokeloaderpub6aspackv2backdoordropperevasionloaderstealertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://marisana.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • ASPack v2.12-2.42 8 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS09C88467\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c karotima_2.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4520
        • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\karotima_2.exe
          karotima_2.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:4592
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 416
            5⤵
            • Program crash
            PID:3508
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c karotima_1.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4888
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 428
        3⤵
        • Program crash
        PID:3056
  • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\karotima_1.exe
    karotima_1.exe
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Executes dropped EXE
    PID:1508
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3800 -ip 3800
    1⤵
      PID:3052
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4592 -ip 4592
      1⤵
        PID:1528

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\karotima_1.exe
        Filesize

        69KB

        MD5

        46811a6831e4c8b73597f86eec55d3a9

        SHA1

        b4aabd1e01d7c34a8fceaf889b4e0c76b26f8df0

        SHA256

        981a9a6914ffac0c8bbe995de916c15f049f8806b79a4853ed434fc63daa8627

        SHA512

        c713ae20314475f6b6368e335a093c06580a1221537fac5a8eb239deff2735b52ee98e8111118c2447c52da47c0b09a23b78c7f832b8eacd558ead855bd0fcab

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\karotima_1.txt
        Filesize

        121KB

        MD5

        e9778a997be867d0c45e28db7a45165f

        SHA1

        e1598afe75b3b2c7af65b60d73830e68d1c7f910

        SHA256

        3ba0c7c8ef44b72957e93aff81aa446f5557f58978b4099297ed2615ade65231

        SHA512

        0dbde5ba681269c7bc203af1f3c2bf104f4b65350ac48f4472bdea1e03bd42dbd7283f42ccf6ef8518c1a363a0192130dcded037825357b9b2202951c3791123

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\karotima_2.exe
        Filesize

        117KB

        MD5

        f2c30eba1009a9fa2802fb0626d25012

        SHA1

        f13f4a7fad84fe5ca5314458185f3db9cc452a11

        SHA256

        ff476e8635480bdec7137d8456ab56c1c4960c8c7d979c7caea46c4c9f4fcd05

        SHA512

        77e1d0d5ab6209c1a94c1ca7ab4c9c8d9b4b600773b68e4f3ff9e11ef3f8379650386df41960dc1da94f71f9622295c3d32d11463fb58b6988ccbaef00ed86f7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\karotima_2.txt
        Filesize

        133KB

        MD5

        0fa6d652faba69fa48e25d2e3d38907d

        SHA1

        9548303a88da6d97e9a5e0f362112f11b1df902a

        SHA256

        12b0fc144ee495fbb6cdbb014745eaa0a79fbdb3ce590a7cc1070a57e2f45237

        SHA512

        0168499c78e42c3107c7f147455d0a25999e8c7ce590ecb9141061e5c85c739a304f247a170715ef21c1447cfe31fc7a07cbe0918f91f0ce891d27fa82269f48

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\libcurl.dll
        Filesize

        218KB

        MD5

        d09be1f47fd6b827c81a4812b4f7296f

        SHA1

        028ae3596c0790e6d7f9f2f3c8e9591527d267f7

        SHA256

        0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

        SHA512

        857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\libcurl.dll
        Filesize

        172KB

        MD5

        57ebe0cda7c5ba688d9a5e0dde8f6f10

        SHA1

        cd70081c65e714493fd5081c413e39b5b69f4781

        SHA256

        dbc4d593c5f6eb960127015db7b5c36c5f7b86d53c59e2f766e64ae8ec200dc3

        SHA512

        268f3778e19627b874825270001f96a08e20c7fccaa86e3bbec77e270ac0a46fce419a72da0eea93f531cf3fb524b41bcc3a09ec2957d8bd6686ad2e64c3697b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\libcurlpp.dll
        Filesize

        54KB

        MD5

        e6e578373c2e416289a8da55f1dc5e8e

        SHA1

        b601a229b66ec3d19c2369b36216c6f6eb1c063e

        SHA256

        43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

        SHA512

        9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\libgcc_s_dw2-1.dll
        Filesize

        113KB

        MD5

        9aec524b616618b0d3d00b27b6f51da1

        SHA1

        64264300801a353db324d11738ffed876550e1d3

        SHA256

        59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

        SHA512

        0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\libstdc++-6.dll
        Filesize

        227KB

        MD5

        950212cf995962afa31805e29a2c335a

        SHA1

        10f1066a6ff3057622ee6e80e4ff8e7b8e722ccc

        SHA256

        ce0cd7b669462fdd5fa346ab70f9bbd84362b76de69543797c108799972c0a63

        SHA512

        0c50c341f0ef38f8037424b2b26899d164c639c53ff7086e843440bcf65b47ad41708005c884fdc7f1b358380fa4a5a2e905a615c6f35ec7a46bbafdd69c6260

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\libstdc++-6.dll
        Filesize

        251KB

        MD5

        f434807d194473c49fcf5b4be119d425

        SHA1

        37a960442238ad32f00d1f8cf9455e5fc46b0c73

        SHA256

        4aa03089849ae3a240703932619ec139bac7db9c84c1d465e2a60c3d5105d272

        SHA512

        b61344e2c4d70dac564022d87c13fb17a1b5e3e8e0d892fdd1b2baac131caa560822f8e883132079205a91174af8b3960164c96052812e826cf7d8c38f06e661

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\libwinpthread-1.dll
        Filesize

        69KB

        MD5

        1e0d62c34ff2e649ebc5c372065732ee

        SHA1

        fcfaa36ba456159b26140a43e80fbd7e9d9af2de

        SHA256

        509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

        SHA512

        3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\setup_install.exe
        Filesize

        4KB

        MD5

        bebe3ed7d354f81a491d6ec43297eb8b

        SHA1

        791e27cfc4350cf8d1a194ea3235d405f08e1e1b

        SHA256

        46b8018592eb099012b27d56d4971acc3fbf5a70fd80216fff5f0d769fae3e56

        SHA512

        9fe3c05f6b1fee183a3207e4df5d134f1adecf06e0ca325240c5c6a6cdcb73041c5f446c2be2b5eace2cb844ed796c89bd1436a59063aab03961a80be7db59c9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\setup_install.exe
        Filesize

        254KB

        MD5

        eba6d2a8ab830c478284972f5ff5b90f

        SHA1

        b1ffaaa2b0651668fa7fe7c3053851072d8d6de7

        SHA256

        200f136623ba02381a0b2ddc0748a3a5c566bd4fef6baf902bc39b5ce4b0f86c

        SHA512

        73da075c3f89e0ca779852b45bae47180e398ee613340f9716f35c34d70238552d65a0a5224b2d558367e9e38d2e6513eee64cc640017f783a3b56f5d5bd6915

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS09C88467\setup_install.exe
        Filesize

        173KB

        MD5

        a266b94e81a2e5914366289dc93db42f

        SHA1

        a82ec52e3d4524722c9308be9acb3c31dcee10cb

        SHA256

        6e90cd9d3f52bd6f1384e0a3239c497b2595a0828651b9cc44a26e423f313b03

        SHA512

        9e3ad63009329aa6c971d7a0b9b6bbc55b42d06ee707b8b2388d2d5728160b8ea03510387e36a9c58f723bef1f1d7dc8a41434b0697cc1b3b9dc9e6872600ea2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
        Filesize

        174KB

        MD5

        cdd6b95c616d4223b5a050ec3e4a00f0

        SHA1

        e0b085b352260e7fcc2e274823da1d2e5143c2f0

        SHA256

        4cfa52f1deb10a3810c3a654b6daaee45f400c0d7ff813f980bf88a90fec2d24

        SHA512

        1d369172a2b63125cb516c60a42fc8f18118106b185bf37b98cad71db4fe9d9e5afbff3388952841f9e8d32df1d8886441a7498d0de466b928cb57f6b41a3694

        Download Submit

      • C:\Users\Admin\AppData\Roaming\tfadigv
        Filesize

        316KB

        MD5

        d5d26315089f6ac8d34c4c83186e06ee

        SHA1

        c6b7d3bc78348ed51345e0ecae4230f4b9dab60f

        SHA256

        40382600b229205c57529f73d807fa693f8ecb692c0fa6582112e4a232b4af83

        SHA512

        edb7593edfc86e4cc2be91e07d21a5af24147f26c2a4a723a1f13cd4e70d44377581e08ad2b2605a089ddb26882c834445f3577168919efdcb9c1a8d115bd539

        Download Submit

      • memory/3424-73-0x0000000001280000-0x0000000001295000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3800-60-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3800-49-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3800-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3800-52-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3800-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3800-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3800-41-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/3800-37-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/3800-53-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3800-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/3800-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3800-64-0x000000006EB40000-0x000000006EB63000-memory.dmp

        Filesize

        140KB

        Download

      • memory/3800-63-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/3800-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3800-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3800-50-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3800-39-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/3800-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3800-44-0x0000000000ED0000-0x0000000000F5F000-memory.dmp

        Filesize

        572KB

        Download

      • memory/3800-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3800-54-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3800-22-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3800-51-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3800-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3800-38-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/3800-36-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4592-67-0x0000000000630000-0x0000000000730000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4592-69-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/4592-76-0x0000000000400000-0x000000000046A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/4592-68-0x00000000005E0000-0x00000000005E9000-memory.dmp

        Filesize

        36KB

        Download