Analysis
-
max time kernel
151s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
28/02/2024, 23:18
General
-
Target
ad1ca7ff685a17765d86adb4105b7bd7.exe
-
Size
5.7MB
-
MD5
ad1ca7ff685a17765d86adb4105b7bd7
-
SHA1
96291cf1ce155f393919965359de528b2d661186
-
SHA256
3b15547e53d7254ec42974dc5a1d7b72cffd722a41114944b5606a845be7b76d
-
SHA512
6645b29c759d1fb015c1999d12f119d3f379fbabd9d643ea8da0851cf7ab680f0fa5de7dab075df0165bf16e55a2f01405794d57c5911fa68c5e068ce200d5ee
-
SSDEEP
98304:x7CvLUBsgSqm9iwNZOmcJ9sTqEQxvTNDagiE6ixeZKjG/RrkIk8lfYhlB:xALUCghwNZvWDOTBKjgd/lf2H
Malware Config
Extracted
cryptbot
lysuht78.top
morisc07.top
-
payload_url
http://damysa10.top/download.php?file=lv.exe
Extracted
smokeloader
pub6
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
vidar
40
706
https://lenak513.tumblr.com/
-
profile_id
706
Extracted
nullmixer
http://marisana.xyz/
Signatures
-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
CryptBot payload 3 IoCs
-
Detect ZGRat V1 3 IoCs
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Vidar Stealer 3 IoCs
-
ASPack v2.12-2.42 3 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 26 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad1ca7ff685a17765d86adb4105b7bd7.exe"C:\Users\Admin\AppData\Local\Temp\ad1ca7ff685a17765d86adb4105b7bd7.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun236aabe3fc741.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\Sun236aabe3fc741.exeSun236aabe3fc741.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun23678302d9cc50b1.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\Sun23678302d9cc50b1.exeSun23678302d9cc50b1.exe4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 6125⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 6965⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 7245⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 7085⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 13485⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 12125⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun232280136fb70b5f.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\Sun232280136fb70b5f.exeSun232280136fb70b5f.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun23f281f9641a0538.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\Sun23f281f9641a0538.exeSun23f281f9641a0538.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun232020b2df9f.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\Sun232020b2df9f.exeSun232020b2df9f.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 8325⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun23e42c6c4f807.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\Sun23e42c6c4f807.exeSun23e42c6c4f807.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun23ccd14b1f.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\Sun23ccd14b1f.exeSun23ccd14b1f.exe4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun235f9cc50c9.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\Sun235f9cc50c9.exeSun235f9cc50c9.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\Sun235f9cc50c9.exe"C:\Users\Admin\AppData\Local\Temp\7zS882C5AC7\Sun235f9cc50c9.exe" -a5⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 5643⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1080 -ip 10801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3324 -ip 33241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3744 -ip 37441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3324 -ip 33241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3324 -ip 33241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3324 -ip 33241⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3324 -ip 33241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3324 -ip 33241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3324 -ip 33241⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3324 -ip 33241⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3324 -ip 33241⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
545KB
MD5b263646fc9dfbff2558bb5e330b48e61
SHA1c1cd91f487a98c7922679a04a33d3630b3db47a5
SHA2560708a945dbedae8edabae345919dd47efb76fb5ece0d6e982d3b54619a343383
SHA5126aa67d81a8ac7e4daccfec4210bb80580c36925411483aea5177b7597c80f2478a3b9b8d6282ea391b60a1ed36d5b323d7b9b7f4b7bd9357b44814e587b4719f
-
Filesize
134KB
MD5483880ba80a2fc0cfc0103c897543b44
SHA1d9ee01bed102c1ce69332c9fdc49ac309ae6e713
SHA2561f6609769e5cbce42924022eb8dbf76c2dde57b41565fa81beb89ca004021b05
SHA5121aa9c896a41ab5ae72682253359e404980062c575bf0d0be7cc878383d0e9f52e6ed6e5dc39852ac3dc4f59653ad95b07953f7fe14d224ae9157e4419145a919
-
Filesize
56KB
MD53263859df4866bf393d46f06f331a08f
SHA15b4665de13c9727a502f4d11afb800b075929d6c
SHA2569dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
SHA51258205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6
-
Filesize
558KB
MD5110b3f8d1cebc76a3c0170cbe218fc38
SHA1f05973114d0f3d7918f70c003ce48b476d9aa1a9
SHA2562cb645cb092bfd2dc3847c07e85a6d3129f3fb680f656a850e53bc3ddb571540
SHA512fbffe2ccbedece36856fb7a7323d987fb79f257f92ec734a322af9da6909a3b7aeaf2714fedcdafb2bea53fd4cc0593c9733b73ca2470c5f88d7a0b96e026e70
-
Filesize
631KB
MD594f06bfbb349287c89ccc92ac575123f
SHA134e36e640492423d55b80bd5ac3ddb77b6b9e87c
SHA256d05cb3a734aaa9d090be20fbaeddf8069a829fa78c44dd8378a2350c1510e1fc
SHA512c8a5362f9a35737ac04b6e0c48371aa60e64adf1157e16191691ac4dccb8dbaac261b516ebb89fc84ba741616ea1ca888a4a180ef2cf89ca04ebdc7768ea0fbb
-
Filesize
178KB
MD55047ea0e0f5d4514de21dd313e18a1f2
SHA1381b35ebb965ae1207eb07316d39d3900697386f
SHA25696821702d11d1809f17217bd7444f56a402d4e95c5fdae3aaf5bbda05ae1f70d
SHA512aadefcd1530d5a5ffbaf383333497f8ac9ea511befed3c008b2706a9acb04c73633c4a6a5611e154a3d27ccd3d5fd0a7539a67f5aaafbb09afeeffe569badde1
-
Filesize
241KB
MD55866ab1fae31526ed81bfbdf95220190
SHA175a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
SHA2569e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
SHA5128d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5
-
Filesize
4.5MB
MD5dff0d8276a2098e3c01ec63c166bf933
SHA1cde921ef5852519fc299440be121bfaea9c7ddf0
SHA256b6f6e4cfebeb92be2a843b938437b34bb0575c0a3d79da16923c3d47493e3a5b
SHA512c5a1548d29052a862c338e457d462b8e2d7c430aa2ce604579346c6ac32fc8034f82c3100bff18596776775a741a602c6a30a0804a1df31126bffa01c9d8f730
-
Filesize
832KB
MD5da90909f770bf3d10658098b3b407a1c
SHA15b2d1e19486daccc5d61cbe9ce57497c2d90318c
SHA256b7f7372dbddeae2a82be06b909c7ab94787bf1445d99047e34b3060d0894b656
SHA5129887a73901f798fb9f3b6a0d8ebaefdf2c8385b759059bddf57343338b0cc5a4c83b6a1983d00a5802906da9c35fe3c73cef84c78fe34b9600d806008c5508be
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
2.1MB
MD56855292af7971bb50c0957fe13b68915
SHA124527b127a43f9486279f7c384f202fbd60cfbd9
SHA2569e7032a840e8776802cf7c5c1af58810afdb5ab53bdc9e91142248620087e0cc
SHA512d92c0da0b4438c257c61eb372d7362b450d68ed46545e18f8f18def12a477401fe6be58448ab818048f18317d629c8931f740cbccfbb69aa4d945f918569a447
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
140KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
960KB
-
Filesize
6.1MB
-
Filesize
960KB
-
Filesize
1.0MB
-
Filesize
6.4MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
6.4MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
72KB
-
Filesize
960KB
-
Filesize
240KB
-
Filesize
8KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
304KB
-
Filesize
960KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
10.8MB
-
Filesize
160KB
-
Filesize
88KB
-
Filesize
41.1MB
-
Filesize
640KB
-
Filesize
1024KB
-
Filesize
640KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
628KB
-
Filesize
628KB
-
Filesize
41.1MB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
40.7MB
-
Filesize
40.7MB