Overview

overview

10

Static

static

3

e6ea98b046...1).exe

windows10-2004-x64

10

e6ea98b046...1).exe

windows7-x64

10

e6ea98b046...1).exe

windows10-1703-x64

10

e6ea98b046...1).exe

windows10-2004-x64

10

e6ea98b046...1).exe

windows11-21h2-x64

10

setup_installer.exe

windows10-1703-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-1703-x64

10

setup_installer.exe

windows10-2004-x64

10

setup_installer.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1214s
  • max time network
    1202s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-03-2024 21:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779 (copy 1).exe

  • Size

    1.5MB

  • MD5

    269d7e74e4b21a2fc0e66907c77fc0bc

  • SHA1

    fc09525a2f93bf089d0b02c5220e7ee452e64747

  • SHA256

    e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779

  • SHA512

    e0a257ed553383a06267c124b8d72215d6f155ae02ab6d327258c621835957c39e5567c012777fa80f087e578b9a2e1519ead076948b79b1145103826db4bdd0

  • SSDEEP

    24576:Eg5ks+W8y6AFZexyuCkfHGFV01gUSvriQMbOyK2jYR2J11RaLNBDj:EgrHa0ZAhIVQFSv2LtwRG11R+F

Score
10/10
nullmixerprivateloaderriseprosmokeloaderpub6aspackv2backdoordropperevasionloaderspywarestealertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://wxkeww.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779 (copy 1).exe
    "C:\Users\Admin\AppData\Local\Temp\e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779 (copy 1).exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4160
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3612
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c karotima_1.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4392
          • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\karotima_1.exe
            karotima_1.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            PID:4228
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c karotima_2.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2244
          • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\karotima_2.exe
            karotima_2.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:2424
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 500
          4⤵
          • Program crash
          PID:1468
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3612 -ip 3612
    1⤵
      PID:4956
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1496
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:5076
        • C:\Users\Admin\AppData\Roaming\cadvwfb
          C:\Users\Admin\AppData\Roaming\cadvwfb
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:4564

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\karotima_1.exe
          Filesize

          264KB

          MD5

          e8f08290fd3050de98353ede4caf1b2e

          SHA1

          667ca5b0dd0d6e1f84960deb4c039e3e0fd1de43

          SHA256

          31ff975b3fd3d0d41825b70c4c36d497e9f167c23644f810eb1bf2323ffc8d08

          SHA512

          59ffc29e550154ed77b00a29717ba6c6337ef91af16de364815d5f68b3847811835362c9fa95b4cd19356d4729af68de3ca8cccafa96d2d1092e0f57f0d6efbf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\karotima_1.txt
          Filesize

          457KB

          MD5

          4ede37ad1e7f4f1b8ce14056e851b59e

          SHA1

          cb3c62c70b924cd4f802264e3d08789f82f59bdf

          SHA256

          cfe0d0fd3d642ecd5b355fd44ced00660667ebd431bc44c5ee40a1b3b1a150f1

          SHA512

          078642ca94f645e5e298a4e8e25801ed8b10bc12e0fa8f4c8ddc81d10d32f36d679005aaab3b93363513bf3a7a523b1c72a72e9288e582b69225a98c48f362ef

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\karotima_2.exe
          Filesize

          154KB

          MD5

          c1aa3f100d6a2f5b802301ac8beae8f1

          SHA1

          1b04854975b51525fbc5ec47a3554ed757f27e4d

          SHA256

          226f8810708124e701538bb24660452a0fb2e700d0400ff3fc555dc0c8e0b8a3

          SHA512

          69bad7b5855e3410d5c936b05c5f745c76b8106e8c7a2dc1f84c7e4c45bcbad812cd22145ecbc754b53a9538a2df72821fa52356b3446f49e53e190525a518b4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\karotima_2.txt
          Filesize

          222KB

          MD5

          80e74cf9f38c5712c6c2432a509c8bc7

          SHA1

          62ccdca04b3685728ce7f1a785cc01f3a3f3b3dc

          SHA256

          9ff44c4da853cdbe606d2cfe4d04b410c3ae603acf0f1d3f75195b6236e0e123

          SHA512

          d602cd95ad38cacae41b4848e72ac54ad81d287e1c825d68a088009512b14b5290a5a6c3032ebb2c91fecb5f743d519e92f1ccb27f5fe2841094a693d2b8de49

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\libcurl.dll
          Filesize

          218KB

          MD5

          d09be1f47fd6b827c81a4812b4f7296f

          SHA1

          028ae3596c0790e6d7f9f2f3c8e9591527d267f7

          SHA256

          0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

          SHA512

          857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\libcurlpp.dll
          Filesize

          54KB

          MD5

          e6e578373c2e416289a8da55f1dc5e8e

          SHA1

          b601a229b66ec3d19c2369b36216c6f6eb1c063e

          SHA256

          43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

          SHA512

          9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\libgcc_s_dw2-1.dll
          Filesize

          113KB

          MD5

          9aec524b616618b0d3d00b27b6f51da1

          SHA1

          64264300801a353db324d11738ffed876550e1d3

          SHA256

          59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

          SHA512

          0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\libstdc++-6.dll
          Filesize

          647KB

          MD5

          5e279950775baae5fea04d2cc4526bcc

          SHA1

          8aef1e10031c3629512c43dd8b0b5d9060878453

          SHA256

          97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

          SHA512

          666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\libwinpthread-1.dll
          Filesize

          69KB

          MD5

          1e0d62c34ff2e649ebc5c372065732ee

          SHA1

          fcfaa36ba456159b26140a43e80fbd7e9d9af2de

          SHA256

          509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

          SHA512

          3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7zSC64C9AD8\setup_install.exe
          Filesize

          290KB

          MD5

          118f130d93db3be4452ad8a0751509df

          SHA1

          4cac4b964784aadc7e6f41c21b854c668dca6981

          SHA256

          f7dec887c3345567ce86ce60cc8841a6a54eda35049811049debd1c5451656f4

          SHA512

          ec263d9cfc0a0324f8f79f6f6703f507d06f454cbc9964595a00d9606aae86c34920c8a10ef3d4413aceb85e33d731634200c0e7ee099b8a35baf8e69f46234f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
          Filesize

          1.3MB

          MD5

          628bf6370e602d27aecae8efc3abfef4

          SHA1

          15c4706a87e6b5188705e91de11ac6a4f0f3e7a0

          SHA256

          70deff442abb4680afbe6d36cc37c5a953ab5f62122154949669da23fdb6452e

          SHA512

          dce034b383d01e2174f9ca3e7a896db7757f18844da3df2998be8d78181aab358eb8475a632d49026e27bd5a844ec858a1522d9269c9ed71091a18b44598ee4b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
          Filesize

          1.6MB

          MD5

          4f3387277ccbd6d1f21ac5c07fe4ca68

          SHA1

          e16506f662dc92023bf82def1d621497c8ab5890

          SHA256

          767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

          SHA512

          9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
          Filesize

          1.5MB

          MD5

          78418bfb23c7adf70828f675e990de49

          SHA1

          534a26817c39972287abf166bb00c831440a1e57

          SHA256

          b14218cb639c6afa35a66cf418035ce10475b53f5386896a44327fd48d8447c8

          SHA512

          5df88e9bd4d241b69acba4499845e68286cd24fffed582864c24ad4c5d9bd47041c99ac32cc023c7a6dbe4cecaed39882274cbf4e12aedd5220c6e51075a8dd8

          Download Submit

        • memory/2424-86-0x0000000000400000-0x0000000002B7B000-memory.dmp

          Filesize

          39.5MB

          Download

        • memory/2424-77-0x0000000002D70000-0x0000000002E70000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2424-78-0x0000000004780000-0x0000000004789000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2424-83-0x0000000000400000-0x0000000002B7B000-memory.dmp

          Filesize

          39.5MB

          Download

        • memory/3332-84-0x00000000023C0000-0x00000000023D5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/3332-101-0x0000000002780000-0x0000000002795000-memory.dmp

          Filesize

          84KB

          Download

        • memory/3612-64-0x0000000000400000-0x000000000051E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3612-74-0x0000000064940000-0x0000000064959000-memory.dmp

          Filesize

          100KB

          Download

        • memory/3612-60-0x0000000000400000-0x000000000051E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3612-62-0x0000000000400000-0x000000000051E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3612-65-0x0000000000400000-0x000000000051E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3612-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3612-63-0x0000000000400000-0x000000000051E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3612-61-0x0000000000400000-0x000000000051E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3612-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3612-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3612-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3612-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3612-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

          Filesize

          572KB

          Download

        • memory/3612-71-0x0000000000400000-0x000000000051E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3612-73-0x000000006EB40000-0x000000006EB63000-memory.dmp

          Filesize

          140KB

          Download

        • memory/3612-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3612-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3612-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3612-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

          Filesize

          572KB

          Download

        • memory/3612-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

          Filesize

          572KB

          Download

        • memory/3612-52-0x0000000064940000-0x0000000064959000-memory.dmp

          Filesize

          100KB

          Download

        • memory/3612-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3612-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

          Filesize

          572KB

          Download

        • memory/3612-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

          Filesize

          152KB

          Download

        • memory/3612-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

          Filesize

          572KB

          Download

        • memory/3612-34-0x0000000000400000-0x000000000051E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4564-98-0x0000000000400000-0x0000000002B7B000-memory.dmp

          Filesize

          39.5MB

          Download

        • memory/4564-95-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/4564-102-0x0000000000400000-0x0000000002B7B000-memory.dmp

          Filesize

          39.5MB

          Download