Analysis
-
max time kernel
276s -
max time network
1176s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
03-03-2024 21:57
General
-
Target
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779 (copy 1).exe
-
Size
1.5MB
-
MD5
269d7e74e4b21a2fc0e66907c77fc0bc
-
SHA1
fc09525a2f93bf089d0b02c5220e7ee452e64747
-
SHA256
e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779
-
SHA512
e0a257ed553383a06267c124b8d72215d6f155ae02ab6d327258c621835957c39e5567c012777fa80f087e578b9a2e1519ead076948b79b1145103826db4bdd0
-
SSDEEP
24576:Eg5ks+W8y6AFZexyuCkfHGFV01gUSvriQMbOyK2jYR2J11RaLNBDj:EgrHa0ZAhIVQFSv2LtwRG11R+F
Malware Config
Extracted
nullmixer
http://wxkeww.xyz/
Extracted
smokeloader
pub6
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ASPack v2.12-2.42 4 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779 (copy 1).exe"C:\Users\Admin\AppData\Local\Temp\e6ea98b046b11a35efa0ac1243f6190ff4d4247a35784e65a9feaaf4918ae779 (copy 1).exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4C43DAA7\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS4C43DAA7\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c karotima_1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4C43DAA7\karotima_1.exekarotima_1.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c karotima_2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4C43DAA7\karotima_2.exekarotima_2.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 3046⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 5404⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 41201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4564 -ip 45641⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CompressEnable.rm"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD59108ad5775c76cccbb4eadf02de24f5d
SHA182996bc4f72b3234536d0b58630d5d26bcf904b0
SHA256c9d5525b2f2b76087121039ee1c23ed35508e60f653479722ec64ea3a064878e
SHA51219021a28555bba1fe1bdcdc8845f1bcadebd256c7db02b9329d6b44ae01a123a00e162cc34a97ba51f088cafa6f54ab1de8f82f771ac54b94a3a796f84f73362
-
Filesize
222KB
MD580e74cf9f38c5712c6c2432a509c8bc7
SHA162ccdca04b3685728ce7f1a785cc01f3a3f3b3dc
SHA2569ff44c4da853cdbe606d2cfe4d04b410c3ae603acf0f1d3f75195b6236e0e123
SHA512d602cd95ad38cacae41b4848e72ac54ad81d287e1c825d68a088009512b14b5290a5a6c3032ebb2c91fecb5f743d519e92f1ccb27f5fe2841094a693d2b8de49
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
290KB
MD5118f130d93db3be4452ad8a0751509df
SHA14cac4b964784aadc7e6f41c21b854c668dca6981
SHA256f7dec887c3345567ce86ce60cc8841a6a54eda35049811049debd1c5451656f4
SHA512ec263d9cfc0a0324f8f79f6f6703f507d06f454cbc9964595a00d9606aae86c34920c8a10ef3d4413aceb85e33d731634200c0e7ee099b8a35baf8e69f46234f
-
Filesize
64KB
MD54d2b68d677ac73dcb65ee825768911d5
SHA1662ed4a8145efa1359dc1d4279f406d2cc394515
SHA2565ee8d225fa0aba9acc29fa615cf1615072bf0e5e7ec8e9cedfcbeb57ec5caa49
SHA512abbd76794f5e0916fb090d555f4d0f39a1ca7dff56590e505e1d1316e2aaaa530a50ca661da12166e151c15d42f7d56926fa0730c5ed68f71fc09483e9c93a08
-
Filesize
1.5MB
MD578418bfb23c7adf70828f675e990de49
SHA1534a26817c39972287abf166bb00c831440a1e57
SHA256b14218cb639c6afa35a66cf418035ce10475b53f5386896a44327fd48d8447c8
SHA5125df88e9bd4d241b69acba4499845e68286cd24fffed582864c24ad4c5d9bd47041c99ac32cc023c7a6dbe4cecaed39882274cbf4e12aedd5220c6e51075a8dd8
-
Filesize
112KB
MD549359ff70a57cb30642f19081a825517
SHA1e094c5f5f91c061f3670aa51ccbe0970830935b3
SHA256ad816a23ead14eb21c323da6fdb5b1d98979398827a36e4b026627db38972f1d
SHA5128844fd4b90b4cb820b07e900b72b321241b3e2285e783b4f12063c3515c90e2753fae7facfe144489bc39016191b317f344d43b28e63f7eb2d66ca322aecc51b
-
Filesize
93KB
MD5478a4a09f4f74e97335cd4d5e9da7ab5
SHA13c4f1dc52a293f079095d0b0370428ec8e8f9315
SHA256884b59950669842f3c45e6da3480cd9a553538b951fb155b435b48ff38683974
SHA512e96719663cd264132a8e1ea8c3f8a148c778a0c68caa2468ba47629393605b197dd9e00efad91f389de9fcc77b04981a0cf87f785f3c645cdc9e4ebd98060ca1
-
Filesize
444KB
-
Filesize
160KB
-
Filesize
2.2MB
-
Filesize
72KB
-
Filesize
68KB
-
Filesize
604KB
-
Filesize
368KB
-
Filesize
1.7MB
-
Filesize
176KB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
76KB
-
Filesize
92KB
-
Filesize
132KB
-
Filesize
72KB
-
Filesize
68KB
-
Filesize
140KB
-
Filesize
144KB
-
Filesize
68KB
-
Filesize
344KB
-
Filesize
96KB
-
Filesize
412KB
-
Filesize
192KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
992KB
-
Filesize
208KB
-
Filesize
2.7MB
-
Filesize
92KB
-
Filesize
96KB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
116KB
-
Filesize
2.0MB
-
Filesize
16.7MB
-
Filesize
252KB
-
Filesize
132KB
-
Filesize
96KB
-
Filesize
68KB
-
Filesize
108KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
100KB
-
Filesize
140KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.1MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1024KB
-
Filesize
36KB