Analysis
-
max time kernel
158s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
13-03-2024 04:55
General
-
Target
setup_installer.exe
-
Size
2.8MB
-
MD5
4d46716f0ef0e114e9fff397776305a4
-
SHA1
a70c7939f02fd3c8e3527ab77d2db8408967df27
-
SHA256
06c4ad5c9179a15a9d1ddab83ec6c9a3d34b9f61a76c4260ca9c4357112ab004
-
SHA512
6f02cbedf212da31682accc18279c8e5c8809f47425a1c2aef2af09c691a3e8036c4db6b1fc59d47390590b77e850d128408a0cb34dfbb921247f3a9c2a55d94
-
SSDEEP
49152:xcBnkJJWNstJVyOy6NaPmQNVIIDdmDi+yboKFoUW952b1l/EwJ84vLRaBtIl9mTH:xLJJ9tJVyOyFPmQgoMO+ybXA5g1lcCvg
Malware Config
Extracted
nullmixer
http://watira.xyz/
Extracted
smokeloader
pub5
Extracted
vidar
39.7
706
https://shpak125.tumblr.com/
-
profile_id
706
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Signatures
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 5 IoCs
-
ASPack v2.12-2.42 4 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 9 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 26 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS43A09818\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS43A09818\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_1.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS43A09818\sonia_1.exesonia_1.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS43A09818\sonia_1.exe"C:\Users\Admin\AppData\Local\Temp\7zS43A09818\sonia_1.exe" -a5⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_2.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS43A09818\sonia_2.exesonia_2.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_3.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS43A09818\sonia_3.exesonia_3.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 11565⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_4.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS43A09818\sonia_4.exesonia_4.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_5.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS43A09818\sonia_5.exesonia_5.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_6.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS43A09818\sonia_6.exesonia_6.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Compatto.rtf5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^jvMDwkwydQdmnxGPmMOjYlbIlopECWXOZojRKCmISYgoKPYfXOyLKoMeYraSevCxTCAdoOyWjyxqVfYxlTHNQkrRvpTHpGGccUgofIipJpnFNMuJyYIpPPDHnITYVnMGn$" Oggi.rtf7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.comTriste.exe.com n7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Triste.exe.com n8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 307⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_7.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS43A09818\sonia_7.exesonia_7.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 5443⤵
- Program crash
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2624 -ip 26241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1104 -ip 11041⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
478B
MD5b96b1288ce038869fb15d4353f760613
SHA15a6f01cb0546a6dd4ae1e90279aaa82bdd672b60
SHA2562c1458ecd2cc31a6d798a1c6396926cb99a66481832f774dbdbc19594ff9bd40
SHA51236a72a5cac8b1aaa395d9efc2fc79b4525e408c57cebaaf2f00c1ba5b51bc08ee22e5676055cdcc961197c05e41d020c8d74b0d95426095d1a5b04fb14d3b04e
-
Filesize
7KB
MD52159edf39246faecd80a5bb1638b0212
SHA144930f0fe67b06a73c57ff56976894632890aa6b
SHA2568dec7534543bc983bcd6965539e3d26de768775ac117a108b545a5b4e3bb3614
SHA51249b34aab60b12e98da6f521adf6d4c3ced8245df327a84b8c39d096fc26916ed95ddc212fb05558cf801213e62b5c40cba6cd5cde321f4d23af8bd7e54694a33
-
Filesize
872KB
MD5916c4387e392f4f3c300d18dc396b739
SHA1c7b480305599093ed6f88f5d8597fc5facc7cb3e
SHA256d574f83fc092c037db7625e3b2dbe16a4898f9e8ec187c3a5744c699bdb5b75e
SHA5129166b8ff071f067bbd31f39c2201285dc1c2096c693849006554a8ca0201b8d43b2ad0c786b5bb4bdfe897870d0609bc6011aaf8baee1456a473045ea9189584
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
703KB
MD57fa88f5686ca445f2a90cb05d761975f
SHA11ffd9e0375a825deb059121951ce81844f97d527
SHA25694b01919c10661d96e0f8ccf05e143b76d94cae3dafc0e5cc7998d22b060ad1a
SHA512379cd229c1a5af95ab3a67943338879e0ef7fc971a51a56ad68997b38a8de69f6694e8e4dc497f174dee46740efd35f580258b29b5ac385c2ae8c837a6d94460
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
287KB
MD5f067ca4e599dc56f13ff3144fe928e02
SHA180c73006bd0698894e60f36005d2cd9d002ac6e9
SHA256622fbeff10d455986088a15a44fa3d39c6353dcf1235986d1cde06df5d968c23
SHA512bcc8273d7c20e7395b3f2e22ca43692034912c92097085834b8a7350c878300faa6af52eb5e539581bae03016d6ef827f70f99a82938e6fb186521d3ad243cd1
-
Filesize
56KB
MD5c0d18a829910babf695b4fdaea21a047
SHA1236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA25678958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823
-
Filesize
326KB
MD5149bdf01964f2c62ea21b2eb86f7fdca
SHA1b648f67ce5718ba2d82b003c1d92b7006151ac82
SHA256886a957df2ff12c151388b562f42fe773aa882e99ee0008c4289da70092bba93
SHA5126e9f64a657f649f27ad5ad222ddd937490222d5f4c10382de19d5fe6eff3c91c3ce3ef78b8ddf4959bc6d8018f0b2b3ecbd32e8fdc1321bce285b9fd3d4f80c2
-
Filesize
663KB
MD5042765a08c102c16d62a5e180f426b61
SHA1dfee7b100effd30dbe57cb09174b1a055c56d735
SHA2561e1876fcc6205b59c4bb80033de32dc133953f28cd603d07fc367dcb877ff46a
SHA5120cde23d99bcaea24501ca7dd0dbb91876b6f6c7d223cd91a670dcba8f89a9e346c09d0f1c43113440d5e71fee3a9473eca27230a9b19830a7f92eafb7322f5a7
-
Filesize
170KB
MD5fa595cebce68c02fd46ada1fe8c737b4
SHA18b6a06173339d171ea2011f128b274b7649bd439
SHA25617232aff76e3b361355b110d77cc1e2942f2b004485706f38995db15808f7d4a
SHA51236cb2d5edce78419134939a8293bee2bd6ab34a2ae14f77eac2b815dd3cfc7834f88d573af63d0a8a7167dce69e7f8f5237fe73029e66deb571d22471dbc40fb
-
Filesize
1.1MB
MD59db9ef06359cce014baef96fa69b5a7c
SHA1614c739b69be9a3914a9ca9548245ed2c97ceb63
SHA25650df788859ce3024e9018f60f7c04aa43c191de7b1578fdbebc7478898d5cd8d
SHA5129d80f7b815d56a10179c164580672a2947e130321c21037747d10859e5540fa55daa1b495e48e6b41c7df51ef9567743912a2d4b1ffa9a843f3fc34d2803e583
-
Filesize
882KB
MD5fb9c80b52aee624e19d016c13d56ade0
SHA19d9361947d673cca9155d12d56d6f23d20f164a2
SHA2564363307739b80f6e418170a049b1a4c52e0405161f18588a8330a849ac4a9a62
SHA512c358cef29d681aca0fb4d3d0de64dbc712cded98a1b70f5f93c654c02e3f399b2ac23419801f6fbb6ab6210c1854a14eb5a6b1ce3cbea927118decaf30a93210
-
Filesize
239KB
MD54b22d93b15716c78574359822631a650
SHA12e5ad91cd4de7b91a21beaebb1b138a0e302433a
SHA256a14fbc80257bbb603ac8cb0694f2587e60e2be4c4e79d39e7945d986b02c37b8
SHA51285703a351512f040194225b069b803a6d266a08c956ec7ccb544833f82a661eaf0cb2d37696c97e4a79f2f7242ed68b2166f8c105bb476f6cecdc1df1818eb29
-
Filesize
1.6MB
MD54f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
Filesize
772KB
-
Filesize
1024KB
-
Filesize
628KB
-
Filesize
772KB
-
Filesize
628KB
-
Filesize
24KB
-
Filesize
144KB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
140KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.1MB
-
Filesize
140KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
84KB
-
Filesize
432KB
-
Filesize
36KB
-
Filesize
432KB
-
Filesize
1024KB
-
Filesize
36KB