Overview

overview

10

Static

static

3

c9705afcbe...d2.exe

windows7-x64

10

c9705afcbe...d2.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-03-2024 19:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_installer.exe

  • Size

    1.5MB

  • MD5

    d9ff1676cb62a8cd8cf24bb2c5a3d8e3

  • SHA1

    d8f2ccdf1e3feb18f726ccd35f8f80611a8b019e

  • SHA256

    abe3c1a4d337159c98b15959921d18f0f28add956f482c703cb5609c2656c630

  • SHA512

    215812b82cf4e5c00132538d4f1e3447294633ae08d9626d85730d99ba9e401a3f9843890f82506fd45c57b89ebda51c3efa7ef4c0f29ddea175c8a32f181e5a

  • SSDEEP

    24576:xcVkKSkXCeomdCFDWHp/7F82BzWTpEPY/RQ5DsvLwcaBhdZIl9mToWznWFJpJYqu:xcB3CpZgu2BCFEwJ84vLRaBtIl9mTo8/

Score
10/10
nullmixersmokeloaderpub6aspackv2backdoordropperevasiontrojan

Malware Config

Extracted

Family

nullmixer

C2

http://wxkeww.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • ASPack v2.12-2.42 5 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c karotima_1.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2236
        • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\karotima_1.exe
          karotima_1.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          PID:4476
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c karotima_2.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4176
        • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\karotima_2.exe
          karotima_2.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:4184
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 396
            5⤵
            • Program crash
            PID:5068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 504
        3⤵
        • Program crash
        PID:1368
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
    1⤵
      PID:4516
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4184 -ip 4184
      1⤵
        PID:464

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\karotima_1.txt
        Filesize

        1.0MB

        MD5

        9108ad5775c76cccbb4eadf02de24f5d

        SHA1

        82996bc4f72b3234536d0b58630d5d26bcf904b0

        SHA256

        c9d5525b2f2b76087121039ee1c23ed35508e60f653479722ec64ea3a064878e

        SHA512

        19021a28555bba1fe1bdcdc8845f1bcadebd256c7db02b9329d6b44ae01a123a00e162cc34a97ba51f088cafa6f54ab1de8f82f771ac54b94a3a796f84f73362

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\karotima_2.txt
        Filesize

        201KB

        MD5

        7e3cb6bf4000e17ada2121b84b63ddc1

        SHA1

        3d9d09e4603b89913b0eca604021df3c49b4aa31

        SHA256

        439c74d75423ffb0071e342f248c48567f50f50e1f836ae119f5db1387147188

        SHA512

        0989ca525843ca03ebfb32b1f000307e7be9674b7453c7a8724f2206028e9ecc04b9f2ef130639858041d37a2b7a11d7e9b1e23197f22bb0e95f9d6f75291ebf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\libcurl.dll
        Filesize

        218KB

        MD5

        d09be1f47fd6b827c81a4812b4f7296f

        SHA1

        028ae3596c0790e6d7f9f2f3c8e9591527d267f7

        SHA256

        0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

        SHA512

        857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\libcurlpp.dll
        Filesize

        54KB

        MD5

        e6e578373c2e416289a8da55f1dc5e8e

        SHA1

        b601a229b66ec3d19c2369b36216c6f6eb1c063e

        SHA256

        43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

        SHA512

        9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\libgcc_s_dw2-1.dll
        Filesize

        113KB

        MD5

        9aec524b616618b0d3d00b27b6f51da1

        SHA1

        64264300801a353db324d11738ffed876550e1d3

        SHA256

        59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

        SHA512

        0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\libstdc++-6.dll
        Filesize

        583KB

        MD5

        f183843e1870b3e25ddc04e5a715a927

        SHA1

        4eda935ad92cccba72fc5ddc1d2f4ef206055e40

        SHA256

        0b2430a607745753fed9a54ade7007d646ec04d3c0f249d1797bf2d0d337c740

        SHA512

        b9a4acaf926fb24726be6a23423c37441a643947cd1d801707a9a6976d75f80538aefdec6fa56181e46e4ba9f19178ec42ffa6a9c46ad800088c6e30ebb841c0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\libstdc++-6.dll
        Filesize

        518KB

        MD5

        a8b390a08fb5bf6c1f33a71291b9d04c

        SHA1

        6868a5eefd11b07f260a32cce8dbd7e6143d1890

        SHA256

        ce2705906f3dc516b17856c3fb37d6ebb35647f33e1f2f44f1c0b0698f7a87ef

        SHA512

        7ea45f94d253e27b2046c2808ee35323cb0afb4d2e447165e83d8b1eaa11fce634eee571837b939a7140d262bc45886558a636d0f3ce770997643f988aa5ef81

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\libwinpthread-1.dll
        Filesize

        69KB

        MD5

        1e0d62c34ff2e649ebc5c372065732ee

        SHA1

        fcfaa36ba456159b26140a43e80fbd7e9d9af2de

        SHA256

        509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

        SHA512

        3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS8F858E67\setup_install.exe
        Filesize

        287KB

        MD5

        117e1a64b0ccd2b5a68a3b5e65fb901b

        SHA1

        11b8fdef6a1f49d132d39bbad6fe9c6bbd7deb5a

        SHA256

        72a4d83686943a9436736bf25a88af512e83b6a8c984e83a64d18cac674e7e24

        SHA512

        035d7f48480198f16df3f2cb8d65f16d0df0bbf7f3a3b57f5dd5a485569e4f52446e993db264ab64053c44a6a1be8683287ae69166ff822a6410e345247ebdc7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
        Filesize

        1.6MB

        MD5

        4f3387277ccbd6d1f21ac5c07fe4ca68

        SHA1

        e16506f662dc92023bf82def1d621497c8ab5890

        SHA256

        767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

        SHA512

        9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

        Download Submit

      • memory/3392-71-0x00000000021A0000-0x00000000021B5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4184-70-0x0000000000400000-0x000000000089C000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/4184-65-0x00000000008A0000-0x00000000008A9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4184-64-0x00000000008B0000-0x00000000009B0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4184-74-0x0000000000400000-0x000000000089C000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/4184-75-0x00000000008A0000-0x00000000008A9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4860-50-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4860-58-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4860-40-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4860-46-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4860-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4860-52-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4860-51-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4860-49-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4860-48-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4860-47-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4860-45-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4860-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4860-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4860-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4860-59-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4860-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4860-61-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4860-62-0x000000006EB40000-0x000000006EB63000-memory.dmp

        Filesize

        140KB

        Download

      • memory/4860-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4860-39-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4860-31-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4860-36-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4860-37-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4860-38-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4860-35-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4860-22-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download