Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
27-03-2024 00:57
General
-
Target
e063dcb77a9d10b2a1eafc8af5e2a122.exe
-
Size
5.7MB
-
MD5
e063dcb77a9d10b2a1eafc8af5e2a122
-
SHA1
65116078fd279a40a6807f2b5db6633b69b4dbd4
-
SHA256
96ec0b44a4d0f2fa0dac3e5dccd700a6360f04ff4a44a8fbda6b5509ba6358f7
-
SHA512
064115d06a61ef08c10c0a5c17fa27a539ccc73400f368392b0791a6f4ed40bd4a39a348bb94678a02f492d2dd1011174214add471cc48b48a896e867b93be02
-
SSDEEP
98304:yDA+zXfW3hs4QBYP0P43lTcyDUDuUdNG65uLp9/KASx5IYM1EmCsrh3tJ7hyde4f:y/vWxrPyGeDuOudhSaYo1xP7hyde8
Malware Config
Extracted
nullmixer
http://watira.xyz/
Extracted
vidar
40
706
https://lenak513.tumblr.com/
-
profile_id
706
Extracted
smokeloader
pub5
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Signatures
-
Detect ZGRat V1 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Vidar Stealer 3 IoCs
-
ASPack v2.12-2.42 3 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 19 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 19 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e063dcb77a9d10b2a1eafc8af5e2a122.exe"C:\Users\Admin\AppData\Local\Temp\e063dcb77a9d10b2a1eafc8af5e2a122.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 38a72d1941.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\38a72d1941.exe38a72d1941.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 2e80f89eab2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\2e80f89eab2.exe2e80f89eab2.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dc56b88fa7bd64.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\dc56b88fa7bd64.exedc56b88fa7bd64.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 10406⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c b7816bfa03.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\b7816bfa03.exeb7816bfa03.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c d8209827f876d25.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\d8209827f876d25.exed8209827f876d25.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 72a3df5b6765f57.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\72a3df5b6765f57.exe72a3df5b6765f57.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\72a3df5b6765f57.exe"C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\72a3df5b6765f57.exe" -a6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ae53a1dbd6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\ae53a1dbd6.exeae53a1dbd6.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 0c1a94348.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS033E2E07\0c1a94348.exe0c1a94348.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 3726⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 5484⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1172 -ip 11721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2016 -ip 20161⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\ujwujbbC:\Users\Admin\AppData\Roaming\ujwujbb1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 3682⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4920 -ip 49201⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
361KB
MD5a508b5d5aa6d99b8c3d838e8ddfa2094
SHA19dd372c7b65f4b95a7f5fe1bc8a86417eaa5223a
SHA2566978e86b3708438492944ecfa2fb06001c0372905fa1f820d145437546a2dc70
SHA5122383cb732a895b34b0a36259ec550b2a62c4cda138127845744935fca74228525024d6153b3d244fb60443663d08276c8e63fde0bd6f237340828e27b2478068
-
Filesize
65KB
MD58965870f63cc489d68d0000e851e6990
SHA188b6cacc868ae000009690cd436973e53104cbd6
SHA2564a8b9025fbb285e2e1d288d7a419a6eaba80b795b37b45519b79e8675f095900
SHA5121e094ff6342909b61eec0be222b3bc5455105443ba22978da8ab16901f1425b802bf9dd0dccf38072a274f6f1d6789c81f0a9c1cb6dfb21a500243d4cabc97d8
-
Filesize
71KB
MD5b52ca7e5a395a8a6a191f72816f93636
SHA18ed966dcb999855313d2b3b342f9428fdcd757bf
SHA25665572f0c44ea1975c70cd35a4436cc6c8ad949b0197c2a271a248adad11ef024
SHA5124e2bcae47b457ca83e740e380eb0c29ff8d49309183390839668eda01a80fec346caf95d07f01beef0d552bcc678b4eeed3ef3d8436a449a4bd9f7c00f4ac389
-
Filesize
388KB
MD53dc860d994b09cb4f389e8c11c990644
SHA1888f2bd677925899cc25f3e3451e3bae20a22998
SHA2568e8b5f6b5fd7924171196ee45a0544f4eb4a4db9cde83e0e52b68dea0fc261cd
SHA512f4955c4c2c51f753aa02b9487dd4faf11a846e0e830a504fa809d5c0a747239bd79a8f4b8ff61c7b15a4989a6ec64b5c25703b78e44177eae78cc9787f318635
-
Filesize
1.8MB
MD5dd3952a7c7ca00160e0143423fde16d8
SHA17b2f3022058ebc1de3b96037d20f881cb07e70e9
SHA2563d582c734d4041427843e722490da75133dec1aa538678d5c6093566d8e0f7f7
SHA512f1f971e5a95cd3d9282a2fdb4e272f1888c864019a45d48aa6fc61124a64af913e5dc3c3d76c3cc4769141b58299459f539972b0ea02c6d8edf60281763d9ff8
-
Filesize
56KB
MD5c0d18a829910babf695b4fdaea21a047
SHA1236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA25678958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823
-
Filesize
1.6MB
MD50965da18bfbf19bafb1c414882e19081
SHA1e4556bac206f74d3a3d3f637e594507c30707240
SHA2561cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b
-
Filesize
1.3MB
MD5770f01af27079f33a51abf8c9201838f
SHA1635506c1ef6fa198d775b9ec1c9aaad3d1482c13
SHA2563c97dfe2ecd4448ef349ba1da627278bf840051e08c26519bfb6b638890937bc
SHA5123aa5d523581b1d70814c52ad24acfafb46dbce86d172294d6c0a58d5da0327747701f77820e9cb372c87d232c918e30e2d1a705a6c3d79443c37c21742204267
-
Filesize
8KB
MD583cc20c8d4dd098313434b405648ebfd
SHA159b99c73776d555a985b2f2dcc38b826933766b3
SHA256908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
SHA512e00009e1f322a1fe6e24f88a1cc722acf3094569174e7c58ebf06f75f50a7735dcebf3e493886bbdc87593345adc8bb7b6f2daca2e64618f276075a0bb46bb8c
-
Filesize
241KB
MD55866ab1fae31526ed81bfbdf95220190
SHA175a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
SHA2569e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
SHA5128d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5
-
Filesize
680KB
MD5f37b83a7fc53ef8567b329a98c9f6eda
SHA1950e3be3be673528d6a09c0982b63492795536b9
SHA256ca93a0673ef2a90a3c21599ace407201bb1855d4b91c6977b68861c79717c0b0
SHA51209c13877a4b3d6fb125ce795b1e5733de5e08897da6ad819d4d2a26bb95e62be4dc2586cb2a3f64995222870753428755c953f6486948e7b38740d8a7e519110
-
Filesize
697KB
MD5fcce864840d6700d71a8d68668d7a538
SHA1fef82b13a6565e5da4eaf24ce6566c513c6a58fd
SHA2560d017311cfc1554b76481b6b0d40d1c150c1a0aedcda302f513c01de0b1f4e4c
SHA5123f01d5cd486b3394c46896f0d2c9eed1e6e1825c15e729ab357105d562fc0b73e7a7ab69f56107ae3e6941acff5dec43c3bbdda023909723c47547ea2d51d740
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
2.8MB
MD57811f7e840af1df8d1dd288d90ee3beb
SHA16fbd856300128200dfa813f398e8a99ef86fe9ac
SHA256ba98edfd14b5af8573b1e7fa780bdde79f0cd421f98e1d31c0f4902fd2ec1df0
SHA5124fd1ebb56aa96fe5d918cd16c9f238dc321168cd4c6eb5155f6d25e48334c20b17b126a07a8ef9fb3ab6ec887669f3394e26b51ec201b20b93f1407631b662b3
-
Filesize
2.2MB
MD5c75b103da60a574872f7d296fefd917f
SHA1ebc558f523218b1c92fde1df5797b4a1cc00e388
SHA2568387b9849d461ce07a1c143d3034ac3d03c75c220e61c82018527d1b6f458698
SHA51287446c408189dc6e237eb5bd7687defa4447e47b2857e8435ce1ac591a8ffdbd322c8177335114dbf59f2e8109a8f174e9f0e76f5a96cee8006b5f85cfd7d9d1
-
Filesize
1.6MB
MD5ec3c7e6b3c07a5dc7e30e37b2e682b09
SHA125869700ebedbe2bb38d7ec909c4c6e340578d8e
SHA256738cfa8c1a71e7107f121614cefb2d53471bbc8724b593f247426156bb90fd10
SHA512be646f9aa4b672d538f9510b3b2c07a2f8775d8a01f66e7ef5fa3e85eba3b0a8331e3d397b39dd8eca1e1ac48b4b620fa503d75b70c9c4b12c974356bed08333
-
Filesize
5.7MB
MD50a7b9a3a120d129f53edd0c6fa2564b2
SHA1062f9ab3533df764cebb4df4e09c15b0a154a977
SHA256c767c0c438dd1a2bfb6d14e35c30b24971b9a2db90748177ee23959b7b6b22ed
SHA512fbe42dc44812899e32a09012dd5c590f8fc298aac84ae0e140ab2b53e398707c708267aae6210dc3bad6559859ad0b0ef05dc74064a73586c2fb66903038d7eb
-
Filesize
3.1MB
MD5400fd4c207646229e1f38ba4cf6a824e
SHA10739859b9827dde01e142a97e805d112b99e7126
SHA2569b5fdccccae1d34bae42ee4c32adb78c61b647fc16eb525e21d9e95b434ef498
SHA51211e251513edb304f6ca786717128f5478d7b5b6658e8dd636464ffeced3d5f3527250c55384f774b8e26bbd46a5b0512d418ea4e30b946c9c4ece3ee197063f9
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
8.5MB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
140KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
47.3MB
-
Filesize
1024KB
-
Filesize
628KB
-
Filesize
47.3MB
-
Filesize
7.7MB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
184KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1.0MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
8KB
-
Filesize
8.1MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
8.1MB
-
Filesize
6.1MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
47.0MB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
47.0MB
-
Filesize
47.0MB