Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
22-08-2024 10:25
General
-
Target
setup_installer.exe
-
Size
3.4MB
-
MD5
4b03c39108e3dc0e225ca17b2e60dbf3
-
SHA1
93c03382407478f1deb2c352fb09a06ddaf45427
-
SHA256
d54475a4d379b330858efba292a1b9c791155ecb8b86461e3edffd2e32afcd0a
-
SHA512
3f49a1cb00160681e5750d7821dc55e54207616ed4f9987827a2cc9dd09aecabab0b117a4120b4d1b925fd40827e2f01992ede1b7315889e67c6beea0b1bda3c
-
SSDEEP
98304:x2CvLUBsgz3n5nSgTlZuRF/7G4Mf7GJAr3ZPEfZMF:x/LUCgz3n5nSulZuGGJ23VExM
Malware Config
Extracted
privateloader
http://37.0.10.214/proxies.txt
http://37.0.10.244/server.txt
http://wfsdragon.ru/api/setStats.php
37.0.10.237
Extracted
nullmixer
http://hsiens.xyz/
Extracted
redline
pub2
185.92.73.84:80
Signatures
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
ASPack v2.12-2.42 3 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 14 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue202c0b0c44.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\Tue202c0b0c44.exeTue202c0b0c44.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\Tue202c0b0c44.exe"C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\Tue202c0b0c44.exe" -a5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue206edc34cf4.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\Tue206edc34cf4.exeTue206edc34cf4.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 3645⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue20b0ce91e160.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\Tue20b0ce91e160.exeTue20b0ce91e160.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue200a01e55ccea5b.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\Tue200a01e55ccea5b.exeTue200a01e55ccea5b.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 8325⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 8685⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 8845⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 8925⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 9925⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 10725⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 14885⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 15445⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 18085⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 15885⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 15525⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 15925⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue2019d28f9486.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\Tue2019d28f9486.exeTue2019d28f9486.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue20357017b9f2cf.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\Tue20357017b9f2cf.exeTue20357017b9f2cf.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue206f1d53d40be40.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\Tue206f1d53d40be40.exeTue206f1d53d40be40.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue2073e57b595420b4a.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0C2F2ED7\Tue2073e57b595420b4a.exeTue2073e57b595420b4a.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 5603⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 532 -ip 5321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4436 -ip 44361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4456 -ip 44561⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
539KB
MD5613e731bf142f930168c17047b0a88e1
SHA100c7ae3e6771415167e7ab0e5a21297d733fb9dc
SHA2562dea53f68ee05019e21760591436ce11b2eee72c2a334e086f597ae8c24a303c
SHA5126cda3d2a2bdf707f9daec11ebb6ceebce85a1deb9f8e248174f962b985d49caba0198eb3259120c0269fc6f42c6ec6add206a51b4560d9c3176517f6814e7a79
-
Filesize
300KB
MD5953d93e24956822e11d1ff9e433731d4
SHA13f45bcca182046fa8957821089d804200227985d
SHA256f4eb31de9302b29f94e951cd77159b29ad6f36dc48dff1df573d13be632a0c16
SHA512c3791ebb2a90a82c4b937b58daa979a6e33d14606a5e89f398d56c8093d6582c76287576486c9292f0af00f7c7823147ef9d3993f47bb582b6f91c6fd9461137
-
Filesize
56KB
MD5c0d18a829910babf695b4fdaea21a047
SHA1236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA25678958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823
-
Filesize
1.7MB
MD505a0baf55450d99cb0fa0ee652e2cd0c
SHA1e7334de04c18c241a091c3327cdcd56e85cc6baf
SHA2564cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c
SHA512b6d1fc00d7b076068b0879fa4d29b68d3054b5fca24edd5852077bf34d37c43e79cb74fda9c45014610b317d57d70369a3e197784c04bc3c6eac5e1ea9a64fff
-
Filesize
197KB
MD55dd05fecd86da1a812a1e1045aa5b3e2
SHA17916763ae91dc1ae73e45dd13b33ef45f7911769
SHA2569975bc95574a3f0547e79befa7065239653088d3f84841cdcdf75017ba903a09
SHA512709151d96485a13281ee44bc3e768da5ed500c3f41eebcf1274a3a6e9730a101c24d9bc240eece5416bba994baf193934a66b3d6ba467e8386a8ee23ad5a386e
-
Filesize
78KB
MD59ec54823bf8214095594aeef509153b6
SHA1e5e20d4d959df24958c4f8ec029950cd094a611d
SHA2567b04c1fb8c6d2a22de787b8a223e3f8159cc28bff82b204d23b675b1f55899cf
SHA512b6195cad810665e32c881fb24b29620c278b3afed4ce056c306707a0aa5915c335ff185c6567041f562c17f7e61bfc59d756be487a33cb3a205b589c3085503a
-
Filesize
8KB
MD55fbf56cf05175a08ebbfd3ab8c29ab9e
SHA17412ee83a7568b1f6024ba4e1277e298d76e8738
SHA25605942fe67632d7cb440fd1f31bd55cfc8416bdab4da6ed8d84e8d3fd16c3f5d6
SHA512dfb6a263fe313880e47d9eb85dd43c37a7ed44b403354ecba80c0cb0253f913670295217e243677ed38676e23542694cfc1700659e370f92e8d2434cdf95c62a
-
Filesize
900KB
MD50a0d22f1c9179a67d04166de0db02dbb
SHA1106e55bd898b5574f9bd33dac9f3c0b95cecd90d
SHA256a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac
SHA5128abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
2.1MB
MD50e64ef80b1985958635dbf7185c1bddb
SHA1e31c71461242e664f9b23c8b3bf5f5968dd530eb
SHA256175019e8af381eecc895a880496ba7da48ba456805518ef91bc14d48bef6d533
SHA512c2e9ed9c9112a4a96829da570a2171eab1a9f971a81d43ec39d641df3fadd5345e5d0940d5b785504bdc5bebb312fcc0500f9c7781222477ff2172ecbea2d974
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
100KB
-
Filesize
140KB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
56KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
40.9MB
-
Filesize
5.6MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
144KB
-
Filesize
6.1MB
-
Filesize
136KB
-
Filesize
172KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
40.8MB
-
Filesize
41.1MB
-
Filesize
360KB
-
Filesize
408KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
216KB