Overview

overview

10

Static

static

3

60f7542fc3...93.exe

windows7-x64

10

60f7542fc3...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-08-2024 22:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60f7542fc38ff540ec252c590d3e4695bbf314fa991352bde0239e64d8584b93.exe

  • Size

    1.5MB

  • MD5

    2579624b4433d4e5fddaa989c46b89d4

  • SHA1

    fce2a5a4a930df71e23608f1468f010a9a27a0a1

  • SHA256

    60f7542fc38ff540ec252c590d3e4695bbf314fa991352bde0239e64d8584b93

  • SHA512

    67506e89565a06a49ce6056bc7b53ec44691e09662de24fdd11a12a8dde747c46c5bbf8b866cc1099cefe5916804b738c9c9c7e648c436ad9861c73461037957

  • SSDEEP

    24576:xcVkKSxXCeomdCFDWHp/7F82t+YSyfEPY/RQ5DsvLwcaBhdZIl9mTMPCwWznW5Nm:xcBiCpZgu2odcEwJ84vLRaBtIl9mTerA

Score
10/10
nullmixerprivateloaderaspackv2discoverydropperevasionloadertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://wxkeww.xyz/

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60f7542fc38ff540ec252c590d3e4695bbf314fa991352bde0239e64d8584b93.exe
    "C:\Users\Admin\AppData\Local\Temp\60f7542fc38ff540ec252c590d3e4695bbf314fa991352bde0239e64d8584b93.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\7zS47606947\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS47606947\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c karotima_1.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4476
        • C:\Users\Admin\AppData\Local\Temp\7zS47606947\karotima_1.exe
          karotima_1.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c karotima_2.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Users\Admin\AppData\Local\Temp\7zS47606947\karotima_2.exe
          karotima_2.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks SCSI registry key(s)
          PID:2316
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 380
            5⤵
            • Program crash
            PID:1112
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 500
        3⤵
        • Program crash
        PID:2192
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4936 -ip 4936
    1⤵
      PID:2308
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2316 -ip 2316
      1⤵
        PID:1084

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zS47606947\karotima_1.exe
        Filesize

        1.0MB

        MD5

        9108ad5775c76cccbb4eadf02de24f5d

        SHA1

        82996bc4f72b3234536d0b58630d5d26bcf904b0

        SHA256

        c9d5525b2f2b76087121039ee1c23ed35508e60f653479722ec64ea3a064878e

        SHA512

        19021a28555bba1fe1bdcdc8845f1bcadebd256c7db02b9329d6b44ae01a123a00e162cc34a97ba51f088cafa6f54ab1de8f82f771ac54b94a3a796f84f73362

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS47606947\karotima_2.txt
        Filesize

        189KB

        MD5

        cfeef9fb1902eaa5ad2306d7b1c6a2ae

        SHA1

        55951c93482438fc0acda4b069088abdff9e0871

        SHA256

        0222eb6132b627074df73fb2ae2584431c0012599681b00aa3eb0e63c99d7ee6

        SHA512

        37381e29878487fbf718d1d0133b020a496fd45b901ece39e45bcb52e4b1444ee9128087d98925407c445ec8d10b45bf3bde96ad863a58b48b8eb05e7186c65a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS47606947\libcurl.dll
        Filesize

        218KB

        MD5

        d09be1f47fd6b827c81a4812b4f7296f

        SHA1

        028ae3596c0790e6d7f9f2f3c8e9591527d267f7

        SHA256

        0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

        SHA512

        857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS47606947\libcurlpp.dll
        Filesize

        54KB

        MD5

        e6e578373c2e416289a8da55f1dc5e8e

        SHA1

        b601a229b66ec3d19c2369b36216c6f6eb1c063e

        SHA256

        43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

        SHA512

        9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS47606947\libgcc_s_dw2-1.dll
        Filesize

        113KB

        MD5

        9aec524b616618b0d3d00b27b6f51da1

        SHA1

        64264300801a353db324d11738ffed876550e1d3

        SHA256

        59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

        SHA512

        0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS47606947\libstdc++-6.dll
        Filesize

        647KB

        MD5

        5e279950775baae5fea04d2cc4526bcc

        SHA1

        8aef1e10031c3629512c43dd8b0b5d9060878453

        SHA256

        97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

        SHA512

        666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS47606947\libwinpthread-1.dll
        Filesize

        69KB

        MD5

        1e0d62c34ff2e649ebc5c372065732ee

        SHA1

        fcfaa36ba456159b26140a43e80fbd7e9d9af2de

        SHA256

        509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

        SHA512

        3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zS47606947\setup_install.exe
        Filesize

        287KB

        MD5

        f7e01b4e78a35a05c96cfbfceb857c54

        SHA1

        fed788895a5d5823cb5253362858e0c201ea6c79

        SHA256

        ec3e8a76df18ff7b5701c089ed5c1fd31dd3d34bd5d63080b6e3b1848c106e40

        SHA512

        c8276e0cc0320e35dcdca15992696ef9730b7a2fd2823a6a587d6b174715f269e87fae8fe9aa9102026817059f0c5ed89c74264c8ad9da2c11a11b78221352fd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
        Filesize

        1.6MB

        MD5

        4f3387277ccbd6d1f21ac5c07fe4ca68

        SHA1

        e16506f662dc92023bf82def1d621497c8ab5890

        SHA256

        767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

        SHA512

        9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

        Download Submit

      • memory/2316-78-0x0000000000400000-0x0000000002B74000-memory.dmp

        Filesize

        39.5MB

        Download

      • memory/4936-54-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4936-47-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4936-52-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4936-56-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4936-39-0x0000000000720000-0x00000000007AF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4936-40-0x000000006494A000-0x000000006494F000-memory.dmp

        Filesize

        20KB

        Download

      • memory/4936-55-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4936-57-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4936-41-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4936-53-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4936-51-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4936-50-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4936-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4936-48-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4936-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4936-44-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4936-43-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4936-45-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4936-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4936-35-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4936-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4936-72-0x0000000064940000-0x0000000064959000-memory.dmp

        Filesize

        100KB

        Download

      • memory/4936-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4936-70-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4936-69-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4936-68-0x000000006EB40000-0x000000006EB63000-memory.dmp

        Filesize

        140KB

        Download

      • memory/4936-33-0x000000006B280000-0x000000006B2A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4936-22-0x0000000000400000-0x000000000051E000-memory.dmp

        Filesize

        1.1MB

        Download