General

  • Target

    505337287dea213362a7634f55120c21485f425b

  • Size

    1.9MB

  • Sample

    241110-tjdhvazhla

  • MD5

    72b4806a451235e858b56cabbbb64532

  • SHA1

    505337287dea213362a7634f55120c21485f425b

  • SHA256

    e632a6469a39fac016c283b2efdd43d406bee10209f240d6fd22816cef8da457

  • SHA512

    a5bd597a92b07ce6838de5b86b2d949b1dcb54519e7a6da5b0f57a06ef3b4a103cd4b7dd625825bc2d31fecad0ca92f7c058c9274fab5bbccf115743fddc611a

  • SSDEEP

    49152:LgFJZ0lvGFVCyP7uohkW4bRanRrwstCl9NIgHW:sFJeZGFVd7uohGcRntCl9NIg2

Malware Config

Extracted

Family

nullmixer

C2

http://wxkeww.xyz/

Targets

    • Target

      sample

    • Size

      1.9MB

    • MD5

      37f4e96b9d4799bfe8818b957f654229

    • SHA1

      d7e7653a5fde002d157fc0463f00793444f2cec1

    • SHA256

      46d3b897f34528a04f869085b798098868c84c8f6385e86776f11c5f0b4fa698

    • SHA512

      afaa78eb55a51e1554664806b36f5391aae411e8303c3cacd7ae65883bd9f024804c072bb1b04d7e4568fac043a2a083751c3542ae07b9954fbd9498956e446c

    • SSDEEP

      49152:EgFHZKlJGLroKP9Skhuee5zanTfw+tCXHXIg+J:JFHoLGLrd9SkhQiTTtCXHXIgy

    • Modifies Windows Defender Real-time Protection settings

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      setup_installer.exe

    • Size

      1.9MB

    • MD5

      b2f70eb858dfaec80293b9b64e3f27e4

    • SHA1

      eef1eddd4cd6f35a9af2f7b8da646bc30d7a1e5a

    • SHA256

      b1914ff05df9f8bb2945b6a426ab944b9847686b50f7137f3e04d045966c05ff

    • SHA512

      367068e5b12ac20014cff3defc4c62b5fad4064e133da621a68ea9d31f2baeb3c8f2c5ab0c3cd6cd6a163b09a4e8142ac28db2fdbbd8a29c5aa1dc8fbcbfd324

    • SSDEEP

      49152:xcBxvy10E+QMWcLctpCOOeWAbaW44EwJ84vLRaBtIl9mTI+MAYs:xU4MWcApaeW9FvCvLUBsKITds

    • Modifies Windows Defender Real-time Protection settings

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    • Nullmixer family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks