Overview

overview

10

Static

static

3

NEAS.a4fab...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2023 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.a4fab58cfff9ddd79c0d4cdfd8de4020.exe

  • Size

    643KB

  • MD5

    a4fab58cfff9ddd79c0d4cdfd8de4020

  • SHA1

    7326e468fcd49b5c381d5f188906ba94ed3ee0c5

  • SHA256

    a555775d27b965ad4eef2919173dda2965e9a9752c64abea96104b2905bf6fc9

  • SHA512

    f3fe80b2fc5795a74e885997eccfee1e8628c425aa525721280e834baf3c04d99b4f33e00d02971089980c089d423e0ebbf8a33c60dd42199a91e015e70157e9

  • SSDEEP

    12288:DMrIy901z3rVYOcLE89QaDJnxuUPFWJeeVbIgHSicWtr:fyGDrVXoJnxTdCeUIgbntr

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.a4fab58cfff9ddd79c0d4cdfd8de4020.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.a4fab58cfff9ddd79c0d4cdfd8de4020.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\il2jT20.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\il2jT20.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Sl50iM6.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Sl50iM6.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3328
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2xh6846.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2xh6846.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2608
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 548
              5⤵
              • Program crash
              PID:5012
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3qc76cL.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3qc76cL.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2984
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2608 -ip 2608
      1⤵
        PID:4960

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3qc76cL.exe
        Filesize

        30KB

        MD5

        c3c9d485fe15c1a8a6811d1d38134729

        SHA1

        a0900676463c1ff3a40fa6c8c97dd59a5ed7ff83

        SHA256

        129c6de8a7a40455bc7eae64d968434cbcf59ef3e680aef647287e440b28a5f1

        SHA512

        2c049b60a83ce98cd21b812db5d4fb6ed7fc2489f4ae7ec35799383d2784bc323a5931307fd4c822d0e42b55bfefbfdbbd836a3b064d8da16e32c79322a33aaf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3qc76cL.exe
        Filesize

        30KB

        MD5

        c3c9d485fe15c1a8a6811d1d38134729

        SHA1

        a0900676463c1ff3a40fa6c8c97dd59a5ed7ff83

        SHA256

        129c6de8a7a40455bc7eae64d968434cbcf59ef3e680aef647287e440b28a5f1

        SHA512

        2c049b60a83ce98cd21b812db5d4fb6ed7fc2489f4ae7ec35799383d2784bc323a5931307fd4c822d0e42b55bfefbfdbbd836a3b064d8da16e32c79322a33aaf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\il2jT20.exe
        Filesize

        518KB

        MD5

        4a6230d8764d0f059e0d4d3c1d647901

        SHA1

        12948e95eeed56029288b1b5f8c58efad4020a45

        SHA256

        cf3b571cb1eff66d4b4fe8e9f1e808323f5a5c7c9f0932f3cf5c14001213f87a

        SHA512

        97c258eaf1200c53ca8d728e288c26ffd9bf7df47f5534851e47c750037ae8c1b2607c52517d7bea2909c562b0fecd5d566cc8d1a2ae7ce1d1d3a71230bc4c4e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\il2jT20.exe
        Filesize

        518KB

        MD5

        4a6230d8764d0f059e0d4d3c1d647901

        SHA1

        12948e95eeed56029288b1b5f8c58efad4020a45

        SHA256

        cf3b571cb1eff66d4b4fe8e9f1e808323f5a5c7c9f0932f3cf5c14001213f87a

        SHA512

        97c258eaf1200c53ca8d728e288c26ffd9bf7df47f5534851e47c750037ae8c1b2607c52517d7bea2909c562b0fecd5d566cc8d1a2ae7ce1d1d3a71230bc4c4e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Sl50iM6.exe
        Filesize

        874KB

        MD5

        9eee364499677bcd3f52ac655db1097b

        SHA1

        d65d31912b259e60c71af9358b743f3e137c8936

        SHA256

        1ba694e249e4faca92ccce8670b5d6e2a5e6ac0d1f523220a91f75aab3d78155

        SHA512

        1364dece0df02e181c2feb9a3b9e559662945991d3919ae0c1db2fcc091de3ceb349dcf4e4921b904e265263e6a2cca9c83a6a914ca9544850f8d2bb2fe41678

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Sl50iM6.exe
        Filesize

        874KB

        MD5

        9eee364499677bcd3f52ac655db1097b

        SHA1

        d65d31912b259e60c71af9358b743f3e137c8936

        SHA256

        1ba694e249e4faca92ccce8670b5d6e2a5e6ac0d1f523220a91f75aab3d78155

        SHA512

        1364dece0df02e181c2feb9a3b9e559662945991d3919ae0c1db2fcc091de3ceb349dcf4e4921b904e265263e6a2cca9c83a6a914ca9544850f8d2bb2fe41678

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2xh6846.exe
        Filesize

        1.1MB

        MD5

        7e88670e893f284a13a2d88af7295317

        SHA1

        4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

        SHA256

        d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

        SHA512

        01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2xh6846.exe
        Filesize

        1.1MB

        MD5

        7e88670e893f284a13a2d88af7295317

        SHA1

        4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

        SHA256

        d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

        SHA512

        01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

        Download Submit

      • memory/2608-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2608-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2608-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2608-23-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2984-27-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2984-31-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/3140-28-0x0000000003220000-0x0000000003236000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3328-18-0x0000000073D80000-0x0000000074530000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3328-14-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3328-33-0x0000000073D80000-0x0000000074530000-memory.dmp

        Filesize

        7.7MB

        Download