Overview

overview

10

Static

static

3

91cc08eaa2...3b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2023 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b.exe

  • Size

    652KB

  • MD5

    f4e05067b330b3af02bcbe478c14dc70

  • SHA1

    dac73148c5ee4176574c51e7429f482a21c0dde6

  • SHA256

    91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b

  • SHA512

    4ee5ff2a6f0150d39968122d2e25cd68839f3f8c085df3a0b11ea2d16a5be583160c38b3d5236b904b50a9657c4f23922eb171ef7819a846c8326bb899228a2d

  • SSDEEP

    12288:EMray90Q5kgF6ABsLF4lZV1xX4dZdXprV8qT7zSrawUGcE3b6QfYBctEQ48:+yb5ku6m6YDvX4dZxJV3v2awUO3b6gt

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b.exe
    "C:\Users\Admin\AppData\Local\Temp\91cc08eaa2d516fe6b48ecf473dac67146c347e939a09646e1e141008e82003b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XP3ZS95.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XP3ZS95.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ct04Vl5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ct04Vl5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3180
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Uo6408.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Uo6408.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3100
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2348
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 540
              5⤵
              • Program crash
              PID:1196
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3LC43Hg.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3LC43Hg.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2348 -ip 2348
      1⤵
        PID:3912

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Impair Defenses

      1
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3LC43Hg.exe
        Filesize

        31KB

        MD5

        16634b87b4b7ce5c0f7890a3e346872a

        SHA1

        83b847720559d7df3ea5012a02b3fdd7e237453c

        SHA256

        0d6b117dd39fa10e7222511eb6b8cd523697afd628578dcdec9afe07a7981102

        SHA512

        de83082d9df19f62f39bc622ce9aa4dde4434f2cb587689e6a98162b4b71e170bbebad31c29b075f4ca77963c500e91e1f0b59519a5a99408f60701afcc041f7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3LC43Hg.exe
        Filesize

        31KB

        MD5

        16634b87b4b7ce5c0f7890a3e346872a

        SHA1

        83b847720559d7df3ea5012a02b3fdd7e237453c

        SHA256

        0d6b117dd39fa10e7222511eb6b8cd523697afd628578dcdec9afe07a7981102

        SHA512

        de83082d9df19f62f39bc622ce9aa4dde4434f2cb587689e6a98162b4b71e170bbebad31c29b075f4ca77963c500e91e1f0b59519a5a99408f60701afcc041f7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XP3ZS95.exe
        Filesize

        528KB

        MD5

        90f8d6aa2d0ac143af8b2325da31d0f1

        SHA1

        dded159f748c5b6981b65d9cc17eb38821018a71

        SHA256

        559ef6d007b8d5f9e158db0a3cc1874510f3dcbfc70d9616684a1fb0eb874410

        SHA512

        a1efb35396faa1dced8e63d6a93ad1b9764921662bc1005e523fb465735818972c68ad7caa0dfb30d481190f57acd8f880cc197df72eaddd6c9c7ac5ca401816

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XP3ZS95.exe
        Filesize

        528KB

        MD5

        90f8d6aa2d0ac143af8b2325da31d0f1

        SHA1

        dded159f748c5b6981b65d9cc17eb38821018a71

        SHA256

        559ef6d007b8d5f9e158db0a3cc1874510f3dcbfc70d9616684a1fb0eb874410

        SHA512

        a1efb35396faa1dced8e63d6a93ad1b9764921662bc1005e523fb465735818972c68ad7caa0dfb30d481190f57acd8f880cc197df72eaddd6c9c7ac5ca401816

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ct04Vl5.exe
        Filesize

        869KB

        MD5

        16845166d35dce3b8448951e5bae39a1

        SHA1

        4ecec929c2ffee9da37f8d286043fba01f7b012b

        SHA256

        357f0652da4463cca48b419ada2fb7f1455f9661636bb2aa0413537e5efaf06f

        SHA512

        eb3cf083503932f2b66daa7030f6bfb1e2ac37b3f5aa37f6ffbcbbc2fe5e184162cd94d6fec66542920845842e4d787b6038a0bfb0c71c9852fd513a24d0cbde

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ct04Vl5.exe
        Filesize

        869KB

        MD5

        16845166d35dce3b8448951e5bae39a1

        SHA1

        4ecec929c2ffee9da37f8d286043fba01f7b012b

        SHA256

        357f0652da4463cca48b419ada2fb7f1455f9661636bb2aa0413537e5efaf06f

        SHA512

        eb3cf083503932f2b66daa7030f6bfb1e2ac37b3f5aa37f6ffbcbbc2fe5e184162cd94d6fec66542920845842e4d787b6038a0bfb0c71c9852fd513a24d0cbde

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Uo6408.exe
        Filesize

        1.0MB

        MD5

        178f95576ac414f0543a919a98ac21da

        SHA1

        2abc8ab9b61c9e3615dfbaa9059e15f7c57eb27b

        SHA256

        a761e031c130c1308e0d02fe5eb0eeaff66e92e1a70a693a968f53bbb197ffd8

        SHA512

        f7ef1fb8f14bf799806d1eb8fe2835c20230c2234a64ed9ce22c8e5a1751bc74d4a27aece973c6becbefc04b82a3e3a8b5c42521235e0781dddd6fdac344baaa

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Uo6408.exe
        Filesize

        1.0MB

        MD5

        178f95576ac414f0543a919a98ac21da

        SHA1

        2abc8ab9b61c9e3615dfbaa9059e15f7c57eb27b

        SHA256

        a761e031c130c1308e0d02fe5eb0eeaff66e92e1a70a693a968f53bbb197ffd8

        SHA512

        f7ef1fb8f14bf799806d1eb8fe2835c20230c2234a64ed9ce22c8e5a1751bc74d4a27aece973c6becbefc04b82a3e3a8b5c42521235e0781dddd6fdac344baaa

        Download Submit
      • memory/1968-27-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1968-29-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

        Download
      • memory/2348-19-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2348-21-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2348-20-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2348-25-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/3180-18-0x0000000073F30000-0x00000000746E0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3180-14-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3180-33-0x0000000073F30000-0x00000000746E0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3416-28-0x0000000002630000-0x0000000002646000-memory.dmp
        Filesize

        88KB

        Download