Analysis
-
max time kernel
139s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
28-12-2023 05:12
General
-
Target
WEXTRACT.exe
-
Size
1.5MB
-
MD5
12382062c6abc23ebdf6aec25f383fa4
-
SHA1
9834dc9a4fd1f037c574c27a932c96d68409c882
-
SHA256
24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
-
SHA512
6cd21a5803f7a90d3ea2b1c6a05def58e337773378c0aced7ac9d3538fa1f9a539b4c992bbe7655aa052abd88cde1bc8475a3a780187ac25edba89ba5806f55c
-
SSDEEP
49152:/I4a/fuUWyY2dhl3pmcmVFSD2TDi+SyEU/6QB4:wx/GUxmVoJvyR/6R
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Mystic stealer payload 6 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 15 IoCs
-
Loads dropped DLL 31 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe"C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rw4YT03.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rw4YT03.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nf4rn60.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nf4rn60.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NS8xD0.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NS8xD0.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6dg6UC8.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6dg6UC8.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ct2pQ14.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ct2pQ14.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ4OU94.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ4OU94.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kK0yG24.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kK0yG24.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Hm09Ej.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Hm09Ej.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ew995pG.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ew995pG.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ro9432.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ro9432.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 2683⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rs14bk1.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rs14bk1.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qP5Qb44.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qP5Qb44.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit1⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"2⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E2⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"2⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"2⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2476 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:340995 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login/1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform/1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:312 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6190.tmp\6191.tmp\6192.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ct2pQ14.exe"1⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F1⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\taskeng.exetaskeng.exe {6A8B1442-E540-49CE-A1DF-42A0AC1F62F6} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD5288d9e1cd16ce9a7609aa08febfd6274
SHA19a544e1cfb0b1cd3809942298760f7f785a37f73
SHA256510a2a36376452018babd3dfdc9d51bbc6c1c76307386f656707a1688f76ff71
SHA512b2d59aebcbaf462dad31c6247515534b816ab401add85faed8035ece90a61761513c73b6df98ac719dc3859f3f0d0d7a40f23157e0d8bd0e2033921036a500b8
-
Filesize
344B
MD50116c39252ecdb083a41230faabe1b29
SHA19562d1536e8ab936755c56e4b9787d5adbee4ada
SHA2563280be57e21ec700b69708b06c3147027b76231f28e1717f35cfbe80d5a92494
SHA512cf97e44256114cb7d604d5a75b5937e33a6a1ce0908df5dd11b0ab97b79511dc871c763bfdc6733fb3732c8538f0aa4ccfe08a207ba8d8a50673d6a32a39866b
-
Filesize
344B
MD5cba01ab095b7026c4a21dacc4bcf7229
SHA127f0b3d570836036ce664a391bd5b2e07f04a16f
SHA256c56f13007e1a9398b603c59db7adaab88f5411f51b9319dfd1b61e507511d7ee
SHA512cd47ffd28436550ddfdc0ec7b8af677da3567da816c7f92d99f2c5156f47dc2b665dfc6361ecc0d911be72753e820536a8469999ddde46925799031ca853c128
-
Filesize
344B
MD54133b0d37498f617ef81b1c04a572c35
SHA1e90020d2ed0351f6241e4687a9401df3a02d931d
SHA256988e5222cb99cb21740e80ac1315ad48efe478972eebca66f7cf60d972a7a8cb
SHA512121306073a5f5c7a0b0b35d5f8e4b52f8727021121cab4d940946e86929db3b8f159ff681101b60a1711892d620258a06f5d4f6c4114940d443578218fa0cfbb
-
Filesize
344B
MD58be477e06ae000a7a8e99591e14d5acf
SHA1b1ada7ddd0df99c3d6ad5c6a69981f1d77de29e2
SHA256fa4b3db88d6e7aed6f21b6bb60a49d09eb785e7cf2900105b6dc53eedd42cd58
SHA5128aeec384b0085918201a01eace901b50126adf9fbe123de3d172c549e7a45ff534ff3b04881a5bb08ae29b74eff6ea92d88fdb8692c8abbc834320eb6f3e3c27
-
Filesize
344B
MD5fa078bbb8d1531d87a23f0b727462f13
SHA10aaf5f48c42025dee9a72b56d9803c308b8fb2f4
SHA2564ab2766822030a905bcd6865d9be56dbcd3cc287b54b873f087796811fb2fe27
SHA512577d323ffbd270c4bca4e2b46e16b3925534b6cd168886b8f6ccea70b7773916445a098fcb0daecf011895b567954635038b2d7db4c3f516433cf073164b0707
-
Filesize
344B
MD5359b5f79c18d4982f219b9e20a0c9f5c
SHA1994c2694c278a0bec59d97fef69b5be05915e6fb
SHA256b1375d929b0351f84f55a32a830f89880bdd832d951b563df6cbe19f7cd001b6
SHA512a35597529de2057af3a6c37dda468dda813eeea06778441df32dccafa45ce922c7a7fa1990e2db54a401c3d3d9f8c85b83fb91007bb61a0b0ee921d527f320d9
-
Filesize
344B
MD5c9fef4988052f46ada70f546c3348312
SHA127e6f6c92f723f761d40b3da2a7c6df786b24640
SHA256993add292fc638abe88c0fc79ef12d319450ec871b86840261b7c48441f844b1
SHA51256699e548b634e8c08f9a015bd4efd4144a4742a82b15c994754aa71e810c4f3e7c32d7ad9fc19157ce5a7b1f8c90bd125936ec6f5519a4159f1ed175de05e7b
-
Filesize
344B
MD5847dcba30503ab3728aee6ece7e148e8
SHA135bae690966f7769645da526204f22a1375c3e90
SHA25688685dedd58ac28d18b3f1119b7845f0f32f1f11ad24001b28663091ff36d48e
SHA5120699d1d95319628d0754ecf10a0f0686e7c3df6ee962fe91eeba3a424e00a66daf96206b26e77d6e7548151df62e0a25c2f3db241cb416d94bc16882544ee45f
-
Filesize
344B
MD5f753b9e267a42696e7b96dc603fbbfa3
SHA16385aa4a274f73c154f9788cbe8e17185023ede1
SHA256e2ec25210f7c94f52cdd0136a5b3e37b58fadeb4c10ec13e97e1d20e12979e2f
SHA512c55b05bc6184178d0d070e2db15e045b84f34edf189b83d22a4fd4aa12e29ad2a00327cd7320cd64a1a9dbc85935cd3689000549770f3a666a052125f8c502d8
-
Filesize
344B
MD5e5b17031d6934e549c0e7cd109cf0a27
SHA1906da7308fa548e649c44f89a5777eaeb0dd888e
SHA256ae1eae5435d4a4d461493df0f0443548e7e38ec9539f35f0c559c1108f4522fc
SHA512953d645075a6287f43758af67961c4bf6f9336f53687de3d06892275c9df2469777ed990cb022a3eab4f1edacb69aa48c5dd3a0813a1d1cdebeced4088685584
-
Filesize
344B
MD5ca5ab47548a2adcc56c8be25f062f8c9
SHA18433dc5a26bb721a426640ad9198bdfba8fc1532
SHA2564adecd1e5619e0821c247f2ab9b8fba581ffde452d847afbdf76a0615cdab7ca
SHA512073490ac27d2f31d93c164886320162dd4e4b010ca4020abf2b3ffc30cabece9fd2594dcf6d7a172cfb8ca6a14e8f97504e31366e001163d1459015ad9e43de4
-
Filesize
344B
MD5bfb9686657a85da39986519aa6ada479
SHA1b914dfff9c3b006b90a43ab7e3eda9ab8328e29d
SHA2564077d329687a05dd7821e5d2cf4c886b6d11e8293aebad1a10eda6ac224a5da4
SHA512d4680fc59f2aecff6df4b79d9a709a5c483e102ec6c3a5a4812cff4ce09f96aa12951625b26c884a81c802c2b03ec2213005afec6775bfca202a8abd664582f2
-
Filesize
344B
MD50d5447b45cc1f2d703fdf16417feb634
SHA184f1fb854582813c0fdad6804f5189bfc9ff814a
SHA25693c156dd8a753d7c1abe858ae52c60e677c0b4c31cf35c0b684f80ee135e0130
SHA512b320aec95fb473fd56f5ae479b8b2e30d9f8e314a7d0f9168bd7f52fc971dd4abbf19993299911f7d1c0fd2f742a44b3a3e56ae5e17d810656b4dd696474a861
-
Filesize
344B
MD549f038d8c1591f7213f786b7961da790
SHA106fc055cb55ff8fbb9e26dd30751ef7d9c6f7424
SHA256b79bd7bad0a9ef96ee15a58e08a5b53ee697c9b111b5b03973e5ba91bd09eb3c
SHA512ab27b6754d8d6f03685407f0456af8f68b134872be41186d2c93cd64846d028df402e154cca8b0680aaaa6adebd69dd0a07552134ff29ee8edd2d433f0429592
-
Filesize
4KB
MD58cddca427dae9b925e73432f8733e05a
SHA11999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA25689676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA51220fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740
-
Filesize
923KB
MD5f2b9335f427340909c58e34ad5ba4695
SHA1d15e3d1d845044caa95203229409bff1d7eeff08
SHA256299101120b37964941ebb9532a247a182bf0b7056347f0f9e1726a1888423393
SHA5127f3244b79ddee22c22c38f8b3409bae1383b685b5eae5c770c436111b407ab8e7dd15fe8079c2138d85233156429d27af9683e147b6093a331bb5bf8a44ced5a
-
Filesize
1.4MB
MD5fb62038ce47da492e63bdf3792bcd369
SHA18e2219a8461fbc333268508b92e6576ebeaa4df0
SHA2567429f64766fcaac80460536e1439cd4b111fdf5607e0446ea407a6b065643fe4
SHA512c8b34d29263add49ed08c5b37809e46240c5436454da2e38387a1c73d22a71c152bc8a14d7007af656226b81c11d170605554b1f84935401015b2c486dc07cef
-
Filesize
88KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
36KB
-
Filesize
36KB