Overview

overview

10

Static

static

3

WEXTRACT.exe

windows7-x64

10

WEXTRACT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2024 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WEXTRACT.exe

  • Size

    427KB

  • MD5

    be982f88b4dc59376512980069e223e6

  • SHA1

    0e410efd5f98f96ae5cea91ea60a827db48bdb11

  • SHA256

    17c7cc079465da191a8ed1512b8088b869415f5bc5bccf3eb72b0820b7f35619

  • SHA512

    b763f0235689765d1aceefc76925cc6b714630e1760b6e221b378263e9019e18f5f2002bcbb242ce1016efbc0ff79d7645c3025e7b7a6f27daba02552377a197

  • SSDEEP

    6144:K2y+bnr+Bp0yN90QEF6VvTOaAJL63hsjz+7Ha3th4oIrfwXxp3DMgZtyXs2bBub9:+MrZy90KdIJLUxstfWfwXxpzMg+RQ9

Score
10/10
mysticsmokeloaderbackdoorpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe
    "C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0143080.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0143080.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5299161.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5299161.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:184
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:220
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 608
            4⤵
            • Program crash
            PID:624
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:3836
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
                PID:3052
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2304229.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2304229.exe
            2⤵
            • Executes dropped EXE
            PID:4832
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4376 -ip 4376
          1⤵
            PID:460
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 584
            1⤵
            • Program crash
            PID:4972
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            1⤵
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:116
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8638369.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8638369.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4376
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 184 -ip 184
            1⤵
              PID:4864
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 540
              1⤵
              • Program crash
              PID:1444
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3836 -ip 3836
              1⤵
                PID:5084
              • C:\Users\Admin\AppData\Roaming\dbtsrss
                C:\Users\Admin\AppData\Roaming\dbtsrss
                1⤵
                • Executes dropped EXE
                PID:1968

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Defense Evasion

              Modify Registry

              1
              T1112

              Credential Access

              Discovery

              Query Registry

              2
              T1012

              Peripheral Device Discovery

              1
              T1120

              System Information Discovery

              1
              T1082

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0143080.exe
                Filesize

                325KB

                MD5

                6d3e807bc5b1075951cb02aee1040ce4

                SHA1

                e46b8731eb240af658cd92f869b9c4c48255d572

                SHA256

                3044994d68ed802e317cd4395ed588a0928dd006e4359ff907691fdcfd3b45f7

                SHA512

                b2bccf1135ef7a8d0adfeaa158933e730206e0cbf3920ffab0a8aad0eda01d6c14ac176bf0215bcb0e77385b6f5562fb1ddb7e87a8acb8cfdb3290dd1800ea2f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8638369.exe
                Filesize

                166KB

                MD5

                6b3b5578bfce84e4564382d8dcb84c88

                SHA1

                fbe695d073f9bf1c4480f0da2e75de798d58deba

                SHA256

                48eab4277fff7669eb09844dd2d5de7a5edc2a487a6a4ef9b540785fff1bc9c1

                SHA512

                c4b48b40fdb6ebdbfd4cd6c42a4ce34c8a5d4e74163eda9cb197e7bad1a2d2bb80653b1ecb47dbb4ad106e1570663945de22301623aceef70c802354091957f8

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5299161.exe
                Filesize

                276KB

                MD5

                12d4bca9bbb0cd07025f3dcaed7eb23a

                SHA1

                ac51d5a3e131b07440e63d4e1d28ac29431aebf3

                SHA256

                f50a9e7dc019f9e0e7505636e2616867326662af461b34f43946263301fa6ee1

                SHA512

                9630feebdd23900b7db614d5edce27d17511036c439f754116cc2ddb84e5950b62c2a7ff3dfab9abb6ab6f5f9e6f2db4a883a9ad987de8db14f4a2a78da3099d

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5299161.exe
                Filesize

                92KB

                MD5

                d845d020c5a9a23417739a81c3deeb01

                SHA1

                93f4623b3c5bec52cf7ed03a5efc4747bc6f8c11

                SHA256

                ddfba974503d3e2cb2be859fda19971e571c4df9167f9b8ccc66bcab35583fe1

                SHA512

                7013ff4c2649e44fa26ddbd3f218951fdc187c9137cd4e77bbff03e83c2bbf4b55c7cebae21ffcc3987a3ea7674cc065224712989a98d817fbb7574f4c1b73f6

                Download Submit
              • C:\Users\Admin\AppData\Roaming\dbtsrss
                Filesize

                101KB

                MD5

                89d41e1cf478a3d3c2c701a27a5692b2

                SHA1

                691e20583ef80cb9a2fd3258560e7f02481d12fd

                SHA256

                dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

                SHA512

                5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

                Download Submit
              • C:\Users\Admin\AppData\Roaming\dbtsrss
                Filesize

                65KB

                MD5

                dd33a5e42a605baf20ef30022c8e8868

                SHA1

                0fa579d7d8b1f9ae272aca6bee4a4662b48a8865

                SHA256

                0bc834f9566101f894bd2daeb923b9545e6faff9eeab332e5310a5ec638b69a5

                SHA512

                20b047c81db3c8db1df14a888f4001f85fa3be79ec2b30086045aec1e4b6ee4d8dc02a9cd4c2ebf96e7fee86b56bbfc042d16e206a74a34455a8588988ed1063

                Download Submit
              • memory/116-15-0x0000000000400000-0x0000000000409000-memory.dmp
                Filesize

                36KB

                Download
              • memory/116-14-0x0000000000400000-0x0000000000409000-memory.dmp
                Filesize

                36KB

                Download
              • memory/116-28-0x0000000000400000-0x0000000000409000-memory.dmp
                Filesize

                36KB

                Download
              • memory/3504-27-0x0000000002410000-0x0000000002426000-memory.dmp
                Filesize

                88KB

                Download
              • memory/3836-23-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download
              • memory/3836-19-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download
              • memory/3836-20-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download
              • memory/3836-21-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download