Overview

overview

10

Static

static

3

WEXTRACT.exe

windows7-x64

10

WEXTRACT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2024 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WEXTRACT.exe

  • Size

    427KB

  • MD5

    be982f88b4dc59376512980069e223e6

  • SHA1

    0e410efd5f98f96ae5cea91ea60a827db48bdb11

  • SHA256

    17c7cc079465da191a8ed1512b8088b869415f5bc5bccf3eb72b0820b7f35619

  • SHA512

    b763f0235689765d1aceefc76925cc6b714630e1760b6e221b378263e9019e18f5f2002bcbb242ce1016efbc0ff79d7645c3025e7b7a6f27daba02552377a197

  • SSDEEP

    6144:K2y+bnr+Bp0yN90QEF6VvTOaAJL63hsjz+7Ha3th4oIrfwXxp3DMgZtyXs2bBub9:+MrZy90KdIJLUxstfWfwXxpzMg+RQ9

Score
10/10
mysticsmokeloaderbackdoorpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe
    "C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0143080.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0143080.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8638369.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8638369.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4268
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:2012
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 156
          4⤵
          • Program crash
          PID:3552
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5299161.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5299161.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4208
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 540
              5⤵
              • Program crash
              PID:4240
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 160
            4⤵
            • Program crash
            PID:1196
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2304229.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2304229.exe
        2⤵
        • Executes dropped EXE
        PID:1524
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4268 -ip 4268
      1⤵
        PID:732
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2728 -ip 2728
        1⤵
          PID:4468
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4208 -ip 4208
          1⤵
            PID:4436
          • C:\Users\Admin\AppData\Roaming\wtfddvi
            C:\Users\Admin\AppData\Roaming\wtfddvi
            1⤵
            • Executes dropped EXE
            PID:4384

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          2
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2304229.exe
            Filesize

            24KB

            MD5

            ae1128f8325cc4d45ed289c024b585e8

            SHA1

            66c7e968252d8bed88fe0d48f175253d098fe347

            SHA256

            eb349ba4b46439f870afa6be6d8e7929aa2aa7703dd05c06849243c7397e9106

            SHA512

            c6989844b3bcf937783c9a0d44a8a9ecdae4a89a9c6211f557cb7defc009a2aeeaa0a0f6d7126598fcb8958be51c1432be88a8bcbe27de8bf2404b76143d8b20

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0143080.exe
            Filesize

            325KB

            MD5

            6d3e807bc5b1075951cb02aee1040ce4

            SHA1

            e46b8731eb240af658cd92f869b9c4c48255d572

            SHA256

            3044994d68ed802e317cd4395ed588a0928dd006e4359ff907691fdcfd3b45f7

            SHA512

            b2bccf1135ef7a8d0adfeaa158933e730206e0cbf3920ffab0a8aad0eda01d6c14ac176bf0215bcb0e77385b6f5562fb1ddb7e87a8acb8cfdb3290dd1800ea2f

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8638369.exe
            Filesize

            166KB

            MD5

            6b3b5578bfce84e4564382d8dcb84c88

            SHA1

            fbe695d073f9bf1c4480f0da2e75de798d58deba

            SHA256

            48eab4277fff7669eb09844dd2d5de7a5edc2a487a6a4ef9b540785fff1bc9c1

            SHA512

            c4b48b40fdb6ebdbfd4cd6c42a4ce34c8a5d4e74163eda9cb197e7bad1a2d2bb80653b1ecb47dbb4ad106e1570663945de22301623aceef70c802354091957f8

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5299161.exe
            Filesize

            276KB

            MD5

            12d4bca9bbb0cd07025f3dcaed7eb23a

            SHA1

            ac51d5a3e131b07440e63d4e1d28ac29431aebf3

            SHA256

            f50a9e7dc019f9e0e7505636e2616867326662af461b34f43946263301fa6ee1

            SHA512

            9630feebdd23900b7db614d5edce27d17511036c439f754116cc2ddb84e5950b62c2a7ff3dfab9abb6ab6f5f9e6f2db4a883a9ad987de8db14f4a2a78da3099d

            Download Submit
          • C:\Users\Admin\AppData\Roaming\wtfddvi
            Filesize

            101KB

            MD5

            89d41e1cf478a3d3c2c701a27a5692b2

            SHA1

            691e20583ef80cb9a2fd3258560e7f02481d12fd

            SHA256

            dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

            SHA512

            5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

            Download Submit
          • memory/2012-15-0x0000000000400000-0x0000000000409000-memory.dmp
            Filesize

            36KB

            Download
          • memory/2012-28-0x0000000000400000-0x0000000000409000-memory.dmp
            Filesize

            36KB

            Download
          • memory/2012-14-0x0000000000400000-0x0000000000409000-memory.dmp
            Filesize

            36KB

            Download
          • memory/3528-27-0x0000000003120000-0x0000000003136000-memory.dmp
            Filesize

            88KB

            Download
          • memory/4208-20-0x0000000000400000-0x0000000000428000-memory.dmp
            Filesize

            160KB

            Download
          • memory/4208-21-0x0000000000400000-0x0000000000428000-memory.dmp
            Filesize

            160KB

            Download
          • memory/4208-23-0x0000000000400000-0x0000000000428000-memory.dmp
            Filesize

            160KB

            Download
          • memory/4208-19-0x0000000000400000-0x0000000000428000-memory.dmp
            Filesize

            160KB

            Download