Overview

overview

10

Static

static

3

d6069cb7ac...00.exe

windows7-x64

10

d6069cb7ac...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    07-01-2024 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe

  • Size

    639KB

  • MD5

    92346d27eabac81e606d7153397e64e2

  • SHA1

    fd2b60f3663a6ffe24db4d8bd4d244bfd7e0ecaa

  • SHA256

    d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200

  • SHA512

    446b3f391e6f55bd1fb69969e74c42ba298bd06ab9509130e639da3e03f2720fa753921a1aec5c8e7732928d125a97a9ae2e0a2dbe7b705c1e183ab8a41c3063

  • SSDEEP

    12288:EMrWy90u8xoCoUCnq8yr2b2VmLKGQDzLfTf/1TW:ay9817x2wG+zHBW

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detect Mystic stealer payload 6 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe
    "C:\Users\Admin\AppData\Local\Temp\d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3dQ39Aq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3dQ39Aq.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2556
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2216
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2196
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2632
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 264
    1⤵
    • Program crash
    PID:2388
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
    Filesize

    92KB

    MD5

    1002ab281b502f501115aa013c42c64f

    SHA1

    c185ee672900c0c55d70e5ca261c5182260dc54b

    SHA256

    80e4ad1301ccf3a7c71482c4fac235f806c18b04513589128d5b0aeefd7db073

    SHA512

    8d159557b6b4d0c1125ceb5e3588d2b53d1da0151ac4b40f7bf821f8b7d36b2c1353ba46b1fa402ecbe1df15296f0d61d6f57370da25b62296fb5dfcceb442f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
    Filesize

    95KB

    MD5

    a758e12906836cc139c2739b4e5d28a6

    SHA1

    44f5ed9e5b5f08258819649b830290b1cb4070fe

    SHA256

    8b851a0bba381fa340d4d626471b692535ae38866d4e23658692bf37d216441f

    SHA512

    2de9624a0f0d4abe323f22dfc66f7486e7554cffabadeac92af524d1ca0fd48dcdf4947e2bd31d5cc921835356637ed94881de1fac2945d38848938db8de6638

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
    Filesize

    40KB

    MD5

    528221ae06f78f3c8080c7c583429a84

    SHA1

    1ff7b29fa5d24a8caeec25f910f484a1ea75e171

    SHA256

    3676400feeb8d8d84ad927c692ee3b734703d3b1abc4f84cc26668a761f0ab9c

    SHA512

    e29fc0a3e0b2864b9a8d5fcd26a3fa881c75dd525a70a0931aee18e24c12fe70d051d3c0eeae0fbfa997c7cf44a67c9951b7eeab96ba380d0521788eae5cfd36

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
    Filesize

    16KB

    MD5

    f86b0a075e3ea46611aeae4e4a78373c

    SHA1

    30b10beeddf95d16a1a1a37be82d51925d91fa66

    SHA256

    9b27e8b1f5801e4a2d6ec516e94afb24769fd6af2a517547ed9717600cb47f61

    SHA512

    4dd80a4c2f49935bfad242149d4e4c110abfeaae00d38ea4493606435f540f5812a6f7d56996d93e91935a1d40b1f5c17b0f1f5414387d188ecf49064001108b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
    Filesize

    4KB

    MD5

    63551b31efdaaaa20f56912377d36a27

    SHA1

    44ce9a0d031f1b02ac01b1c379841c7500cbcc2c

    SHA256

    1f68148d854bb7a8ad3444e28c3d068a595cfa471dd1a44ca4e173d0df863293

    SHA512

    4a67b820de3c72488d4b4dffaffc6348f9f9c9e43f3bbb233fa4fc655e7cccac81c2d00f4fd15818dd1fa465e41a5d1e761e5a95a40574c91302925764cd0238

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
    Filesize

    208KB

    MD5

    381b9579f1fbe7d6814fa0eee0565870

    SHA1

    9e3f9471b550ea01fcd193bf7a8ed9e820723d56

    SHA256

    10477ccbaee66eaa5e75bb6bccb44879ebd1b9e06663800cfc0ea15be2db4093

    SHA512

    f46a8657e021fbe285294ab5c94657aad466cf7f3f21442ebe7d0bd68a3e4ba0b0379c22c6cdc6cf04906b0c69967b8a5d7f632d8a01339f32427190f28cfa55

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
    Filesize

    124KB

    MD5

    5e3528cd580eb7ebb36948a8664d25ae

    SHA1

    b5dfa79d58ffdf48f7de2086407a504d80f162ec

    SHA256

    8dff346bfafd3f15c5db227226df640784bca6b6dbecea5b2df79f2f8ea8757a

    SHA512

    a254eb2a35ca45d1b15d7c3445d7309154f3350f922019c64f061dec332907a3af5bc6b2580b23220dbf75ddf07a666c1eac9dbdcd3a47f7f1136cd8e28ee2e1

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
    Filesize

    22KB

    MD5

    939cf05938ac1acee2f1131c9135d89e

    SHA1

    7564a35d0f9a51e7d8da70f11714b397546fafbe

    SHA256

    bf7801cf944c87d3eace9ab80b4f3614a44cd566fe799b9ef205d332c86eaacb

    SHA512

    d3a13fd96ed0674e1c3da2aec98c54496a602a12e39c4597eeb3b51b8dbe18adb11fed622d8e4db76b7faf14f09955d13991fd36e996e60f78fec15da824a422

    Download Submit

  • memory/1328-54-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1376-66-0x0000000002E40000-0x0000000002E56000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2196-30-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2196-28-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2196-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2196-26-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2196-25-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2196-24-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2196-23-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2196-32-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2556-67-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2556-64-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2556-65-0x0000000000020000-0x0000000000029000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2632-51-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2632-42-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2632-43-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2632-44-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2632-45-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2632-46-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2632-47-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2632-49-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2632-63-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download