Overview

overview

10

Static

static

3

d6069cb7ac...00.exe

windows7-x64

10

d6069cb7ac...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    76s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-01-2024 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe

  • Size

    639KB

  • MD5

    92346d27eabac81e606d7153397e64e2

  • SHA1

    fd2b60f3663a6ffe24db4d8bd4d244bfd7e0ecaa

  • SHA256

    d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200

  • SHA512

    446b3f391e6f55bd1fb69969e74c42ba298bd06ab9509130e639da3e03f2720fa753921a1aec5c8e7732928d125a97a9ae2e0a2dbe7b705c1e183ab8a41c3063

  • SSDEEP

    12288:EMrWy90u8xoCoUCnq8yr2b2VmLKGQDzLfTf/1TW:ay9817x2wG+zHBW

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe
    "C:\Users\Admin\AppData\Local\Temp\d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5620
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2500
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4356
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3468
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 540
              5⤵
              • Program crash
              PID:536
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3dQ39Aq.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3dQ39Aq.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2416
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3468 -ip 3468
      1⤵
        PID:468

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3dQ39Aq.exe
        Filesize

        31KB

        MD5

        6c37f769c720938dd2223863c71e961e

        SHA1

        32f2c9e51dd144da0023f4ef81fdc15e11fc02da

        SHA256

        0d68b15aed1853a449c5baf28d7cb6249a18a47e3559010814b82b5fccc21caa

        SHA512

        0cb767ca9faf107944e0dcd469750910df9b5df7d9ddae0d33dbe28f86bab57f37eadf1f2405296b19e03e884e6316528009bbc29ef2b0b78cbf722afaa286ee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
        Filesize

        56KB

        MD5

        4cc23f10cd79ce8d276d84d3d1df0b6c

        SHA1

        877d42f2a3c8d80e986a7b2e86b3ce28019aec08

        SHA256

        6e48d32fc8e631ff0ef76f7cae6f2c7529d675d428f8fbac66b30a614e198430

        SHA512

        060e2139d3a2dfcd5825adb9774bb8795ca0ee270518d712d29b0276a4783f9378239b679cc01ae387a555b1185aed632fd700f638b3dbae95f175e555b7b36e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
        Filesize

        44KB

        MD5

        3045908ebe17e7ca2902d8253d74c525

        SHA1

        1c27f518e51b52668d48a7e70d334ac95e3fbc73

        SHA256

        8025f9fe75fb478ae5468191932665ec593cd15010053d8d6f459ef2c0186483

        SHA512

        99199e2df3115b2d97cb0890ea64139b38a0c7eecdece6dfa008644029fb95fa2e1c40398a4c2108ab6532c36fb202546ef0d5cf7023b3fc3dd31c731f872016

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
        Filesize

        274KB

        MD5

        fda3cb4f9d8f6e487e89ef9b7416c789

        SHA1

        779d51c95a99782ceb683a70aa5e2e0e28e0b7d9

        SHA256

        91fc146746cbdfd089940268766349909fdd8d279841b839306e0548217b3653

        SHA512

        9fe79dd528512f94c931ce51a9ffd888a38ec536f5f77c72c2edae94aa118039c5e8e2e4f375d58241b898bf31d2cca9f7bf071ccfa1631821f5d86225940f1a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
        Filesize

        262KB

        MD5

        e0920ce92d5697cfc452ada9cc18dd96

        SHA1

        e58cf584696ad5ebbea0b460a963c13fbf04b2a8

        SHA256

        dfa8ee163222b52f024ac953529c3532e439a3ee8e6714f2425d5f0d6973357f

        SHA512

        9318e1d755a02c0766bb61644764c1de719996f5a46ba34be6055d03a0451ae0f86688f4d80258a1e5fe1d08941b9fd9a18c425151568c6773060074ca953614

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exe
        Filesize

        271KB

        MD5

        a04e9bd791f21b588caf0f0cf3867d27

        SHA1

        0c05c23a8f2780c2b951b26b3597abdf1fe61544

        SHA256

        76fbb174c408ec5d9f8b878774c96e3a0ee450be523d88275437f37cad09f7bf

        SHA512

        f4912b7ba2cda489b7d7828bda577ce70fd896dc6d0b2398b7bd56874ffbe6cf3e9df409e33f45ff84e2b690bd8ec76d885f360a3d742587320e951ada5f6e58

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exe
        Filesize

        284KB

        MD5

        362ab0116cf2904e3d0e6455e6df3e71

        SHA1

        5aea95de4e29dc05bc7603f71d0865eb95276dfd

        SHA256

        7b87a4fde0688e89deaa0abfce928526cc333eef75f8402d69ac2ca9fe6437c1

        SHA512

        558ff5d01e73cbaad90b6fe1509a7bc339bcdbc4d2c2a06f5674444c032197fc167b0dc67470c90c660bd8e679cf5d239061de6b6dd494713c6b8e74b58ed721

        Download Submit

      • memory/2416-27-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2416-29-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2500-14-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2500-18-0x00000000749D0000-0x0000000075180000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2500-33-0x00000000749D0000-0x0000000075180000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3428-28-0x0000000002E30000-0x0000000002E46000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3468-21-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/3468-20-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/3468-23-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/3468-19-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download