Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
08-01-2024 20:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe
Resource
win7-20231215-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe
-
Size
639KB
-
MD5
92346d27eabac81e606d7153397e64e2
-
SHA1
fd2b60f3663a6ffe24db4d8bd4d244bfd7e0ecaa
-
SHA256
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200
-
SHA512
446b3f391e6f55bd1fb69969e74c42ba298bd06ab9509130e639da3e03f2720fa753921a1aec5c8e7732928d125a97a9ae2e0a2dbe7b705c1e183ab8a41c3063
-
SSDEEP
12288:EMrWy90u8xoCoUCnq8yr2b2VmLKGQDzLfTf/1TW:ay9817x2wG+zHBW
Malware Config
Extracted
Family
smokeloader
Version
2022
C2
http://77.91.68.29/fks/
rc4.i32
rc4.i32
Signatures
-
Detect Mystic stealer payload 6 IoCs
resource yara_rule behavioral1/memory/2720-50-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral1/memory/2720-51-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral1/memory/2720-49-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral1/memory/2720-53-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral1/memory/2720-67-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral1/memory/2720-55-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 4 IoCs
pid Process 2072 ao8cz88.exe 1372 1Og26XL6.exe 2760 2cS3266.exe 2596 3dQ39Aq.exe -
Loads dropped DLL 11 IoCs
pid Process 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 2072 ao8cz88.exe 2072 ao8cz88.exe 2072 ao8cz88.exe 1372 1Og26XL6.exe 2072 ao8cz88.exe 2072 ao8cz88.exe 2760 2cS3266.exe 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 2596 3dQ39Aq.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ao8cz88.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1372 set thread context of 2668 1372 1Og26XL6.exe 30 PID 2760 set thread context of 2720 2760 2cS3266.exe 33 -
Program crash 1 IoCs
pid pid_target Process procid_target 2572 2720 WerFault.exe 33 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3dQ39Aq.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3dQ39Aq.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3dQ39Aq.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2596 3dQ39Aq.exe 2596 3dQ39Aq.exe 2668 AppLaunch.exe 2668 AppLaunch.exe 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found 1240 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2596 3dQ39Aq.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2668 AppLaunch.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 2072 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 28 PID 2220 wrote to memory of 2072 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 28 PID 2220 wrote to memory of 2072 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 28 PID 2220 wrote to memory of 2072 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 28 PID 2220 wrote to memory of 2072 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 28 PID 2220 wrote to memory of 2072 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 28 PID 2220 wrote to memory of 2072 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 28 PID 2072 wrote to memory of 1372 2072 ao8cz88.exe 29 PID 2072 wrote to memory of 1372 2072 ao8cz88.exe 29 PID 2072 wrote to memory of 1372 2072 ao8cz88.exe 29 PID 2072 wrote to memory of 1372 2072 ao8cz88.exe 29 PID 2072 wrote to memory of 1372 2072 ao8cz88.exe 29 PID 2072 wrote to memory of 1372 2072 ao8cz88.exe 29 PID 2072 wrote to memory of 1372 2072 ao8cz88.exe 29 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 1372 wrote to memory of 2668 1372 1Og26XL6.exe 30 PID 2072 wrote to memory of 2760 2072 ao8cz88.exe 31 PID 2072 wrote to memory of 2760 2072 ao8cz88.exe 31 PID 2072 wrote to memory of 2760 2072 ao8cz88.exe 31 PID 2072 wrote to memory of 2760 2072 ao8cz88.exe 31 PID 2072 wrote to memory of 2760 2072 ao8cz88.exe 31 PID 2072 wrote to memory of 2760 2072 ao8cz88.exe 31 PID 2072 wrote to memory of 2760 2072 ao8cz88.exe 31 PID 2760 wrote to memory of 2992 2760 2cS3266.exe 32 PID 2760 wrote to memory of 2992 2760 2cS3266.exe 32 PID 2760 wrote to memory of 2992 2760 2cS3266.exe 32 PID 2760 wrote to memory of 2992 2760 2cS3266.exe 32 PID 2760 wrote to memory of 2992 2760 2cS3266.exe 32 PID 2760 wrote to memory of 2992 2760 2cS3266.exe 32 PID 2760 wrote to memory of 2992 2760 2cS3266.exe 32 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2760 wrote to memory of 2720 2760 2cS3266.exe 33 PID 2220 wrote to memory of 2596 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 34 PID 2220 wrote to memory of 2596 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 34 PID 2220 wrote to memory of 2596 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 34 PID 2220 wrote to memory of 2596 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 34 PID 2220 wrote to memory of 2596 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 34 PID 2220 wrote to memory of 2596 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 34 PID 2220 wrote to memory of 2596 2220 d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe 34 PID 2720 wrote to memory of 2572 2720 AppLaunch.exe 35 PID 2720 wrote to memory of 2572 2720 AppLaunch.exe 35 PID 2720 wrote to memory of 2572 2720 AppLaunch.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe"C:\Users\Admin\AppData\Local\Temp\d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:2992
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 2685⤵
- Program crash
PID:2572
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3dQ39Aq.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3dQ39Aq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2596
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD56c37f769c720938dd2223863c71e961e
SHA132f2c9e51dd144da0023f4ef81fdc15e11fc02da
SHA2560d68b15aed1853a449c5baf28d7cb6249a18a47e3559010814b82b5fccc21caa
SHA5120cb767ca9faf107944e0dcd469750910df9b5df7d9ddae0d33dbe28f86bab57f37eadf1f2405296b19e03e884e6316528009bbc29ef2b0b78cbf722afaa286ee
-
Filesize
515KB
MD5a02e25299ae857551a4525647fc0533d
SHA172b43753b24d89b5383bfe1332dfec7413ddc00c
SHA256fb9efd950ddab810501c8d3c22736d03896ef860696c06631c988c618f5bcf4c
SHA51207877106f8540b38eda894fe7d67b1b99579bceee0d8e17e1fb191eabd95bdb45133509e6441e832dfe788132763aa2add4aef341b8f4f62fec2ddd3f5113dd0
-
Filesize
869KB
MD55f0632d60d00f8f6ab677ee7f8727416
SHA1ab4db63850568f0d3ea91e0c2665b59317fa22c9
SHA2567247d13084eea57e8d80d6fdb483bb8ec4ad8a96c846e9c1193390829daeb08d
SHA512254af7965a2d6662afa77650a79954bd754bc7727384bf7b4d60cae49c49c3bbc6173f4b461a3f1af5cafb5b83531a6ffe9660cd92ee3824f896f8861c76dbc9
-
Filesize
1.0MB
MD5a5a72ed79ae5e9780a11e88e6c6853c2
SHA19c59ba2bdb9066bedc108596ed94633c824edec8
SHA2564d29c049f541cf4cfc30160228c05c981a115b3890004fb839ff261b99b62051
SHA51284b85e7ce7701c18bffba0a76a289ab8f43dffaa77604d2c4e3682feb3dd8e937a70b00aba3213c5303d3ffa7bfc7e97008d39505087ace7c3cce9baac9b9d88