Overview

overview

10

Static

static

3

d6069cb7ac...00.exe

windows7-x64

10

d6069cb7ac...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2024 20:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe

  • Size

    639KB

  • MD5

    92346d27eabac81e606d7153397e64e2

  • SHA1

    fd2b60f3663a6ffe24db4d8bd4d244bfd7e0ecaa

  • SHA256

    d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200

  • SHA512

    446b3f391e6f55bd1fb69969e74c42ba298bd06ab9509130e639da3e03f2720fa753921a1aec5c8e7732928d125a97a9ae2e0a2dbe7b705c1e183ab8a41c3063

  • SSDEEP

    12288:EMrWy90u8xoCoUCnq8yr2b2VmLKGQDzLfTf/1TW:ay9817x2wG+zHBW

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe
    "C:\Users\Admin\AppData\Local\Temp\d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4280
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3480
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4900
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 540
              5⤵
              • Program crash
              PID:3472
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:3388
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3dQ39Aq.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3dQ39Aq.exe
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:1100
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4900 -ip 4900
        1⤵
          PID:1808

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3dQ39Aq.exe
          Filesize

          31KB

          MD5

          6c37f769c720938dd2223863c71e961e

          SHA1

          32f2c9e51dd144da0023f4ef81fdc15e11fc02da

          SHA256

          0d68b15aed1853a449c5baf28d7cb6249a18a47e3559010814b82b5fccc21caa

          SHA512

          0cb767ca9faf107944e0dcd469750910df9b5df7d9ddae0d33dbe28f86bab57f37eadf1f2405296b19e03e884e6316528009bbc29ef2b0b78cbf722afaa286ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
          Filesize

          103KB

          MD5

          eb0fe3e473ed4ec4e54e3df654e96383

          SHA1

          78083e30fb3b7516f8a705270127e3289970563b

          SHA256

          fdc603baa17c8a71a57c6c19df9d8665c12c219e74ec49ff8f0655ce029418ce

          SHA512

          92d1f24ab9528ead0fae5d04020fb307a1b2d03793947dd43b8c5acf938eba4898b8a6bcb6fa959075e243ffbe2a3da1820b202d0909d686611f367566ac3e94

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ao8cz88.exe
          Filesize

          262KB

          MD5

          581b889fa75b34f650f022b761fa5ba8

          SHA1

          9aeec626321d157ccfb5f53073a318663117c702

          SHA256

          5d3a782f6533e3acf352c355f090bc7e253bcf4e8acf88a0a318e8c320b187f9

          SHA512

          15a62951a3256d0526fc75ce64c72e9225d4e60d90f31c89c53f87bc8b8fc36a60cc83526bf8b18758a8ab87624617cc243428c7fd20ac4b56ce774dc00a9e8c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
          Filesize

          141KB

          MD5

          eba5a1efc773cee9ea990a51a462bfec

          SHA1

          840ea8efc6165b72ad950c276f5af6be7f562828

          SHA256

          733f8968d7c790071b4d8cc100f62c705b84cc5d9917c16f1b135fa145bb9f35

          SHA512

          d7e9e59543bc37c1343862c5f4ce94b219090260088fcf1fea75a5e5edb576d3647d63c2ebf87f4123ff1e13b1ca96c70ec1f8d96a09beb4bc575bd5712c1bba

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Og26XL6.exe
          Filesize

          198KB

          MD5

          aa2247f3d89d9ddf12bb2bb5127ee244

          SHA1

          153927ed20412489ff3596ce11a9732edf8dcc39

          SHA256

          04ce89d85afd945c8432552a312e7c8577f7856bf9e0352d4c73a02930c36e43

          SHA512

          01bddd7c715c136f4ea8fa7f25d018aaa2dd1b3f669d27047e1aaf2755a59b4ce53d4155c964887bfa1b946ae981089e74cf7afdbd0fec0eb908755353bc088b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exe
          Filesize

          90KB

          MD5

          ad739572bde9beef5e7aefbb335d8f1f

          SHA1

          ba59bcd1fcf162f3e7726d5931eae1b53b02da26

          SHA256

          d95e1d3bbdb77a34f78df4e7bc3097bd6637d188f2c59031e9690931adcb48a2

          SHA512

          8cae120666547713fc0e33325081551049d4160504f2b7033803fb247fee44bd915e450a8a0083e3232028d707c69af89b42d566fbbd534117c50197d44fd720

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2cS3266.exe
          Filesize

          93KB

          MD5

          3c41e8d5d530e66d64b27cc40b47c95c

          SHA1

          10b007134f34b4bb446856b3bd28167c30e6db40

          SHA256

          b5d219f3390c4f425ba59f63b2d6e0b60ae025d7432f7e1007283566ce658a57

          SHA512

          f9100e79fd2e3da9d31c1b836b854b291ae9333dfdcfc772c8fad04d840f2c2b4d43b1de0e73cfd455f543ebc9185464a7193e05d7a6c87dad797e101ded879c

          Download Submit

        • memory/1100-27-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1100-29-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3372-28-0x0000000002950000-0x0000000002966000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4280-18-0x0000000074000000-0x00000000747B0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4280-33-0x0000000074000000-0x00000000747B0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4280-14-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4900-21-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/4900-20-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/4900-24-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/4900-19-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download