Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
04-03-2024 02:06
General
-
Target
f4555b54180c53e34ad814d42e0a845aa07e98bf0bd305194be7e832c63657d8.exe
-
Size
1.2MB
-
MD5
07955226491bc30f939c7d1da1dbe64e
-
SHA1
03881d43e06e1b02e5d0058b195203a1391852f4
-
SHA256
f4555b54180c53e34ad814d42e0a845aa07e98bf0bd305194be7e832c63657d8
-
SHA512
416ed817511c5ef2246b5e9da127a1c3a617673e926c88ea463172bfac186bb2e6ea736528ae0adc093b000e76b98b75ce783dbda0f3ff4ae8155f7a4e1d67d6
-
SSDEEP
24576:ryyzUvBsZjf1NDCZroGqez2RDOS7J4Nx63+DuWFjURrZO7/7iiipdRS2NK5cm:e4rO4DJ7y63+PFIE/7mRSkK5
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Signatures
-
Detect Mystic stealer payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
-
Detects executables packed with ConfuserEx Mod 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f4555b54180c53e34ad814d42e0a845aa07e98bf0bd305194be7e832c63657d8.exe"C:\Users\Admin\AppData\Local\Temp\f4555b54180c53e34ad814d42e0a845aa07e98bf0bd305194be7e832c63657d8.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gg0rK76.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gg0rK76.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ou0TN33.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ou0TN33.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VC42qC8.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VC42qC8.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fr3134.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fr3134.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3eS92ew.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3eS92ew.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4eO517vE.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4eO517vE.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4eO517vE.exeFilesize
1.9MB
MD5f6a960e73b56f4fa26437ac5e12d7773
SHA196b2c9aa721bdd672501e5b07d12f61b6db86886
SHA25668285c53ce6f94bd947ead934a14efca01ae117452fe559954e943748713f93c
SHA512f8f13dbc76b5a2c3736a350ed2a973e7ba47ec20e2de6bd509ac8f67916e44b34fe06aee7973b2387e190277c8d4a479dabf833618eeecdd290ff4db46b6d3a9
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gg0rK76.exeFilesize
698KB
MD5cf37c362b1315fcd7d5c5a6949afb490
SHA15fedb3d26f5310d18b7d23ae630102e34928f442
SHA256b7232f1e4a6b35f836d1e0477df5c5bcfd2442963c5d0d970c7a3a686e957017
SHA512feb61d923a7a0ea5a1088266111002b8f30f6b1edcd563f6af3b9edb80c33dc36c4679323316b52fa433750c3a185623a0be53db18851329e86f74d565cdd238
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3eS92ew.exeFilesize
30KB
MD50a5301eaebbc0d911518a522131d77bc
SHA1d7927e68859bad44b27ae61a7502197e42b7c80a
SHA256f163e6834ab8ee4a4b0b479e045432cf3412144bb9b515177d330723f84d9cda
SHA51239fd6434abc8f90bafeb6a93bcdd92c8279ab499c1802e735fcaa7d49224d16183866cc6802cd0abb06001dac4dcebebf298ee2f4c921f0e8b04f2a30c709aae
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ou0TN33.exeFilesize
574KB
MD5699e625390f2f89ad226573c6be60623
SHA1d758ba568cf0ad83477c1b0c9a9a6fde42e45df6
SHA256f6e0056da425ffc4eba2b5bb5869f9dd5ea3beacad99b4b2c23421b1d0757f3b
SHA51232d9ddae1595208bc5eca7056615bddb268002ca7475e409f1da290b1dfce7cb381a09a3bfd5e062f6406698f27964367d3ff4dafee8e237b0f03e1aa70a1252
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VC42qC8.exeFilesize
1.6MB
MD529e9546e7fe835b413a5d65599213b53
SHA164d6d2eca4e197a390702a08b074c5ef6da2fa32
SHA256d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814
SHA512e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fr3134.exeFilesize
180KB
MD54190e7bd24169eb843c7217ebcadb360
SHA1d2158f874a257fe0d9cb3eb1d2949135c53da037
SHA2561fd396b1b0b6c40399fddd4e43d20ac01f9d6fa9fd204c990fa8e59825ac7bdc
SHA51240ac888cb2b270d275784d31771eaa130891e0fd3f43e20c1c0b0670797af2351c7c1efa4503420c7ad11ee6049c46fb3fd171d256491591652719be978b99f7
-
memory/544-44-0x00000000079B0000-0x0000000007ABA000-memory.dmpFilesize
1.0MB
-
memory/544-41-0x0000000007890000-0x00000000078A0000-memory.dmpFilesize
64KB
-
memory/544-51-0x0000000007890000-0x00000000078A0000-memory.dmpFilesize
64KB
-
memory/544-50-0x0000000074A90000-0x0000000075240000-memory.dmpFilesize
7.7MB
-
memory/544-47-0x0000000007940000-0x000000000798C000-memory.dmpFilesize
304KB
-
memory/544-37-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/544-38-0x0000000074A90000-0x0000000075240000-memory.dmpFilesize
7.7MB
-
memory/544-39-0x0000000007BC0000-0x0000000008164000-memory.dmpFilesize
5.6MB
-
memory/544-40-0x00000000076B0000-0x0000000007742000-memory.dmpFilesize
584KB
-
memory/544-46-0x0000000007900000-0x000000000793C000-memory.dmpFilesize
240KB
-
memory/544-42-0x0000000002A00000-0x0000000002A0A000-memory.dmpFilesize
40KB
-
memory/544-43-0x0000000008790000-0x0000000008DA8000-memory.dmpFilesize
6.1MB
-
memory/544-45-0x00000000078A0000-0x00000000078B2000-memory.dmpFilesize
72KB
-
memory/1376-21-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/1376-28-0x0000000074A90000-0x0000000075240000-memory.dmpFilesize
7.7MB
-
memory/1376-49-0x0000000074A90000-0x0000000075240000-memory.dmpFilesize
7.7MB
-
memory/3020-29-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3020-32-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3500-30-0x0000000002F60000-0x0000000002F76000-memory.dmpFilesize
88KB