Overview

overview

10

Static

static

3

f4555b5418...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-03-2024 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4555b54180c53e34ad814d42e0a845aa07e98bf0bd305194be7e832c63657d8.exe

  • Size

    1.2MB

  • MD5

    07955226491bc30f939c7d1da1dbe64e

  • SHA1

    03881d43e06e1b02e5d0058b195203a1391852f4

  • SHA256

    f4555b54180c53e34ad814d42e0a845aa07e98bf0bd305194be7e832c63657d8

  • SHA512

    416ed817511c5ef2246b5e9da127a1c3a617673e926c88ea463172bfac186bb2e6ea736528ae0adc093b000e76b98b75ce783dbda0f3ff4ae8155f7a4e1d67d6

  • SSDEEP

    24576:ryyzUvBsZjf1NDCZroGqez2RDOS7J4Nx63+DuWFjURrZO7/7iiipdRS2NK5cm:e4rO4DJ7y63+PFIE/7mRSkK5

Score
10/10
mysticredlinesmokeloadergromebackdoorevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
  • Detects executables packed with ConfuserEx Mod 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4555b54180c53e34ad814d42e0a845aa07e98bf0bd305194be7e832c63657d8.exe
    "C:\Users\Admin\AppData\Local\Temp\f4555b54180c53e34ad814d42e0a845aa07e98bf0bd305194be7e832c63657d8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gg0rK76.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gg0rK76.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ou0TN33.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ou0TN33.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4028
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VC42qC8.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VC42qC8.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:2356
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1376
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fr3134.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fr3134.exe
            4⤵
            • Executes dropped EXE
            PID:2040
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3eS92ew.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3eS92ew.exe
          3⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:3020
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4eO517vE.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4eO517vE.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:544

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4eO517vE.exe
        Filesize

        1.9MB

        MD5

        f6a960e73b56f4fa26437ac5e12d7773

        SHA1

        96b2c9aa721bdd672501e5b07d12f61b6db86886

        SHA256

        68285c53ce6f94bd947ead934a14efca01ae117452fe559954e943748713f93c

        SHA512

        f8f13dbc76b5a2c3736a350ed2a973e7ba47ec20e2de6bd509ac8f67916e44b34fe06aee7973b2387e190277c8d4a479dabf833618eeecdd290ff4db46b6d3a9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gg0rK76.exe
        Filesize

        698KB

        MD5

        cf37c362b1315fcd7d5c5a6949afb490

        SHA1

        5fedb3d26f5310d18b7d23ae630102e34928f442

        SHA256

        b7232f1e4a6b35f836d1e0477df5c5bcfd2442963c5d0d970c7a3a686e957017

        SHA512

        feb61d923a7a0ea5a1088266111002b8f30f6b1edcd563f6af3b9edb80c33dc36c4679323316b52fa433750c3a185623a0be53db18851329e86f74d565cdd238

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3eS92ew.exe
        Filesize

        30KB

        MD5

        0a5301eaebbc0d911518a522131d77bc

        SHA1

        d7927e68859bad44b27ae61a7502197e42b7c80a

        SHA256

        f163e6834ab8ee4a4b0b479e045432cf3412144bb9b515177d330723f84d9cda

        SHA512

        39fd6434abc8f90bafeb6a93bcdd92c8279ab499c1802e735fcaa7d49224d16183866cc6802cd0abb06001dac4dcebebf298ee2f4c921f0e8b04f2a30c709aae

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ou0TN33.exe
        Filesize

        574KB

        MD5

        699e625390f2f89ad226573c6be60623

        SHA1

        d758ba568cf0ad83477c1b0c9a9a6fde42e45df6

        SHA256

        f6e0056da425ffc4eba2b5bb5869f9dd5ea3beacad99b4b2c23421b1d0757f3b

        SHA512

        32d9ddae1595208bc5eca7056615bddb268002ca7475e409f1da290b1dfce7cb381a09a3bfd5e062f6406698f27964367d3ff4dafee8e237b0f03e1aa70a1252

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VC42qC8.exe
        Filesize

        1.6MB

        MD5

        29e9546e7fe835b413a5d65599213b53

        SHA1

        64d6d2eca4e197a390702a08b074c5ef6da2fa32

        SHA256

        d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814

        SHA512

        e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Fr3134.exe
        Filesize

        180KB

        MD5

        4190e7bd24169eb843c7217ebcadb360

        SHA1

        d2158f874a257fe0d9cb3eb1d2949135c53da037

        SHA256

        1fd396b1b0b6c40399fddd4e43d20ac01f9d6fa9fd204c990fa8e59825ac7bdc

        SHA512

        40ac888cb2b270d275784d31771eaa130891e0fd3f43e20c1c0b0670797af2351c7c1efa4503420c7ad11ee6049c46fb3fd171d256491591652719be978b99f7

        Download Submit

      • memory/544-44-0x00000000079B0000-0x0000000007ABA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/544-41-0x0000000007890000-0x00000000078A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/544-51-0x0000000007890000-0x00000000078A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/544-50-0x0000000074A90000-0x0000000075240000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/544-47-0x0000000007940000-0x000000000798C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/544-37-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-38-0x0000000074A90000-0x0000000075240000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/544-39-0x0000000007BC0000-0x0000000008164000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/544-40-0x00000000076B0000-0x0000000007742000-memory.dmp

        Filesize

        584KB

        Download

      • memory/544-46-0x0000000007900000-0x000000000793C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/544-42-0x0000000002A00000-0x0000000002A0A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/544-43-0x0000000008790000-0x0000000008DA8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/544-45-0x00000000078A0000-0x00000000078B2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1376-21-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1376-28-0x0000000074A90000-0x0000000075240000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1376-49-0x0000000074A90000-0x0000000075240000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3020-29-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/3020-32-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/3500-30-0x0000000002F60000-0x0000000002F76000-memory.dmp

        Filesize

        88KB

        Download