Overview

overview

10

Static

static

3

cbf2171616...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 10:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbf2171616a11736845095e1a1e40b71c7a6b51e3c4453da03db769132820714.exe

  • Size

    860KB

  • MD5

    10546d4f84b9966d5f72ed3bdf530c4c

  • SHA1

    f0179725a1691177a47341327ebaa2e0d2864edb

  • SHA256

    cbf2171616a11736845095e1a1e40b71c7a6b51e3c4453da03db769132820714

  • SHA512

    bdc714a77f447a130c10511b4a066b13180fd723c79efc59e4ead98e11b4fec73bf083431d19deec7036c5ee7a460f2e8f29c2651325f334e66e7eb53f130a05

  • SSDEEP

    24576:pyzao0HuuMlmyvo5SO93mlKkgpvkryQwJiQHehoZM:cHuMl503Dkgkyiu

Score
10/10
mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbf2171616a11736845095e1a1e40b71c7a6b51e3c4453da03db769132820714.exe
    "C:\Users\Admin\AppData\Local\Temp\cbf2171616a11736845095e1a1e40b71c7a6b51e3c4453da03db769132820714.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fu7FA98.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fu7FA98.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wm8Uu21.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wm8Uu21.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4540
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yl3FA41.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yl3FA41.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ug2Bz93.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ug2Bz93.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GK86gA3.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GK86gA3.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4276
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2SA8995.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2SA8995.exe
              6⤵
              • Executes dropped EXE
              PID:1084
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3xy63bs.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3xy63bs.exe
            5⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:4092
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ae589gL.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ae589gL.exe
          4⤵
          • Executes dropped EXE
          PID:3648
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fu7FA98.exe
    Filesize

    722KB

    MD5

    389aa6a4960b6de773a0f491b14329b3

    SHA1

    ef4cbb9d574d6475d1bac511fcd103bf68f4707f

    SHA256

    d0c7b1ffa44a3d35577285c697a226cc905426c10d5e35031b3f60e101a92473

    SHA512

    03f72727719e74c09b49cb9df7b8e40ec463e2fb5a102041f863eb8aef8c726335a17a273c228f3adbc5293ce267ec77c1aa174b7e3a82dd3e426d24ec0dab5c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wm8Uu21.exe
    Filesize

    545KB

    MD5

    0e2d0c5ad0cfaf7f1956990498a44f41

    SHA1

    48d6ef07b7caae17a3a7e02917c439a8355bb7da

    SHA256

    68e39a0f2038392bdb0296890eb2fd78f43af72b971973e10d6d5adfc120095f

    SHA512

    d1dfb90431430c92cce106744e5f1e0199ff9c3ba05f6cb776ce40d733c1e6b1d1475d36b7b7ebc9929d32d33f652c7597b07f4213d0f835147f850b7d64d318

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ae589gL.exe
    Filesize

    221KB

    MD5

    8905918bd7e4f4aeda3a804d81f9ee40

    SHA1

    3c488a81539116085a1c22df26085f798f7202c8

    SHA256

    0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde

    SHA512

    6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yl3FA41.exe
    Filesize

    371KB

    MD5

    c4d9a0c04f74a3a9c679637fc27bf8f1

    SHA1

    b7c196d2c60d18e3595c67ba560cf5565b200a81

    SHA256

    25b6ea13a8cd76a2e30144d9bc8b27254413777b2f4d2c32898802a0b71f06d9

    SHA512

    835d8dc48adb9eb91cda1d737ae599f31b727282eeef0d93b7a2f35a2972588a407c37ba0b3173287f82ddd5ac7f07e0d0cd2aa76246c27c5c2dfc144e362a6b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3xy63bs.exe
    Filesize

    30KB

    MD5

    35a15fad3767597b01a20d75c3c6889a

    SHA1

    eef19e2757667578f73c4b5720cf94c2ab6e60c8

    SHA256

    90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc

    SHA512

    c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ug2Bz93.exe
    Filesize

    246KB

    MD5

    4061eb8eeee971de67ce22a2a288873b

    SHA1

    4209d6c394897c1cfff9505da020bb6a9d81521b

    SHA256

    b57d8bfdeb36184296fdfc848a3b8fb3de6fc146b28abad342584e4ef00ba3fb

    SHA512

    a543add378d7e3a34455e9034d027dc93a7c806dace273dafed7f2f0c2e44917acb7200f5bd9e858b6e69595386035bdcaf4eb0e22d967b716a4bbff8d0c45da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GK86gA3.exe
    Filesize

    11KB

    MD5

    d2ed05fd71460e6d4c505ce87495b859

    SHA1

    a970dfe775c4e3f157b5b2e26b1f77da7ae6d884

    SHA256

    3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f

    SHA512

    a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2SA8995.exe
    Filesize

    180KB

    MD5

    53e28e07671d832a65fbfe3aa38b6678

    SHA1

    6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

    SHA256

    5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

    SHA512

    053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

    Download Submit

  • memory/3496-46-0x0000000002700000-0x0000000002716000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3648-62-0x0000000007280000-0x00000000072BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3648-61-0x00000000070F0000-0x0000000007102000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3648-63-0x0000000007120000-0x000000000716C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3648-64-0x0000000074BA0000-0x0000000075350000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3648-65-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3648-54-0x0000000074BA0000-0x0000000075350000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3648-53-0x0000000000100000-0x000000000013E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3648-55-0x0000000007390000-0x0000000007934000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3648-56-0x0000000006E80000-0x0000000006F12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3648-57-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3648-58-0x00000000023D0000-0x00000000023DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3648-59-0x0000000007F60000-0x0000000008578000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3648-60-0x0000000007940000-0x0000000007A4A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4092-47-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4092-45-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4276-38-0x0000000074BA0000-0x0000000075350000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4276-36-0x0000000074BA0000-0x0000000075350000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4276-35-0x0000000000D90000-0x0000000000D9A000-memory.dmp

    Filesize

    40KB

    Download