Overview

overview

10

Static

static

3

088a62b3ab...ea.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 10:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    088a62b3ab8a6cb9e8c78e220d8aec5b8ed463d91a3309299e17a2e90af11aea.exe

  • Size

    721KB

  • MD5

    1682ace070b7498115d27c779d4d41e5

  • SHA1

    1a2c3384b780cda0688ff7ffc4a53d3de35fde12

  • SHA256

    088a62b3ab8a6cb9e8c78e220d8aec5b8ed463d91a3309299e17a2e90af11aea

  • SHA512

    0d593cd2dbe498fc270273c8f78f9b9f8e836245b564454d3cdc45747643a04d06055a7b4cf90d81dc76d5f533c6f2be14f355e9d8a2212b6e6edffb32ad7213

  • SSDEEP

    12288:jMrwy90ZmDRb95JLu/m3kDmURMr20yALGFUM3jeueRDY0mUTR4dptCBXIc6b:ryb5SmUDmU02HAqh6FdqpkBp6b

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\088a62b3ab8a6cb9e8c78e220d8aec5b8ed463d91a3309299e17a2e90af11aea.exe
    "C:\Users\Admin\AppData\Local\Temp\088a62b3ab8a6cb9e8c78e220d8aec5b8ed463d91a3309299e17a2e90af11aea.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HO2QC93.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HO2QC93.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1KH89VS5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1KH89VS5.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        PID:4144
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vR1463.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vR1463.exe
        3⤵
        • Executes dropped EXE
        PID:4060
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3lr04Gg.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3lr04Gg.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:408
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c regini "C:\Users\Admin\AppData\Roaming\random_1712054535.txt"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\system32\regini.exe
      regini "C:\Users\Admin\AppData\Roaming\random_1712054535.txt"
      2⤵
        PID:5092

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3lr04Gg.exe
      Filesize

      916KB

      MD5

      98eb85a28d4f8993fc0230976fd1f74f

      SHA1

      e68085e3cd992c682d90816b0f3feb7e3ede1fb7

      SHA256

      9594dc80097c0512ab77d843d183c652cec90b148effa8f84342748529a1fd5d

      SHA512

      3a11170e8f78f9b998a50d3caba795a157aea073dac14343bd299a2300b12606dc790ae82dd1fc4c3590be0ec8a447f23b32e1e1b093b4417c2bd8918f0da03c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HO2QC93.exe
      Filesize

      354KB

      MD5

      ccce94da996f09caf6ca1e0cb455c204

      SHA1

      f0633a79f8f1b02b046ed8b91a67d75149aa6b01

      SHA256

      3b6e0ae1bf782ab0c174cff82f3088fd4bf28fe5c273b426d3dce205deac58eb

      SHA512

      a80870cdfae14a9ebd8cba27dec2bd428fe36696f2404081a84f2f12a15942482b57a3d5e0d5985e368678b745ce1e3a01415f8d97f79ec618c02d34d2fa0db2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1KH89VS5.exe
      Filesize

      265KB

      MD5

      15fe972bcfd9189d826083838645b850

      SHA1

      d2bf7fee68e358fa71b942b8ae92e483536abf86

      SHA256

      ec739f26f487bcc65718bb8c28a5e3adf817a18e01952bd888f618a57c1e61d4

      SHA512

      30f7c8daa78ba9bb32d5dca56440fd9b1d36336f496521920ab41737787c1c8e0bcdd714b72249e0ab52908d7918afcaf9e0b3f5ba2a8a2888e9adb538810cfe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vR1463.exe
      Filesize

      180KB

      MD5

      53e28e07671d832a65fbfe3aa38b6678

      SHA1

      6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

      SHA256

      5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

      SHA512

      053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\random_1712054535.txt
      Filesize

      78B

      MD5

      2d245696c73134b0a9a2ac296ea7c170

      SHA1

      f234419d7a09920a46ad291b98d7dca5a11f0da8

      SHA256

      ed83e1f6850e48029654e9829cbf6e2cdff82f55f61d1449f822e448f75e8930

      SHA512

      af0b981ef20aa94aff080fbd2030556fe47c4cc563885b162e604f72bc70c4a0eee4ee57ce4ea8964e6363a32ba34f8bee933db30d3d61392c42299621a4fc79

      Download Submit

    • memory/408-22-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/408-23-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/408-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3464-24-0x0000000002E70000-0x0000000002E86000-memory.dmp

      Filesize

      88KB

      Download