Overview

overview

10

Static

static

3

cbf2171616...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbf2171616a11736845095e1a1e40b71c7a6b51e3c4453da03db769132820714.exe

  • Size

    860KB

  • MD5

    10546d4f84b9966d5f72ed3bdf530c4c

  • SHA1

    f0179725a1691177a47341327ebaa2e0d2864edb

  • SHA256

    cbf2171616a11736845095e1a1e40b71c7a6b51e3c4453da03db769132820714

  • SHA512

    bdc714a77f447a130c10511b4a066b13180fd723c79efc59e4ead98e11b4fec73bf083431d19deec7036c5ee7a460f2e8f29c2651325f334e66e7eb53f130a05

  • SSDEEP

    24576:pyzao0HuuMlmyvo5SO93mlKkgpvkryQwJiQHehoZM:cHuMl503Dkgkyiu

Score
10/10
mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbf2171616a11736845095e1a1e40b71c7a6b51e3c4453da03db769132820714.exe
    "C:\Users\Admin\AppData\Local\Temp\cbf2171616a11736845095e1a1e40b71c7a6b51e3c4453da03db769132820714.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fu7FA98.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fu7FA98.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wm8Uu21.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wm8Uu21.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yl3FA41.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yl3FA41.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4604
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ug2Bz93.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ug2Bz93.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1096
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GK86gA3.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GK86gA3.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1868
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2SA8995.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2SA8995.exe
              6⤵
              • Executes dropped EXE
              PID:1212
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3xy63bs.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3xy63bs.exe
            5⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:3224
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ae589gL.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ae589gL.exe
          4⤵
          • Executes dropped EXE
          PID:1540
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3856 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2304

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fu7FA98.exe
      Filesize

      722KB

      MD5

      389aa6a4960b6de773a0f491b14329b3

      SHA1

      ef4cbb9d574d6475d1bac511fcd103bf68f4707f

      SHA256

      d0c7b1ffa44a3d35577285c697a226cc905426c10d5e35031b3f60e101a92473

      SHA512

      03f72727719e74c09b49cb9df7b8e40ec463e2fb5a102041f863eb8aef8c726335a17a273c228f3adbc5293ce267ec77c1aa174b7e3a82dd3e426d24ec0dab5c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wm8Uu21.exe
      Filesize

      545KB

      MD5

      0e2d0c5ad0cfaf7f1956990498a44f41

      SHA1

      48d6ef07b7caae17a3a7e02917c439a8355bb7da

      SHA256

      68e39a0f2038392bdb0296890eb2fd78f43af72b971973e10d6d5adfc120095f

      SHA512

      d1dfb90431430c92cce106744e5f1e0199ff9c3ba05f6cb776ce40d733c1e6b1d1475d36b7b7ebc9929d32d33f652c7597b07f4213d0f835147f850b7d64d318

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ae589gL.exe
      Filesize

      221KB

      MD5

      8905918bd7e4f4aeda3a804d81f9ee40

      SHA1

      3c488a81539116085a1c22df26085f798f7202c8

      SHA256

      0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde

      SHA512

      6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yl3FA41.exe
      Filesize

      371KB

      MD5

      c4d9a0c04f74a3a9c679637fc27bf8f1

      SHA1

      b7c196d2c60d18e3595c67ba560cf5565b200a81

      SHA256

      25b6ea13a8cd76a2e30144d9bc8b27254413777b2f4d2c32898802a0b71f06d9

      SHA512

      835d8dc48adb9eb91cda1d737ae599f31b727282eeef0d93b7a2f35a2972588a407c37ba0b3173287f82ddd5ac7f07e0d0cd2aa76246c27c5c2dfc144e362a6b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3xy63bs.exe
      Filesize

      30KB

      MD5

      35a15fad3767597b01a20d75c3c6889a

      SHA1

      eef19e2757667578f73c4b5720cf94c2ab6e60c8

      SHA256

      90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc

      SHA512

      c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ug2Bz93.exe
      Filesize

      246KB

      MD5

      4061eb8eeee971de67ce22a2a288873b

      SHA1

      4209d6c394897c1cfff9505da020bb6a9d81521b

      SHA256

      b57d8bfdeb36184296fdfc848a3b8fb3de6fc146b28abad342584e4ef00ba3fb

      SHA512

      a543add378d7e3a34455e9034d027dc93a7c806dace273dafed7f2f0c2e44917acb7200f5bd9e858b6e69595386035bdcaf4eb0e22d967b716a4bbff8d0c45da

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GK86gA3.exe
      Filesize

      11KB

      MD5

      d2ed05fd71460e6d4c505ce87495b859

      SHA1

      a970dfe775c4e3f157b5b2e26b1f77da7ae6d884

      SHA256

      3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f

      SHA512

      a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2SA8995.exe
      Filesize

      180KB

      MD5

      53e28e07671d832a65fbfe3aa38b6678

      SHA1

      6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

      SHA256

      5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

      SHA512

      053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

      Download Submit

    • memory/1540-63-0x0000000007D80000-0x0000000007DCC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1540-64-0x00000000743A0000-0x0000000074B50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1540-60-0x0000000008420000-0x000000000852A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1540-62-0x0000000007D40000-0x0000000007D7C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1540-61-0x0000000007CE0000-0x0000000007CF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1540-65-0x0000000007BD0000-0x0000000007BE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1540-53-0x0000000000B40000-0x0000000000B7E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/1540-54-0x00000000743A0000-0x0000000074B50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1540-55-0x0000000007E70000-0x0000000008414000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1540-56-0x0000000007960000-0x00000000079F2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1540-57-0x0000000007BD0000-0x0000000007BE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1540-58-0x0000000007920000-0x000000000792A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1540-59-0x0000000008A40000-0x0000000009058000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1868-36-0x0000000000880000-0x000000000088A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1868-38-0x00000000743A0000-0x0000000074B50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1868-35-0x00000000743A0000-0x0000000074B50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3224-48-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3224-45-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3364-46-0x0000000003270000-0x0000000003286000-memory.dmp

      Filesize

      88KB

      Download