Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
24-05-2024 05:33
General
-
Target
3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe
-
Size
956KB
-
MD5
c7d606e2c52cb54347c035c4f20385af
-
SHA1
fd14a9789a5cb3291a9fc9a21fc6a7011df32cfc
-
SHA256
3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3
-
SHA512
c3a07f6ef78ffdf38fee9613b451476e0c17aceebe9115bfd63c02350989197b15426fc854a3cc7a59878a3baa274c1a55b988374003389ee3ccbfa346ebce22
-
SSDEEP
24576:IyjahTARFOjnPlTRpSQ4Mh51NLlCTmBqqJj/vieOyO:P8TcIjnPlUOlwoqw3R
Malware Config
Extracted
mystic
http://5.42.92.211/
Extracted
redline
breha
77.91.124.55:19071
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
Detect Mystic stealer payload 3 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 7 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe"C:\Users\Admin\AppData\Local\Temp\3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Op9Fk77.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Op9Fk77.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rI7FK34.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rI7FK34.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ff69WZ4.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ff69WZ4.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 6005⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2mI8436.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2mI8436.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 5725⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3IW07tF.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3IW07tF.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 5724⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4zQ997RJ.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4zQ997RJ.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 5723⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3880 -ip 38801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 432 -ip 4321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2044 -ip 20441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4628 -ip 46281⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Roaming\rtfguwdC:\Users\Admin\AppData\Roaming\rtfguwd1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
486KB
MD500c781c1a5a925ca9bdcd6ad04ea2b06
SHA15f38e88beb9c393cea4baf891f315dab3861fa7d
SHA2567f8b87d974c6c2d287aa2900b29835cfa76fcbff144aa6e74143152f3f2fe8d1
SHA51246976b08ff464076492e837fa17a3c24611519671ef538a11f281236bf69bac715507637840113d9cd97f60cce33afc9b23aadf866717e121aa5dec9cae1d3d8
-
Filesize
654KB
MD506b98319424809f40aab2aa25a0eaa97
SHA129f5653c0c8ab96dfc5448dfa7905065e0b30eca
SHA256bfe6775656ff4b278516ca6770f7e49cdee3e0634740689f1861860ee20ed7c5
SHA512934a7379d9ad87c00a29ee0c217359e938488d7fba16e7cf0a21bbd8645b1eb7d7466afbaef6ddf03d41e8b1173ab014d08f53c0f34c6bcaf3cf748b8736763e
-
Filesize
294KB
MD57c2deede43e8c1956b006b1bba71e487
SHA10ce56c5e6b75ee49784b292eea1cde63848dc878
SHA25625b116a8d53057ce4c2fd2ddc0ebb71b29a2a06ac6d8291fcc8c4a0a38bae5e1
SHA512c4f9862a3ea8137efb4d7a3da054edb94981a0c7a262bcd9762801f642e0337a4f1c9657a5e3718bdd1c1a7a3168e93e128fe1704e62fa2f77cff69eaf294e6f
-
Filesize
403KB
MD55b0f6bb73b28259e867536399af3480c
SHA1d10b298aeb766e21d47408fc73f505a7187cbf0c
SHA256fbe4d3d9dd6925d40a98ede371080a34a3e68fef342f5c66f4d8eceaec5c342e
SHA512eca50c7f7b38a83eed685669579714c568b9198860c2dd60ead8f039f81ed9a2b241b208e31e5829fe480557f23a12fc5030796750396f0fa6ea50f310362f23
-
Filesize
277KB
MD557b209441e027b6f046eb096af754dea
SHA1c0ba339a2e2f0452f92504dc457ed0a13c75d60f
SHA25617f767d30ed32e2a7cd42ac45ef3335bde326720e7b5a04c856a2cc3ab7076b8
SHA512a93a70f7dc32d4416b392359df22da01fcc73ef84ff9484437dc6ef6d11b678abbeb7cfc4ae5b168823c44573b7ba112fc2ce3ae978240e558774cd2d738c86a
-
Filesize
450KB
MD5d4be2c5b707bf8843e59188945b51203
SHA135f0cde80b5e04204700ca82e1d866e369d1949c
SHA2568571095773c6e5ae684bb053bdc6822ab5bae4b212ccb29855d2380937a5a2fa
SHA512e914c757ce1e0f8cc8409bcb85f302c26b2cd5277a22355b3116ad54ffdea8627b28b456bf5c857d5aee1c6034ca1269f9ec5c2620a92de557032beb3cee2190
-
Filesize
101KB
MD589d41e1cf478a3d3c2c701a27a5692b2
SHA1691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA5125c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
-
Filesize
40KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
6.1MB
-
Filesize
248KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB