Overview

overview

10

Static

static

3

12529f4b65...8e.exe

windows10-2004-x64

10

177d217638...c9.exe

windows10-2004-x64

10

2dd3d7aef1...30.exe

windows10-2004-x64

10

3677484a61...a2.exe

windows10-2004-x64

10

4682d27822...6e.exe

windows10-2004-x64

10

492e1a379a...be.exe

windows10-2004-x64

10

50eee0d0ce...b6.exe

windows10-2004-x64

10

54a187adfc...90.exe

windows10-2004-x64

10

779aae8d26...ea.exe

windows10-2004-x64

10

7a8a88b0a1...14.exe

windows10-2004-x64

10

7d862d9155...a1.exe

windows10-2004-x64

10

994a6a489b...70.exe

windows10-2004-x64

10

b3e77f6d31...38.exe

windows10-2004-x64

10

b8349e4fcf...97.exe

windows10-2004-x64

10

c4b092b703...86.exe

windows10-2004-x64

10

c676d41b0a...68.exe

windows10-2004-x64

10

e6003af825...08.exe

windows10-2004-x64

10

edc38eb50d...b7.exe

windows10-2004-x64

10

ee34d9132f...8c.exe

windows10-2004-x64

10

f644369631...3f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 08:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4682d278226e301e51cb7c58cec10030fc6150aa3814efe79eb0a39400e08b6e.exe

  • Size

    713KB

  • MD5

    3b44aab959d46df5ff3374adfa5b575b

  • SHA1

    ff6d6362f5139c2a650bafb90a6b1ee78a53a608

  • SHA256

    4682d278226e301e51cb7c58cec10030fc6150aa3814efe79eb0a39400e08b6e

  • SHA512

    42c5db052b01548d1d843a169a264ba87a20f790397ae968c0d0096b7dcb1342596b7067ad4a1bc36409382dceeeff9b4be51c45c602164815000c1d4e44d77a

  • SSDEEP

    12288:5Mrty90odAKlKWsDZ0NGmcF1DepG5J/+nfUrggA1T5V46Bl3h7l+eHqHSRJuSfGn:0yXAlPScfCpG5J+nfUSrzjlFK+7v415

Score
10/10
mysticredlinesmokeloadertaigabackdoorinfostealerpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4682d278226e301e51cb7c58cec10030fc6150aa3814efe79eb0a39400e08b6e.exe
    "C:\Users\Admin\AppData\Local\Temp\4682d278226e301e51cb7c58cec10030fc6150aa3814efe79eb0a39400e08b6e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IH7Iq97.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IH7Iq97.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PV9sE19.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PV9sE19.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3472
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1fW25Kc2.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1fW25Kc2.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4316
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:412
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ra3967.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ra3967.exe
            4⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:1412
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nB5Kx1.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nB5Kx1.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:648
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7oL2ze77.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7oL2ze77.exe
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2368
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
            3⤵
              PID:1548
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3784 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:1520

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7oL2ze77.exe
            Filesize

            73KB

            MD5

            6bfb531c225a70a7307ca0c116a4e80f

            SHA1

            6215748eda1b82c1fc62d8cdc5b64ea479801918

            SHA256

            c6ed97bece0f0c55d992292a964758620ebfafb20640e54242a5ccf4c84192e2

            SHA512

            e255fee12474f0452836035bea2315a03b017af5ebd881b1abec263b8aaac6dc3c8e6193431f0adfa6702c511bc0f06b3a042fc8ff3bdf551d3c52544dbfdc1f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IH7Iq97.exe
            Filesize

            591KB

            MD5

            8dd1466b44c3563dd089942bc5490269

            SHA1

            cace87c8d63bef64603130a1f26bb07ddedfd8f2

            SHA256

            c227efd5b27da7d284dcdc860277d8af9415ea32a24db1f706061379de122044

            SHA512

            9a4ad05e0857b42a79072022bafde682a3a19877a136e9de8c11fcf90415e2512c8cdf40547420d978ca95308b675d2ea6927fa380525ff735ac6706b8419b12

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nB5Kx1.exe
            Filesize

            358KB

            MD5

            250b9e7a803d0d21f5315e7e7cc7ce2b

            SHA1

            b2e4e984b8e1de270da3aba6f379e250f252de08

            SHA256

            f9dfc483725cf3185690d1fc0206c360691a07cf9bcbf634ee90c69215312ba3

            SHA512

            ecba68ab49e017c5ff5d219cff46955a454dfaee1602ee270b91dc5814de20a9eb9d5775ec9c0dd5076b70e7873adac73b07d44e8d9fe13c6c3dc62a9a90ca9d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PV9sE19.exe
            Filesize

            344KB

            MD5

            a2a013dcdd4b163fc7f1105aafb3464b

            SHA1

            9aa8dd21befcc589b6c0844a14ca3285213f4124

            SHA256

            7c7f66c513dc50bc719105251cb23edc6a8dac7747eb71b1faae8162fe947f82

            SHA512

            5a97395ca250858f6c90fc80ce8e09e6d8d5a2c8a0b067da76e4e5902438712f3a50f6034eb2a7f997b6470a66737876cc537e6650941a07eca013a68320e03c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1fW25Kc2.exe
            Filesize

            319KB

            MD5

            10697784260e7d29fd5c401701b53ec6

            SHA1

            f0b1f766c5e78e6c85694005571171581284ab2b

            SHA256

            1521edc83245005bc209b480e94acc0f100a58d19a05a461a05927b62ca1c55f

            SHA512

            a67518429b79b3ec590ed4005691d8ee4b21a29f9e4e0195a623899f23d5080bd7c6bd157cc781824f39145e26ce8f519af4690b02db5264d5bb0c78bc346dd1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ra3967.exe
            Filesize

            37KB

            MD5

            b938034561ab089d7047093d46deea8f

            SHA1

            d778c32cc46be09b107fa47cf3505ba5b748853d

            SHA256

            260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

            SHA512

            4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\is64.bat
            Filesize

            181B

            MD5

            225edee1d46e0a80610db26b275d72fb

            SHA1

            ce206abf11aaf19278b72f5021cc64b1b427b7e8

            SHA256

            e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

            SHA512

            4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

            Download Submit

          • memory/412-21-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/412-22-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/412-24-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/412-25-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/648-37-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/648-49-0x0000000007E00000-0x00000000083A4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/648-51-0x0000000007940000-0x00000000079D2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/648-52-0x0000000007A00000-0x0000000007A0A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/648-53-0x00000000089D0000-0x0000000008FE8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/648-54-0x00000000083B0000-0x00000000084BA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/648-55-0x0000000007C00000-0x0000000007C12000-memory.dmp

            Filesize

            72KB

            Download

          • memory/648-56-0x0000000007C60000-0x0000000007C9C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/648-57-0x0000000007CA0000-0x0000000007CEC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1412-33-0x0000000000400000-0x000000000040B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1412-28-0x0000000000400000-0x000000000040B000-memory.dmp

            Filesize

            44KB

            Download

          • memory/3316-30-0x0000000002980000-0x0000000002996000-memory.dmp

            Filesize

            88KB

            Download