Overview

overview

10

Static

static

3

Wextract.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25-10-2024 00:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Wextract.exe

  • Size

    1.1MB

  • MD5

    a97c8dfc5e061cfc5e2e6817b7c76c74

  • SHA1

    a78dbab8b472e19a5dc9cf9757963e7ba81d1eca

  • SHA256

    ef838597447eff451405481eeefd6cff4d9d8f0b2a069e336253482b522ea83b

  • SHA512

    6e69b033084db5f0e187ca9729228dad0221dbae51dc38e0de84f25bea47e6fcfe43cad8180e6d08d4db532ff430700c031171a4bc6e830df281c79d3cb7a014

  • SSDEEP

    24576:Ry/nw5UwS20veuyvtELz1F19e2Nx0dUiLWlkJx2iwBkhDN:E/nw5V0zyK02FMSkEk

Score
10/10
healermysticredlinesmokeloadertrushbackdoordiscoverydropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

trush

C2

77.91.124.82:19071

Attributes
  • auth_value

    c13814867cde8193679cd0cad2d774be

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Wextract.exe
    "C:\Users\Admin\AppData\Local\Temp\Wextract.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1645342.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1645342.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0862017.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0862017.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1397332.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1397332.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:220
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5816736.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5816736.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1944
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2054330.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2054330.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3656
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0227158.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0227158.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3040
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Checks SCSI registry key(s)
            PID:3128
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 144
            5⤵
            • Program crash
            PID:3616
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3388816.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3388816.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4252
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3740
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 572
            4⤵
            • Program crash
            PID:2916
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e9710847.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e9710847.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4268

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e9710847.exe
      Filesize

      17KB

      MD5

      8152fae489344c942c368d2219808887

      SHA1

      39170cf8b60389b6a5d77e4d5ea17d276a90aa68

      SHA256

      fe1c7994cbaeb7dafa54f7c8bc5af4f9814c523166e3f54382fcaef9e9f79edf

      SHA512

      fbe2c4cc9cc29c74013a990fc6a23090e4cbc6c4ca00ac584307d23f2962ed12cf9476cc3114fb29ed5c8301d6f9819ab24e97f8b4709cb99ff93f059f8584ca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1645342.exe
      Filesize

      988KB

      MD5

      d138e69367e98c8e9723a7187016ed9b

      SHA1

      2727ddc140c8cb3e16fcb5ab980f500a09a55a9e

      SHA256

      2149c2243760e044d855d641293148e5403de1f21b813ab984d62177bea8725b

      SHA512

      f5bc2619652aba8e570b45a7a14739a7c4967ca421e39b0e5f11ac55e5f430f2861dc6d8a180845718d3febd1e970f52b6cf7cac06c0253c494db894a5344b6d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3388816.exe
      Filesize

      1.0MB

      MD5

      5c94ea6a9d1862a9dd24ebae28b5a4f8

      SHA1

      2165bb63e29eb15915b57a491e2ada1245e1e3c5

      SHA256

      1b70fc55d652e65a4f2c999bea95d5f43433a8583668aca4038c5438f836e81c

      SHA512

      a5b2f44d4f3e55f8ff74cea6ce10ae622f62fb792c1395fd0db13a403bffb18f7646f1b30a26b4add33bc4e4c22ff38a6b5413fb33b6dd57ba081052e6175298

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0862017.exe
      Filesize

      596KB

      MD5

      4fe59bbd6dd785688015e55fb5b12f9c

      SHA1

      c68ed8e6dd2d993ca33b378a1dd9fbaa1210ddff

      SHA256

      a5d9cc249d04a27f05c0fc0bba897bc79456af9922fc0ae247821c255c5a4df6

      SHA512

      fcafd61f17fce487b55dc530c9d4ea70af9f3c45ea0be57dc7ed4ed1402bdf33cb7abd545943d9f540838ab204811e70926907e5aef236da995d579fa1b5bed1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0227158.exe
      Filesize

      884KB

      MD5

      4dae9be78f20a4d6208c198684b2efef

      SHA1

      e43984e97a33e5a6290df0826c78940f0aff2123

      SHA256

      2be6550df7e43d60377aabb5ee792b6bccc521b5ea4fe845daef4c6196536f3e

      SHA512

      ed21c69018bfd85674e2c2597233d7c7965b4126b634691c4f1ad7ed0d6dc557177410fa7f0842330d2c7bb4882f1f54537ebf8341d20e7fa835521789b6a303

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1397332.exe
      Filesize

      236KB

      MD5

      2e756da4310a70d391538824101c553f

      SHA1

      ae5919f24621a7883ef08071a7da93c6bda4da6e

      SHA256

      29fb879ad3496a924c15e83c286d79c4034a46152611da8a82e343615da6fc74

      SHA512

      d524140679df4d30dc4fd6245415b482ab4d259defa835c8d319798d095efa142554965ce3dfb0e1e18d96269cca4135fe261a8eea6d05a37523a437524e49f3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5816736.exe
      Filesize

      11KB

      MD5

      f3f7d21db806df8ffa070e03f92944f6

      SHA1

      27017a2c245744d64a5ef716da3a85a8799add5f

      SHA256

      4f0a4b96086b2bc45032f0e6b04e6878a70bfa9c9b8eea4298f10cc7a36df6d5

      SHA512

      ed935ace54ad21541655dc45494e0b09bd075c6556a51bbf506d54099d91d36c5948f474b6a25ff84245782348d939a886028ccfcec97f31f41019a302073b16

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2054330.exe
      Filesize

      168KB

      MD5

      c8b54c5f6174286e23b6c0c588d96ca5

      SHA1

      cd41640eff90f2da9cb31a9440241639eff67afc

      SHA256

      e5a57435bae4a59f68efea06fa230c0af205c401b73774f778107c509349a4c9

      SHA512

      f946f55fc3971950ae960a6d42eb6b1eb34af526b0b80b9b31452fd0a711fc033dd891c6d1737090a392a5e8815d0781c17442e23f87067e956bcdaef2eb1175

      Download Submit

    • memory/1944-28-0x0000000000610000-0x000000000061A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3128-36-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3740-42-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3740-46-0x0000000005590000-0x0000000005596000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3740-47-0x000000000F140000-0x000000000F746000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/3740-48-0x000000000EC50000-0x000000000ED5A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3740-49-0x000000000EB80000-0x000000000EB92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3740-50-0x000000000EBE0000-0x000000000EC1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3740-51-0x0000000006E70000-0x0000000006EBB000-memory.dmp

      Filesize

      300KB

      Download