Analysis

  • max time kernel
    134s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 18:33

General

  • Target

    56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254.exe

  • Size

    646KB

  • MD5

    f6b5bede9b07bfce7ac3d693d5494761

  • SHA1

    7433b82c21237a1a65994a7ae0843d5ee891ae92

  • SHA256

    56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254

  • SHA512

    485a0e0c14a0fdddf9936fbb65f5202989c20f707194bc2cd0af96a08ccc173f65089805aa1287dcdb9389f968f769b91b760f9c6bee379ea8b7822badb544c2

  • SSDEEP

    12288:7Mruy90A+LXj+ipMEl92UTVK40hxLqrNuB5sZ75Ar+P9L:Vyy6ml92Ug4SGrNuBOZ72r+L

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254.exe
    "C:\Users\Admin\AppData\Local\Temp\56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ez6IT84.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ez6IT84.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tX58Us5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tX58Us5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3872
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2yc4542.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2yc4542.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:4008
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3eg67fO.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3eg67fO.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:4772

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3eg67fO.exe

      Filesize

      30KB

      MD5

      8183afb2622655cd9d9d743dcb21f07f

      SHA1

      76ee5e70b0c936ca1ddd4352ee9428f5797184e6

      SHA256

      ee7c1c77bca6eb42c882a643e9c8393d4ced0ed87a325d01a524f8060c47599c

      SHA512

      be7ef2a819b6b6d641dc453b7098993b8732e288a489a2f626d780269af0f26b678670d7b9e2129b384b83381a4bf5d3d3eaef86422a66ad60d0e29573e785c6

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ez6IT84.exe

      Filesize

      521KB

      MD5

      10c805e74405d3464023dd14063d16a9

      SHA1

      eee591acd850842f39891253cd9e84a6de5c44bd

      SHA256

      e4add5510b46951dc8a7c0e13be23874795ad2ada12cd074e970110fb554befa

      SHA512

      cd5b1607141107c093ed2b21361e9798bdf0ad9eb449885d1a4fe8c9fb749a47be9f6b48f96fd6280f950da55d712af4aae0703ceaa09773c58918851af07927

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tX58Us5.exe

      Filesize

      878KB

      MD5

      47bb163f5d535957ee17616d75ebdd09

      SHA1

      754f070513a61b90ba93a5b2ddf48d86effb4049

      SHA256

      ea71b32cb6f87f70a23a2e558aa956a4cab0ec73864d31f91b87bb4a6d7616d0

      SHA512

      aff63f8932e82486ceaf94cb3981d43d81c69d0c68741d700716d299b18d2002155ca3d875fbc69f0418dfaa13255cbcd0ee319e5dbc8d6898b394cff6a90909

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2yc4542.exe

      Filesize

      1.1MB

      MD5

      bcd73b10030a7551081985b97bbeb320

      SHA1

      166b6963804ae79014bd8de0b29e4f80c8579396

      SHA256

      705923b98070517d048b894317bd086261f54631fc2b0aa5374d58cb18f52c87

      SHA512

      f14332402c84a1cc1edc6601dca2edb88de587fee65c7ec6f5b9de2eefa6c1b6d1930f65a52e9287471e4e4b8de3160b3e64053de861511f05be524aa17a9b96

    • memory/3872-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/4008-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4008-22-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4008-24-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4772-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/4772-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB