Analysis

  • max time kernel
    138s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:38

General

  • Target

    061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3.exe

  • Size

    656KB

  • MD5

    1a8079b8f19a5d0a3382c8f0f1c82b23

  • SHA1

    2fa2c4c059b2b1da583ddee3173fadd02d501ff8

  • SHA256

    061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3

  • SHA512

    49657dc6adf64355cc4c14baa8b15da1dc1ce3897b770c530d66a593da220463e4072d09f0ad905da8c49e17cbca9fd8cbac4a63dc16a73a1ad922a41118ccdc

  • SSDEEP

    12288:7Mrty90IqQic5Cf54N7Mw7KKNc9lKR+9W0Eu+wSGgjU427q4IIWI:yyVqQiUChU75Nc9lKR0W0EB+RCI

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3.exe
    "C:\Users\Admin\AppData\Local\Temp\061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aR4sY95.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aR4sY95.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GJ79bp7.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GJ79bp7.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3192
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2776
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 592
          4⤵
          • Program crash
          PID:4720
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pj9120.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pj9120.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:1364
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 572
            4⤵
            • Program crash
            PID:1964
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jY78be.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jY78be.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:976
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3192 -ip 3192
      1⤵
        PID:3024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2096 -ip 2096
        1⤵
          PID:1884

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jY78be.exe

          Filesize

          31KB

          MD5

          660ee44062a62cb8db14126820e8439a

          SHA1

          4ce91b12fa201fcd40a88ce01a3e06c129ff12a7

          SHA256

          cd6547c71b21b84db9f773a666ee290fad806b8f32e9c8a3f60c8c71fe92653a

          SHA512

          24323f8bff470d78a524d3b153124f192ae02bd64fa9d8a9cbb68033904640bf3c8b5dc63a7bafd599ec83c27c22964b36e19ce864372681578cd839dc4b9704

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aR4sY95.exe

          Filesize

          532KB

          MD5

          88eb1d7a802a2b6b9e3fb4d8bc66a46d

          SHA1

          49316a947358d073b721dcd50c0b66e437c7cf9f

          SHA256

          8706421d0fcee839da39ea13c6e1cdfa1996fb0813eb099a3680146878b76857

          SHA512

          91c452df87bdabfd05e7e84507be9e3ec2e2c989d2f78f788ac183d39626bf3b69dca7f99f8124e83b4f230164515b38bbed7eba048b4a19f21f46fa6b7840ac

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GJ79bp7.exe

          Filesize

          935KB

          MD5

          cbb313983c04005881fe4471332ce0e6

          SHA1

          38bea7fbef06c90380444951540567bb80e081c5

          SHA256

          b005b61dfb0c7a298fadc4b11ea9a7a5b11d305136e692e555020b7989274bcb

          SHA512

          ba7f725041e5e5fe41075497284357c7b8bce6ed1059f455da2d94262b56eeaf9028b58e1fc84419af1d3be96415a33dfa4982d9f7553ac3129d4b58940624b4

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pj9120.exe

          Filesize

          1.1MB

          MD5

          25e8e635d50c9a8cd65c94b4a1ad2a03

          SHA1

          a091e7441672bfd52c2a917b982b53470068b472

          SHA256

          793ec3e4229f327d2c3787aa5cd4135033ce600cf9240d2a3e5d2bead6660c73

          SHA512

          ecbd779c50132878004cb5053a1a81c93053fe4e19aa46b115b0cf3b6efa0b7e49b9a7abc2a103526f1f16a52bd176ff52099a548a2ee810ee63c5345bcb837d

        • memory/976-26-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/976-28-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/1364-19-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1364-22-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1364-20-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2776-14-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/2776-15-0x0000000073DAE000-0x0000000073DAF000-memory.dmp

          Filesize

          4KB