Overview

overview

10

Static

static

3

006388190d...bb.exe

windows10-2004-x64

10

0254882920...b5.exe

windows10-2004-x64

10

059acceaf9...4e.exe

windows10-2004-x64

10

23e52eabfc...16.exe

windows10-2004-x64

10

346c48a087...17.exe

windows10-2004-x64

10

3a559db9fb...76.exe

windows10-2004-x64

10

3bd30de35b...fb.exe

windows10-2004-x64

10

4563b46d64...3c.exe

windows10-2004-x64

10

45ab0e1069...0f.exe

windows10-2004-x64

10

545f251975...f8.exe

windows10-2004-x64

10

5bd9b291d7...ab.exe

windows10-2004-x64

10

5e70f35516...00.exe

windows10-2004-x64

10

7348ee4e4e...6d.exe

windows10-2004-x64

10

8b460dc8cc...29.exe

windows10-2004-x64

10

928c96df1b...ca.exe

windows10-2004-x64

10

972fcfe587...1d.exe

windows10-2004-x64

10

a025c0e619...2e.exe

windows10-2004-x64

10

bc0667bb8d...75.exe

windows10-2004-x64

10

cf82c35e0a...89.exe

windows10-2004-x64

10

fbe2b19c30...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76.exe

  • Size

    654KB

  • MD5

    6bf1ef97fb912648145ba8485d0034aa

  • SHA1

    ebe81236c38c87b10c18ac8294858b0dd5c723bd

  • SHA256

    3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76

  • SHA512

    33fe49918aa24ba2b8f91841d306be23331272e104ff45a02036d2ff23d18ff27eeab62dfdedd80adcfdc0b751d22fe5f24bf6956ef81a7f6e7def89d5ff0c13

  • SSDEEP

    12288:TMrry90TX9G2u/oa4+IenzZPBXUafP5DyCMZ8Xvnr80snL:4yopa9lnsCMkC

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76.exe
    "C:\Users\Admin\AppData\Local\Temp\3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dY4qN56.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dY4qN56.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gb93pY5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gb93pY5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4008
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2188
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4248
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Kz6190.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Kz6190.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:2336
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Mj79rp.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Mj79rp.exe
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:1728

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Mj79rp.exe
        Filesize

        30KB

        MD5

        215e3a9d31f716e9fa83930c20b0447b

        SHA1

        eedb95d8509fd44874d0edd450afc719b179bb91

        SHA256

        d3d4a9677a53e4a96c61e7db4859048dca12af579a174e69df3088d6efa0562d

        SHA512

        f39ea66bf720fb573a7a45878d4bd255e66f3709c54f2a00877425072d1b16eca69cda79cabd95705a88b54fd6676e78d39de914470b2569707639681657c92d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dY4qN56.exe
        Filesize

        530KB

        MD5

        e63ba8400f262a064a03ad903da92ea1

        SHA1

        ee6722892cf70e631549afe07ef6566b85f5f92e

        SHA256

        b85d1c3b8f669d663ed41d0075485df944d5e0fbacb12b285b30862afd9934f4

        SHA512

        d831ba8fb671364601219947f67214321e4ab6e1bd5362446a90e0455e3095ad9f0d721338d4dbea284c53a51d469a6d575f162d0d36caa3493d69f730004dd5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gb93pY5.exe
        Filesize

        883KB

        MD5

        e710131b72c78af653d8d53004137b86

        SHA1

        e2130960a1e26da27507be5fdcf680ecb646914b

        SHA256

        b0b161892bf942f12c413d1c9677688ea67d9e131236ab707726b0ce1b504f33

        SHA512

        be99c3428847c92d735ffa581f9ec311f061285008b728e23dbe692ca3345e1ffedaea19ae55337b65664bfcb665ebe798f21a5c6d8c2bdcce4449b205eeabff

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Kz6190.exe
        Filesize

        1.1MB

        MD5

        464cce29c9abcbab188937169d186a28

        SHA1

        6a2e7d87d074c17b945396562f140dc3582f41ee

        SHA256

        22401410ce1fa30f7c3526c4e579f092c7b0d96205766eb7d69a34de62e7e2b6

        SHA512

        fe18c91339bad1b6664a878fc73f35880d6ac765acc3f3390312751f1ece5c6aef87293c30af880e456827dd78fff42b345a078c2b9a677697bcde79f5bea98e

        Download Submit

      • memory/1728-24-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1728-26-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2336-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2336-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2336-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4248-14-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download