Overview

overview

10

Static

static

3

0805913f50...13.exe

windows10-2004-x64

10

11eba51293...3a.exe

windows10-2004-x64

10

17a0568b20...3a.exe

windows10-2004-x64

10

346c46bc82...26.exe

windows10-2004-x64

10

4867af9d5d...1f.exe

windows10-2004-x64

10

5f2f269e1f...9a.exe

windows10-2004-x64

10

64e73ef21d...a1.exe

windows10-2004-x64

10

7c556f6f80...61.exe

windows10-2004-x64

10

8c970cc94c...d3.exe

windows10-2004-x64

10

9296923f57...24.exe

windows10-2004-x64

10

ae96a881fd...69.exe

windows10-2004-x64

10

b150b2b6ed...d5.exe

windows10-2004-x64

10

c1b0ce286b...51.exe

windows10-2004-x64

10

c1d1b117a2...35.exe

windows10-2004-x64

10

d876400b35...04.exe

windows10-2004-x64

10

eb3bd6af82...52.exe

windows10-2004-x64

10

eb7c2e9dc2...28.exe

windows10-2004-x64

10

ed2eb0d5dc...bf.exe

windows10-2004-x64

10

fc2a396813...13.exe

windows10-2004-x64

10

fd4ce916b7...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe

  • Size

    645KB

  • MD5

    5c7efd9ec3e27bb93244365f3ccf6bd7

  • SHA1

    8cff2506763935140038ddfd27738d40ebf05eab

  • SHA256

    eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352

  • SHA512

    ea7f94292cb9c024af86dd3176afb4daa7940d2fc6c3616bbba3d9493251273ab921916a04f6a5fd629a5204199ea9dac8948bd03a5031333773e695bf32ac20

  • SSDEEP

    12288:6cMrEy90nyAH07CUhQWRNJcN7MOApGiBg4D/ovR18txF7y+bR6Vq:64y13eUhiPA8iBDxF7+o

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe
    "C:\Users\Admin\AppData\Local\Temp\eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bO1Oi36.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bO1Oi36.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QD06VA8.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QD06VA8.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1168
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2GQ9959.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2GQ9959.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4496
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3La00TE.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3La00TE.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:2780

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3La00TE.exe
      Filesize

      30KB

      MD5

      d84569a706b9c209fe691fb20af40afe

      SHA1

      2fd9b3710be51ee7318be4b905cf17447331cc73

      SHA256

      8225d0527e3a0ad5fd83412ed5d2c026ed2677b3f8f221160d64e5bbbe492838

      SHA512

      c346a73bb0710f520524e3b0680f14c9e53428842850c000d5a1d02fcfda0014f57d619e295ad3b45bb31724e6edb69229e77d1ab73a082620ab0ba1cdc9feee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bO1Oi36.exe
      Filesize

      521KB

      MD5

      7f35d65926d1b28d7e70210e085c6caf

      SHA1

      461a90b25f1c893a50394ec5f7765761892a40f1

      SHA256

      c55be9f930e9865d003860a3f6389c6e3e70dd04879076d6c654387c79e7cfae

      SHA512

      e1d511dde2beb736c7f745bcc72ac30827ef82e4fe6d4410701b735e45c2ad56483fea01ddcda331e9420c4d6c76eab1170a64ed6acabd72f8ca3765d3158c0e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QD06VA8.exe
      Filesize

      878KB

      MD5

      010bf0c94334d77fdcd5ebf4c268a1f2

      SHA1

      dbbf0d948f8eb38a89081c350ed15a6d5237b234

      SHA256

      5cbe4f941a16573029af6f3d4339e987280ad08f7fe84aae64627c182fe95fcd

      SHA512

      033ba8a967f16a25245fa384d132fdb1b8b0ad28620987a81824261317c19dcdf1e7a935ea3d901596f9a4030cebeff27379ad745d920f47c300a4ddb2460e85

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2GQ9959.exe
      Filesize

      1.1MB

      MD5

      b14d236952119c720e5dd5981abcf5ac

      SHA1

      5fe5e42551f0339ee787f0e14c4b0d347031cbcc

      SHA256

      587a9ec0924567e8ae88d08796671f0f6a39fb31cd7e53fe268fc7b83f3af1f6

      SHA512

      dc2c37208b00c4188b05285d70735497407a3217ed4218fed6a7ff716994e59004ae6f824538a01b2dc82e540f91bf53aa5e51905fc7f59c414b997870fcbda8

      Download Submit
    • memory/1168-14-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2780-25-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/2780-27-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/4496-18-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/4496-19-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/4496-21-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download