Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 18:50

General

  • Target

    a277894fe9048cd5fca86a41cd15d3ca798f15ec412ab35d84f136d39597b97d.exe

  • Size

    831KB

  • MD5

    85e4a0f5a6136ee4873a53af1f693ed0

  • SHA1

    c8295b1ef666acdb88a5e320b5a1d70eeb17d96b

  • SHA256

    a277894fe9048cd5fca86a41cd15d3ca798f15ec412ab35d84f136d39597b97d

  • SHA512

    cccfff50a1c9736573e80e7d66991930ffd0a607441e2bba89a61a7e5860d31494475387068895ed0f42d05251ece93f599f78ef325c62db1c04170099243c7c

  • SSDEEP

    12288:wMrNy90oQfovlCb2GmvXKcOr1+JTWZx2LufAKuBG/Nw8SjKgpJlGRqMul0CX/Qmd:tyPQfoIO6cxWZxuBHvb+qMuJPSzk7

Malware Config

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a277894fe9048cd5fca86a41cd15d3ca798f15ec412ab35d84f136d39597b97d.exe
    "C:\Users\Admin\AppData\Local\Temp\a277894fe9048cd5fca86a41cd15d3ca798f15ec412ab35d84f136d39597b97d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OK8oV32.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OK8oV32.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LI96Cu3.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LI96Cu3.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:852
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ZQ3937.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ZQ3937.exe
        3⤵
        • Executes dropped EXE
        PID:1708
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3kj59GC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3kj59GC.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Checks SCSI registry key(s)
        PID:2384

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 2
  • Impair Defenses (T1562): 1
    • Disable or Modify Tools (T1562.001): 1

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3kj59GC.exe
    Filesize

    916KB

    MD5

    7bd7a6ca99c240a8f965694db9779220

    SHA1

    a4b22dd580b07c487c96e5889c272c8ce966f6d8

    SHA256

    2cba59d0e93c789487237caefe4701ddafed3f03a507276006965f63a5b17763

    SHA512

    37fbe01fe87017e69200bb9bb521ee6d0bf7fb410dbb6015a914e392170b16afbb17121e0f3bc38fabc3b6f4e337cde802def340124c1f9b1c1c72f59440f714

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OK8oV32.exe
    Filesize

    464KB

    MD5

    00d2e192feaff9eaca0ec3c12f0a54f9

    SHA1

    9a6af5c7fa6a09c1510247fe4091d3c418f4d0fb

    SHA256

    96ce06b368c27ec0be775933dad4b108745aeec3e6af2dc16cdb891999f3066e

    SHA512

    694996933f02137531d01c9b16c7fb0240250f42ea06c9e7a61210b54afbd7aa02a865007825a6414bc029259b3c8ec1d7a2f9a33b529024c7216aa954ff3493

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LI96Cu3.exe
    Filesize

    894KB

    MD5

    482c2daaa7250f2f2349259f7b6b09c3

    SHA1

    1313bc91e68a021c138ecf958db84c1d5b844895

    SHA256

    44caf6ae6a43d1d4c73ba84983921d506f45dc226a311a5e307e94132322e446

    SHA512

    676663ccddf48938b1b99632359978ef8847e7ed186c60c5b12b0f04040452fa9ece35b9f252768b49fce37e920d078c594bd1ea14f8d3ea0e10191959644076

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ZQ3937.exe
    Filesize

    180KB

    MD5

    53e28e07671d832a65fbfe3aa38b6678

    SHA1

    6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

    SHA256

    5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

    SHA512

    053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

  • memory/852-14-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

  • memory/2384-21-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB