Analysis

  • max time kernel
    136s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:55

General

  • Target

    cf840721c08fa286313bd7ac68fc5bac88559652036dfbdcc7b3c6f0cfa13d70.exe

  • Size

    653KB

  • MD5

    14656483a2946f19c7c918dbe5d537f4

  • SHA1

    0f55bc8757709fc17cf86317ddd8a9b92eb9f94f

  • SHA256

    cf840721c08fa286313bd7ac68fc5bac88559652036dfbdcc7b3c6f0cfa13d70

  • SHA512

    222259cbf31951a3c8bd567e715f312538fda0253630c0bb62e9bad472e8b75ed878cc4a7fcb583d9ed4d2ba6e7ba4350f06025f64d9560b16b2af93fe5d8e75

  • SSDEEP

    12288:pMrNy90j2CrZ3gEuD+IxNXGEWmnP4HWaZ0RD65h3Ef+5YW2x3iY3S98:Ey82+t1IlGE14HWnRD65ha48

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf840721c08fa286313bd7ac68fc5bac88559652036dfbdcc7b3c6f0cfa13d70.exe
    "C:\Users\Admin\AppData\Local\Temp\cf840721c08fa286313bd7ac68fc5bac88559652036dfbdcc7b3c6f0cfa13d70.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sJ2DX51.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sJ2DX51.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv12kl4.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv12kl4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4512
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1904
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PK7079.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PK7079.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4384
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3488
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3LM44qU.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3LM44qU.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:3032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3LM44qU.exe

      Filesize

      30KB

      MD5

      587204dec020b59c39e994689d308b36

      SHA1

      9bf3c24a462c26f337dfb3a22a649be8effd53ce

      SHA256

      e8f929a5489d4524dd948c1d42adbf4650d628fae06ed090d112a674ab9f330a

      SHA512

      10185fb42665604de874f2bc671c573b1a4828f4e5184ad773a9add1f2176c421dec2e3bbe2dcb1352f638237a79fd2e47731526fbd380a6d83f155222c9695a

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sJ2DX51.exe

      Filesize

      528KB

      MD5

      095eae25cf99013cb95d365e45043bad

      SHA1

      c977d026c2ea71164e302ffb7739bf5fc3dc1409

      SHA256

      813fd089754f941bfcdab5c9ef44cf6a6874e32f98a84330afb3b4ed03806412

      SHA512

      4e63600109a92dfa9a7b1d257e18aa61f3d4089e4c8f91b281801ca7e99a3bfe2f8ff926703049fb67250f41594e38956ab4694d2e3182b4c40a1d2a12d14411

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv12kl4.exe

      Filesize

      886KB

      MD5

      e6c622dda3a4806f5e20122c3c263e29

      SHA1

      1f1467822754c7d75e8214b967be6f254605a4b6

      SHA256

      fee7f941dd52109d66c97e18ebf86632e1ec2465d93379755edcaee74f3bad15

      SHA512

      74efb19e2fbecf77e3456a88adf2bd5926c14869e0da3bd0bb4642df54a2fe4a68b5b2e641a262b59eeccf997790d03d8ee33a24a21cb9bf1a6edb717c3f79d3

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PK7079.exe

      Filesize

      1.1MB

      MD5

      b574f40e1deab2460227e9899ec46533

      SHA1

      e9f9c9298eaa099ee059cb3ba62ed5d62eda4c6a

      SHA256

      6275786357c95c0d5cd5fcf86175640fb6e960736b985b7c4e2c5468bd5c2aaa

      SHA512

      37e4f04239f6ca6df5e0210d5a7654538da8f7b2fdda9a7cb7f5bd6efabda9d7070471ba968e74ba655bbb9c4bb74c58216b57488a80d787f7565be23dc6693c

    • memory/1904-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/3032-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/3032-27-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/3488-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3488-19-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3488-21-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB