Overview

overview

10

Static

static

3

06f3c929ba...53.exe

windows10-2004-x64

10

122d65cff9...20.exe

windows10-2004-x64

10

1a0bfd97a4...9c.exe

windows10-2004-x64

10

1a180e9105...fe.exe

windows10-2004-x64

10

1c5289e7e6...0b.exe

windows10-2004-x64

10

32ca200f34...aa.exe

windows10-2004-x64

10

3aa025ea78...5d.exe

windows10-2004-x64

10

3bcf19ad48...5c.exe

windows10-2004-x64

10

6b10f19a8c...42.exe

windows10-2004-x64

10

8b1c0f6d0e...f8.exe

windows10-2004-x64

10

9270cb48ef...96.exe

windows10-2004-x64

10

982c3849f2...2b.exe

windows10-2004-x64

10

a5ef532105...7b.exe

windows10-2004-x64

10

a96e6df3c0...de.exe

windows10-2004-x64

10

ba6bca4989...71.exe

windows10-2004-x64

10

bad97858db...8e.exe

windows10-2004-x64

10

bcce7883f8...a7.exe

windows7-x64

10

bcce7883f8...a7.exe

windows10-2004-x64

10

cfb7a03bea...b3.exe

windows10-2004-x64

10

f446c909f1...3f.exe

windows10-2004-x64

10

f8f22cd34c...16.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3aa025ea78f4c4f22121974ca9750d5a185b237e08bdbb6226487f9b7182e85d.exe

  • Size

    658KB

  • MD5

    b0c2c81fdcde86499d25384bcc5b5496

  • SHA1

    88e3a72292ded161a03f21a75f9867e2b37f2a1c

  • SHA256

    3aa025ea78f4c4f22121974ca9750d5a185b237e08bdbb6226487f9b7182e85d

  • SHA512

    e5bc6a333d930c280e690afe6d6ab0a9aea8faaa1c3ec3111a53b2f6c96eb92b6cdb07b2476ceadf69a9bf80a6dd3024a34560ec2e9dd5b09b647f3c5f6ceebd

  • SSDEEP

    12288:QMrWy90eldXuavK8MFqMsq40dEqPEF4FHe/O1wqFhyh1bN2Ar:WyPpdKVqMsgdEqA4FHe/0eF7r

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3aa025ea78f4c4f22121974ca9750d5a185b237e08bdbb6226487f9b7182e85d.exe
    "C:\Users\Admin\AppData\Local\Temp\3aa025ea78f4c4f22121974ca9750d5a185b237e08bdbb6226487f9b7182e85d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cd7Xt28.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cd7Xt28.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qy89gQ1.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qy89gQ1.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5080
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1364
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eP3859.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eP3859.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3184
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:5096
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3sQ62eA.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3sQ62eA.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:364

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3sQ62eA.exe
      Filesize

      30KB

      MD5

      7fd8af5304b8a42cfa0789c68cf3c5f5

      SHA1

      9e0d86b3a16f0b4b5552599d17bc81ca9d7caae6

      SHA256

      8b338baf2fc4f210192cfd5b91731240f736a00b1a9500edf8cf69d50391b4bf

      SHA512

      959d9b878f34084cf6b5df1d22f3ab0e986cd506852cc0a03eca09aed383fcc05de70b9fd5918ea5e658437fe7848631ce547ac05a694fed318df2cb9c222d95

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cd7Xt28.exe
      Filesize

      535KB

      MD5

      b09e420cf45230a44567f430930365b1

      SHA1

      0df8708e33e0f8b067f9e297720297395301d82e

      SHA256

      87d140d7e8a0f6081e1fff4f212630d08e8959e131dc82a13827ce04bdc3315d

      SHA512

      8b4dfb5962b953d4cd7e388238db291f49cbb9a9e44596db4aa2f709d955f31db7c13c8f757647b3d872efafac69aedbcf1be647f2b57079c7aeb04a5bf2f61f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qy89gQ1.exe
      Filesize

      886KB

      MD5

      f3a03faab31565c8caeed42902fae963

      SHA1

      413f1209770bd881a8d52232fe1538469d8fdd29

      SHA256

      8f88d0e19b4bf9a8f0f7997996a945decc02631aaf1f10c3e50df4ea61e896fb

      SHA512

      a216ae2e9b2ab77d6517470fd523acbb7deda58fb810ded8679e4ab99891610526f86cc106ba37b1906cc8bb6f98cc372108100294dcedd49c28579606d3f497

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eP3859.exe
      Filesize

      1.1MB

      MD5

      67c318ba3f42eca9ba296cdf6822d816

      SHA1

      7d1114a59f2106d11079db6e535e89a01c39d493

      SHA256

      f28d96a64de53d5d1800b53ebe218a0454172762ebe4c7939fe9c767650cd95b

      SHA512

      f71d4c84469e98377eacdda5438f1a883b6e8b6f55eb4e0961148a677398d81077acceafb74bdbb9d35f40ff7ba0a93c5b1ab6ded8e7a3ca6b84cef5ff10803c

      Download Submit

    • memory/364-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/364-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1364-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5096-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/5096-21-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/5096-19-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download