Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:04

General

  • Target

    eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe

  • Size

    645KB

  • MD5

    5c7efd9ec3e27bb93244365f3ccf6bd7

  • SHA1

    8cff2506763935140038ddfd27738d40ebf05eab

  • SHA256

    eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352

  • SHA512

    ea7f94292cb9c024af86dd3176afb4daa7940d2fc6c3616bbba3d9493251273ab921916a04f6a5fd629a5204199ea9dac8948bd03a5031333773e695bf32ac20

  • SSDEEP

    12288:6cMrEy90nyAH07CUhQWRNJcN7MOApGiBg4D/ovR18txF7y+bR6Vq:64y13eUhiPA8iBDxF7+o

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe
    "C:\Users\Admin\AppData\Local\Temp\eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bO1Oi36.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bO1Oi36.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QD06VA8.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QD06VA8.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4496
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2GQ9959.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2GQ9959.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4776
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3La00TE.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3La00TE.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:4920
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:432

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3La00TE.exe

      Filesize

      30KB

      MD5

      d84569a706b9c209fe691fb20af40afe

      SHA1

      2fd9b3710be51ee7318be4b905cf17447331cc73

      SHA256

      8225d0527e3a0ad5fd83412ed5d2c026ed2677b3f8f221160d64e5bbbe492838

      SHA512

      c346a73bb0710f520524e3b0680f14c9e53428842850c000d5a1d02fcfda0014f57d619e295ad3b45bb31724e6edb69229e77d1ab73a082620ab0ba1cdc9feee

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bO1Oi36.exe

      Filesize

      521KB

      MD5

      7f35d65926d1b28d7e70210e085c6caf

      SHA1

      461a90b25f1c893a50394ec5f7765761892a40f1

      SHA256

      c55be9f930e9865d003860a3f6389c6e3e70dd04879076d6c654387c79e7cfae

      SHA512

      e1d511dde2beb736c7f745bcc72ac30827ef82e4fe6d4410701b735e45c2ad56483fea01ddcda331e9420c4d6c76eab1170a64ed6acabd72f8ca3765d3158c0e

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QD06VA8.exe

      Filesize

      878KB

      MD5

      010bf0c94334d77fdcd5ebf4c268a1f2

      SHA1

      dbbf0d948f8eb38a89081c350ed15a6d5237b234

      SHA256

      5cbe4f941a16573029af6f3d4339e987280ad08f7fe84aae64627c182fe95fcd

      SHA512

      033ba8a967f16a25245fa384d132fdb1b8b0ad28620987a81824261317c19dcdf1e7a935ea3d901596f9a4030cebeff27379ad745d920f47c300a4ddb2460e85

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2GQ9959.exe

      Filesize

      1.1MB

      MD5

      b14d236952119c720e5dd5981abcf5ac

      SHA1

      5fe5e42551f0339ee787f0e14c4b0d347031cbcc

      SHA256

      587a9ec0924567e8ae88d08796671f0f6a39fb31cd7e53fe268fc7b83f3af1f6

      SHA512

      dc2c37208b00c4188b05285d70735497407a3217ed4218fed6a7ff716994e59004ae6f824538a01b2dc82e540f91bf53aa5e51905fc7f59c414b997870fcbda8

    • memory/4496-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/4776-21-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4776-19-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4776-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4920-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/4920-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB