Analysis
-
max time kernel
138s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 19:04
General
-
Target
061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3.exe
-
Size
656KB
-
MD5
1a8079b8f19a5d0a3382c8f0f1c82b23
-
SHA1
2fa2c4c059b2b1da583ddee3173fadd02d501ff8
-
SHA256
061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3
-
SHA512
49657dc6adf64355cc4c14baa8b15da1dc1ce3897b770c530d66a593da220463e4072d09f0ad905da8c49e17cbca9fd8cbac4a63dc16a73a1ad922a41118ccdc
-
SSDEEP
12288:7Mrty90IqQic5Cf54N7Mw7KKNc9lKR+9W0Eu+wSGgjU427q4IIWI:yyVqQiUChU75Nc9lKR0W0EB+RCI
Malware Config
Signatures
-
Detect Mystic stealer payload 3 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3.exe"C:\Users\Admin\AppData\Local\Temp\061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aR4sY95.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aR4sY95.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GJ79bp7.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GJ79bp7.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 5764⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pj9120.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pj9120.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 5724⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jY78be.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jY78be.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2356 -ip 23561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 904 -ip 9041⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jY78be.exeFilesize
31KB
MD5660ee44062a62cb8db14126820e8439a
SHA14ce91b12fa201fcd40a88ce01a3e06c129ff12a7
SHA256cd6547c71b21b84db9f773a666ee290fad806b8f32e9c8a3f60c8c71fe92653a
SHA51224323f8bff470d78a524d3b153124f192ae02bd64fa9d8a9cbb68033904640bf3c8b5dc63a7bafd599ec83c27c22964b36e19ce864372681578cd839dc4b9704
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aR4sY95.exeFilesize
532KB
MD588eb1d7a802a2b6b9e3fb4d8bc66a46d
SHA149316a947358d073b721dcd50c0b66e437c7cf9f
SHA2568706421d0fcee839da39ea13c6e1cdfa1996fb0813eb099a3680146878b76857
SHA51291c452df87bdabfd05e7e84507be9e3ec2e2c989d2f78f788ac183d39626bf3b69dca7f99f8124e83b4f230164515b38bbed7eba048b4a19f21f46fa6b7840ac
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GJ79bp7.exeFilesize
935KB
MD5cbb313983c04005881fe4471332ce0e6
SHA138bea7fbef06c90380444951540567bb80e081c5
SHA256b005b61dfb0c7a298fadc4b11ea9a7a5b11d305136e692e555020b7989274bcb
SHA512ba7f725041e5e5fe41075497284357c7b8bce6ed1059f455da2d94262b56eeaf9028b58e1fc84419af1d3be96415a33dfa4982d9f7553ac3129d4b58940624b4
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pj9120.exeFilesize
1.1MB
MD525e8e635d50c9a8cd65c94b4a1ad2a03
SHA1a091e7441672bfd52c2a917b982b53470068b472
SHA256793ec3e4229f327d2c3787aa5cd4135033ce600cf9240d2a3e5d2bead6660c73
SHA512ecbd779c50132878004cb5053a1a81c93053fe4e19aa46b115b0cf3b6efa0b7e49b9a7abc2a103526f1f16a52bd176ff52099a548a2ee810ee63c5345bcb837d
-
memory/1232-14-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/1232-15-0x000000007441E000-0x000000007441F000-memory.dmpFilesize
4KB
-
memory/2884-19-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2884-20-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2884-22-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3360-26-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3360-27-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB