Overview

overview

10

Static

static

3

01f1d397ee...7e.exe

windows10-2004-x64

10

061d4b3cae...c3.exe

windows10-2004-x64

10

1510cb1a4f...7d.exe

windows10-2004-x64

10

18c958ac25...40.exe

windows10-2004-x64

10

1ae5f47f1c...e8.exe

windows10-2004-x64

10

27768bc448...de.exe

windows10-2004-x64

10

32de0993bc...1e.exe

windows10-2004-x64

10

4758300458...ca.exe

windows10-2004-x64

10

58fadac014...99.exe

windows10-2004-x64

10

5bcb59af1e...c1.exe

windows10-2004-x64

10

6e55f3939c...05.exe

windows10-2004-x64

10

7974488bc6...15.exe

windows10-2004-x64

10

835316bac6...9f.exe

windows10-2004-x64

10

9e24511e4a...1c.exe

windows10-2004-x64

10

a9634fd1ba...2f.exe

windows10-2004-x64

10

c1f424012a...97.exe

windows10-2004-x64

10

d73983a055...6c.exe

windows10-2004-x64

10

d7acd7c73c...c4.exe

windows10-2004-x64

10

e7a1c6bd3a...74.exe

windows10-2004-x64

10

e9a8b4bb4d...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3.exe

  • Size

    656KB

  • MD5

    1a8079b8f19a5d0a3382c8f0f1c82b23

  • SHA1

    2fa2c4c059b2b1da583ddee3173fadd02d501ff8

  • SHA256

    061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3

  • SHA512

    49657dc6adf64355cc4c14baa8b15da1dc1ce3897b770c530d66a593da220463e4072d09f0ad905da8c49e17cbca9fd8cbac4a63dc16a73a1ad922a41118ccdc

  • SSDEEP

    12288:7Mrty90IqQic5Cf54N7Mw7KKNc9lKR+9W0Eu+wSGgjU427q4IIWI:yyVqQiUChU75Nc9lKR0W0EB+RCI

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3.exe
    "C:\Users\Admin\AppData\Local\Temp\061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aR4sY95.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aR4sY95.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GJ79bp7.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GJ79bp7.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2356
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1232
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 576
          4⤵
          • Program crash
          PID:4344
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pj9120.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pj9120.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:904
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2884
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 572
            4⤵
            • Program crash
            PID:224
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jY78be.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jY78be.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:3360
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2356 -ip 2356
      1⤵
        PID:2616
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 904 -ip 904
        1⤵
          PID:404

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jY78be.exe
          Filesize

          31KB

          MD5

          660ee44062a62cb8db14126820e8439a

          SHA1

          4ce91b12fa201fcd40a88ce01a3e06c129ff12a7

          SHA256

          cd6547c71b21b84db9f773a666ee290fad806b8f32e9c8a3f60c8c71fe92653a

          SHA512

          24323f8bff470d78a524d3b153124f192ae02bd64fa9d8a9cbb68033904640bf3c8b5dc63a7bafd599ec83c27c22964b36e19ce864372681578cd839dc4b9704

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aR4sY95.exe
          Filesize

          532KB

          MD5

          88eb1d7a802a2b6b9e3fb4d8bc66a46d

          SHA1

          49316a947358d073b721dcd50c0b66e437c7cf9f

          SHA256

          8706421d0fcee839da39ea13c6e1cdfa1996fb0813eb099a3680146878b76857

          SHA512

          91c452df87bdabfd05e7e84507be9e3ec2e2c989d2f78f788ac183d39626bf3b69dca7f99f8124e83b4f230164515b38bbed7eba048b4a19f21f46fa6b7840ac

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1GJ79bp7.exe
          Filesize

          935KB

          MD5

          cbb313983c04005881fe4471332ce0e6

          SHA1

          38bea7fbef06c90380444951540567bb80e081c5

          SHA256

          b005b61dfb0c7a298fadc4b11ea9a7a5b11d305136e692e555020b7989274bcb

          SHA512

          ba7f725041e5e5fe41075497284357c7b8bce6ed1059f455da2d94262b56eeaf9028b58e1fc84419af1d3be96415a33dfa4982d9f7553ac3129d4b58940624b4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pj9120.exe
          Filesize

          1.1MB

          MD5

          25e8e635d50c9a8cd65c94b4a1ad2a03

          SHA1

          a091e7441672bfd52c2a917b982b53470068b472

          SHA256

          793ec3e4229f327d2c3787aa5cd4135033ce600cf9240d2a3e5d2bead6660c73

          SHA512

          ecbd779c50132878004cb5053a1a81c93053fe4e19aa46b115b0cf3b6efa0b7e49b9a7abc2a103526f1f16a52bd176ff52099a548a2ee810ee63c5345bcb837d

          Download Submit

        • memory/1232-14-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1232-15-0x000000007441E000-0x000000007441F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2884-19-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/2884-20-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/2884-22-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

          Download

        • memory/3360-26-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3360-27-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download