Overview

overview

10

Static

static

3

06f1b755da...d3.exe

windows10-2004-x64

10

14b33a31c1...19.exe

windows10-2004-x64

10

16f3c19a7f...1a.exe

windows10-2004-x64

10

192ce44be6...d3.exe

windows10-2004-x64

10

208bd49be4...cf.exe

windows10-2004-x64

10

2ae8e0e720...19.exe

windows10-2004-x64

10

2b74e820a6...32.exe

windows10-2004-x64

10

396631ba37...a0.exe

windows10-2004-x64

10

777259b2de...25.exe

windows10-2004-x64

10

7f06170b1d...e6.exe

windows10-2004-x64

10

80f9db3963...66.exe

windows10-2004-x64

10

8d2837f05f...42.exe

windows10-2004-x64

10

9a7ee6b801...e4.exe

windows10-2004-x64

10

9c8e4ed081...a3.exe

windows10-2004-x64

10

a68c5e94f5...52.exe

windows10-2004-x64

10

aaed2c62a2...28.exe

windows10-2004-x64

10

e097574588...fe.exe

windows10-2004-x64

10

e256d9f4b9...eb.exe

windows10-2004-x64

10

f02caa1867...71.exe

windows10-2004-x64

10

f7447a8c0b...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe

  • Size

    657KB

  • MD5

    01a84bc0f9662c85b3e51840340584e7

  • SHA1

    f9b058a4d293cd4736466b97a75159823e2a0ac9

  • SHA256

    16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a

  • SHA512

    b78da685b4ac48bf111285dadd929e76f2282f50e66c31df783dc92c677d8c6d3ee5d64aa11b7d70102cf556565bdd29b6a7bbd0b88582115471d77ef73f193d

  • SSDEEP

    12288:KMrhy90Dr/7bS2jGH0CwdYQS6QbyfFAF0oxJ5myPoOmIfb:TyanVGUCwd/S6QbyfFA75oOmGb

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe
    "C:\Users\Admin\AppData\Local\Temp\16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Id1Tk83.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Id1Tk83.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Tl75WE8.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Tl75WE8.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2068
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2iu9448.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2iu9448.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3556
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uE65Mj.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uE65Mj.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:3088

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uE65Mj.exe
      Filesize

      30KB

      MD5

      02bf10f796901f77e15450a0ade88c5c

      SHA1

      370b1f21850f48c7118294254c4b0cccbe3d6ce6

      SHA256

      d1086600b1cb6172db50366e66a6884381d2f17f94a0c26c606243a9e39086ff

      SHA512

      effec019ccd580e58ddf3dace92794ad8f85fa6e22e1f1f8bf28bcd38f6ca01f24b4c70cc8575fcb6c29a7403a3b79b75354d2754451565d46cdd9fefa6b7bc0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Id1Tk83.exe
      Filesize

      533KB

      MD5

      987805bec721420c6dbae12d3fef4175

      SHA1

      180daf1addf6fbb464bc1600337ca9125a68e7ad

      SHA256

      0562354daac0af76f2fc26f6cb1b1c836dbc44897cd3c21b86f06ece5009624d

      SHA512

      94b528330591235178e77f24753da94c5afc451cf02e865dfd406e881e36a59dea3812a02731b9f02b79269cfa7a0f225eb35c64049bae1f14575db1900a24bf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Tl75WE8.exe
      Filesize

      886KB

      MD5

      1d9d7a899796eeef436cd9bd87c3f80b

      SHA1

      022ca79920460943be3633016075272c4a990cfe

      SHA256

      ca9d570cd537a6c8f6b48c2c92a7c95e7ff837d3084f6e3c7803897a5a63fb95

      SHA512

      1e7d9b16e4690b59d7b7a281668ddc3a3fc5b8d51f50c92dbaef5ecee6e770fb531ac266eab83480b21e7f49fe863225eebe86b602d47f8523bde4e672ef041e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2iu9448.exe
      Filesize

      1.1MB

      MD5

      773e9b58999ac4f1a4f26929f85883e4

      SHA1

      46a9342c366ef802375e2d48d904227ac819b157

      SHA256

      fb4ed616baeaaf895b7aafbbb9595f00a883982fa4a08c17b03fda80e05936a7

      SHA512

      d63ba4f2a5746119d7cd5be602cb0f8797ddef0d1fe2effa997cef7b9f1ad03b5d2c34a19c03dec6e5b6498d0dfb51832e8cd7199633ef8170b85791e956b280

      Download Submit
    • memory/2068-14-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3088-25-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/3088-27-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/3556-18-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/3556-21-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/3556-19-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download