Overview

overview

10

Static

static

3

09aa894ba7...91.exe

windows7-x64

3

09aa894ba7...91.exe

windows10-2004-x64

10

0a8ac35e43...21.exe

windows10-2004-x64

10

1b7a61dc3f...51.exe

windows10-2004-x64

10

551b1eafcb...e2.exe

windows10-2004-x64

10

7ca70af036...50.exe

windows10-2004-x64

10

8744deeac7...a9.exe

windows10-2004-x64

10

8b831a9336...51.exe

windows10-2004-x64

10

9bcf3e48a2...50.exe

windows10-2004-x64

10

9d0a8b0afa...78.exe

windows10-2004-x64

10

a457720537...84.exe

windows10-2004-x64

10

a6aa2043f4...84.exe

windows10-2004-x64

10

b52c912b98...a3.exe

windows10-2004-x64

10

b9636f454e...f7.exe

windows10-2004-x64

10

b9cf5844f6...d1.exe

windows10-2004-x64

10

bdef450da7...8e.exe

windows10-2004-x64

10

eae63cf77a...de.exe

windows10-2004-x64

10

f1c0aed941...02.exe

windows10-2004-x64

10

f1cfe53024...42.exe

windows10-2004-x64

10

f726f9f109...ad.exe

windows10-2004-x64

10

fbaaf142d7...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9636f454e7a68c89164dedcf58da53a18aeb784c2db2df56f5684178058c7f7.exe

  • Size

    661KB

  • MD5

    2039021a8b1902d9371bfd2f8cdda163

  • SHA1

    3f70273299310a3b3087e8e922f245f31797525d

  • SHA256

    b9636f454e7a68c89164dedcf58da53a18aeb784c2db2df56f5684178058c7f7

  • SHA512

    8969c9357400eda5d5520483bbd8c5b461a41194a7c51a0c3bc09f4ede8082ee200cf56e1a8a7b9e4eb28be7c84e1873e7f0c6f6036bd3d66c7ff1e5e56596c1

  • SSDEEP

    12288:2Mrry90puJE/T6HMfeKwfoWAac2oFJLwvK9MICg8n93J6yA:FyiAO6HMWFfnFc2CJLwS6fn56yA

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9636f454e7a68c89164dedcf58da53a18aeb784c2db2df56f5684178058c7f7.exe
    "C:\Users\Admin\AppData\Local\Temp\b9636f454e7a68c89164dedcf58da53a18aeb784c2db2df56f5684178058c7f7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3632
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sr2nd83.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sr2nd83.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HS09yK1.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HS09yK1.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3772
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qx7524.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qx7524.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4696
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:704
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:3800
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3wa36lj.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3wa36lj.exe
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:1480

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3wa36lj.exe
        Filesize

        30KB

        MD5

        87d8feef3b4e673e15ee5e8399444021

        SHA1

        3a487acbbf44fdb3a3b3caa22b75c9cff5c6995c

        SHA256

        17209d3e2a1f688e8c5927fc172938bc1339d5e04bea1b70db3895c27359868f

        SHA512

        df44654d7b944c64a75a2e6e8c993144e3265fdd2b3ef9412044d5287fc07f1019a3c154fa60a448dc36523d230bd7897bde078bc0eed4a9a4dbc835a08e44c0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sr2nd83.exe
        Filesize

        537KB

        MD5

        0ec7e3f96b881a2945ab0cd86b36e448

        SHA1

        733a16baf7d11d83e0a7fdb2c55fde25238023ef

        SHA256

        4ebbc6c22c93a9925a53b927d3c63f1cd7bc56a35a9b26c7966cffed3dba4754

        SHA512

        e044d5303006ed6e3377dacaf3901b87cd0f99b25e5f6ac15ff6e008682785fbc0ea29389060f36aa84b7278ea1dcd925470402bbd1451d32001f6df2a70a783

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HS09yK1.exe
        Filesize

        896KB

        MD5

        31dc50bb7773755a0b527415d04064f2

        SHA1

        ec2d24de207ce4f31bac02db633e1fa308173c58

        SHA256

        b59deefdc1962e108c7c124acab2bd04c57436e09ddeaa67d521a5403c10d2c3

        SHA512

        333d6e21de76a52b0e7a8e8609bc444ef02b714ba4bf66786485796a24b4fefbd9ce4251d4c5417a2df4f7fc8b46b2333536142d305c4d3a63bbdeb6c25695e7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qx7524.exe
        Filesize

        1.1MB

        MD5

        f700c1c447ebe41f7dfe00c07b83a69f

        SHA1

        07db680b38caad373f2efb450c192d8c07608c33

        SHA256

        88ebf69d8a4556deace22f3fead855c006531b29cb28bcaf5b54cc191e3a4a28

        SHA512

        3b268de7042b3250352cd0a050f80f57d78c72f12f70c8aa6f76ccc7a66e7b2d0e16d7f7a2db3ee7a89115203dddec142c74880d1b8f580ddeb2a96f2cf34076

        Download Submit

      • memory/1480-24-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/1480-26-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/3772-14-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3800-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3800-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3800-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download