Overview

overview

10

Static

static

3

0e5866c048...02.exe

windows10-2004-x64

10

168a3cbbca...f6.exe

windows10-2004-x64

10

23530bfa27...e2.exe

windows10-2004-x64

10

25974ec913...91.exe

windows10-2004-x64

10

29e8eb905d...57.exe

windows10-2004-x64

10

2ff2598373...ce.exe

windows10-2004-x64

10

30a7bebd46...c4.exe

windows10-2004-x64

10

36848c0be9...d8.exe

windows10-2004-x64

10

369e096918...34.exe

windows10-2004-x64

10

397f0bf375...c6.exe

windows10-2004-x64

10

3a437fa895...c1.exe

windows10-2004-x64

10

3f23e445a9...39.exe

windows10-2004-x64

10

44dedbcb8a...5f.exe

windows10-2004-x64

10

6aec122dba...ee.exe

windows10-2004-x64

10

b0d3a36603...55.exe

windows10-2004-x64

10

b4f17a4609...a2.exe

windows10-2004-x64

10

d2d831c046...51.exe

windows10-2004-x64

10

da40ec1cf9...48.exe

windows10-2004-x64

10

e7a2b48b9e...75.exe

windows10-2004-x64

10

f07691246e...f6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2024, 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    397f0bf37598f6fd4fd6a8933cfdbaebedc80de5b8929b28899fdcf9b7ba0cc6.exe

  • Size

    655KB

  • MD5

    4e466ef961838d0961fab3f7211bfc4b

  • SHA1

    627306e28905086a367de959e57aea8ea082795a

  • SHA256

    397f0bf37598f6fd4fd6a8933cfdbaebedc80de5b8929b28899fdcf9b7ba0cc6

  • SHA512

    0c8264f1a82c1e0ad797a66359b08763d86f484c22c4bb1fa6420fbc75cb436d7a1ae64a4e91ab7d5e6fde5eac84710747801965b936ab46aa37f6f576e256d1

  • SSDEEP

    12288:8MrPy90pUrpJJTLnIGBW82SCvM5/JT+LvZNxgfEg7iBcl:zyuUlJt7IGfHCohCLvZEfP7iOl

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\397f0bf37598f6fd4fd6a8933cfdbaebedc80de5b8929b28899fdcf9b7ba0cc6.exe
    "C:\Users\Admin\AppData\Local\Temp\397f0bf37598f6fd4fd6a8933cfdbaebedc80de5b8929b28899fdcf9b7ba0cc6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SC3pL44.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SC3pL44.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE68mB1.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE68mB1.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3168
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4884
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:412
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Cg0011.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Cg0011.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:4500
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3yO23mc.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3yO23mc.exe
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:3432

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3yO23mc.exe
        Filesize

        31KB

        MD5

        44fd299487f09107b4e009a42b98d8aa

        SHA1

        5e831ceb9e21b652d1f56ef77a80c34b0ff74cd0

        SHA256

        93cf1ed1444da30c35f3e9af1aea4e75acb1259e560822e32680952727860cbc

        SHA512

        3b7dd3fd4c2d2024e982695042046e8c8bff1d9cf7715386a284b655b88b283169b96ea705def962a047d97371e0a3bda427f11a636496346b991fee5e97b2a3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SC3pL44.exe
        Filesize

        532KB

        MD5

        fbaa3185655a147f0cd024354b272ec0

        SHA1

        8aebc5d758d6f818a674df6d44d29e47f541bf65

        SHA256

        a23e3b42d546e45e59a6cfc293d624ff748c13c36ef8145845cac1aff4769c79

        SHA512

        c3bda75204b9b67ebf69b947321d84cadc205e7ef67e8da55f3992abbf97b0cf3d7833272ad9f0a7f16177ace35107bcf681a5e0c8abbdb269cbbff6dd77db46

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FE68mB1.exe
        Filesize

        920KB

        MD5

        9a3229b01ab7372b3a38339e57674b02

        SHA1

        692fba7ec819a098b8600b094525e7246b6dab2b

        SHA256

        b38decea83a43354c4fa7ef866845ecd08c6e812749d62f6732e91577e87e522

        SHA512

        9a6b5d9bc9d1eab2f4cc658721aaf39207026d800da1b794a888aed81a44d9fb56a8edeb92683e6d25e1274365d2a348da3e6f2570f6d083bd37653124c200b4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Cg0011.exe
        Filesize

        1.1MB

        MD5

        a9c962be3482e5d88da474d79d08d4ae

        SHA1

        66ae36818323b19b1194a103d3a0b0c35567f745

        SHA256

        7842b844b072e80f8387301e2748992e2ab5fe08a7bed99d4e8b283ca190f519

        SHA512

        6b6e90217aaa3e2af357668eae20aea68ea1742af41672542d1216f30b189d397ac02b88980f6a4ed890360b12da717481238c49636ba8743c38a8fc5ea33156

        Download Submit

      • memory/412-14-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3432-25-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/3432-26-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4500-18-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/4500-20-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/4500-21-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download