Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/05/2024, 10:08

General

  • Target

    da40ec1cf90ce4636876a76bd250b12ca3df8f973c3aa4752203ce19ac39a548.exe

  • Size

    645KB

  • MD5

    ff0a44771f8c71eb1e1133bad5a063f6

  • SHA1

    aa94caffc849a8fc2d13a15dfee2dc9ac8ee3ea8

  • SHA256

    da40ec1cf90ce4636876a76bd250b12ca3df8f973c3aa4752203ce19ac39a548

  • SHA512

    f4bf9a3d722328734efb3f3ea94661141ba0f1ad0b8b0e7977d63bd7f26a5ffff32213ec4608d9d9d8fdfb1d11a65dfaac2452ce7b505a8f4b36cbfa5620e211

  • SSDEEP

    12288:CMrcy90K25kbg2PhnAnD7I+YOTHcd+WIngk9svUzXYY50zpgR4:qyq21AnCOTH5WzMXYu0u+

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da40ec1cf90ce4636876a76bd250b12ca3df8f973c3aa4752203ce19ac39a548.exe
    "C:\Users\Admin\AppData\Local\Temp\da40ec1cf90ce4636876a76bd250b12ca3df8f973c3aa4752203ce19ac39a548.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB5bo16.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB5bo16.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zs95Ir0.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zs95Ir0.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:428
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Zr8880.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Zr8880.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:4624
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3su11BW.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3su11BW.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:3784

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3su11BW.exe

      Filesize

      30KB

      MD5

      fd912d5ab836700e1c976f2b73449722

      SHA1

      8796019546e053241cc6d10830bb125d0c4f5d44

      SHA256

      a44ac33c31320a1ff3546d70874df17d7d5553e66032e364b0f39e2ec5cce351

      SHA512

      14af0670cab5f56e34a1c01bfa8566d6c35a882a9640deda3b9fc7987b305ff796f5aacef766604e35fdf8c20cb050b8dc7c3cf1358bc43d683584a2059d1720

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pB5bo16.exe

      Filesize

      521KB

      MD5

      eb394a7cf244711b5847f834612b5a96

      SHA1

      7f3d45f59cc16ca50710ee67db7d28d9752e462b

      SHA256

      7c31ec2e5cd94537ce5be8a8cbb2679d8bddd3dbdeb28e78c038c3c2e6c5811e

      SHA512

      6a23e392388b10fc8a0182000024964f7029dff346fb8ad93795526a53ac3c72842ea8ab5950d0738aa52438731c1f4a1edc4e864c41d74157eb7d9eb1936409

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zs95Ir0.exe

      Filesize

      878KB

      MD5

      4f9fb77f53f7c0c809b26a7b5110a04a

      SHA1

      6995fa732bd77f79d18a88bd85adb4d2cfc90290

      SHA256

      9f69e58fb7a580110432af938cc6a780f380ea20cd1079fde12c6421c3441be0

      SHA512

      ae28ac715125f9870fdc88be6537df84ebe6bfacccdb8faff039a8d669911e3c9b05f25a7dfbf532fe00d3bcf0354630dc6fba5ed4d990cd0a8abcc9bd878ea6

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Zr8880.exe

      Filesize

      1.1MB

      MD5

      90b8a56ae2d1d120eeb356c6d27dc52c

      SHA1

      aa2314e5f8d427e3ed57f3caad7b17749bcc2acd

      SHA256

      8f8b7a5de111412d340245013f3032e824ab5b542bda88202232aec941a220ad

      SHA512

      a1e35824cb15a001c53117da8b6bfdfe8f06283f6d8539b0112d4f59598f7ce40190946933fcd6567267d730e410852a5d4cbe266d089b618ff249aebdc66e80

    • memory/428-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/3784-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/3784-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/4624-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4624-21-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4624-19-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB