Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 09:42

General

  • Target

    1bd70f5afcc29724401d52710f012058d999560c75bde3fd609f66ffc0bd9720.exe

  • Size

    655KB

  • MD5

    9e3b491b79a3f531499f4c5b9c6e4181

  • SHA1

    e4af677226d01e5bf1a05cb8e06599ebac84d82e

  • SHA256

    1bd70f5afcc29724401d52710f012058d999560c75bde3fd609f66ffc0bd9720

  • SHA512

    99ed75c1d7731e032ce4f7c85df8946d2830f00004d079763fd96da5a443dca4cf9219df1889a550c4cc1fc630916309601507da5dc44e7189a19291f7237275

  • SSDEEP

    12288:OMrHy90Ur0MAYbIdHpBhA+sZlVmzWVvExD4ipCDU0pjFTW:Jy/r9AY0hp/BYlQg9D3dpW

Malware Config

Signatures

  • Detect Mystic stealer payload (3 IoCs)
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    The SCSI device identifiers under HKLM\HARDWARE\DEVICEMAP\Scsi are often read to detect sandboxed or virtualised environments, because the emulated disk's name usually carries the hypervisor vendor (VBOX, VMware, QEMU).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (30 IoCs)
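
The SCSI check flagged above (performed here by 3EF28kI.exe, PID 1924) can be reproduced to see what the sample is looking for. The following is an added example, not code from the report or from the sample: the string-matching logic is pure Python and runs anywhere, while the live registry walk uses the standard winreg module and is skipped on non-Windows hosts. The VM_MARKERS list and the two sample identifier sets are constructed for illustration.

```python
"""Reproduce the SCSI registry sandbox check (HKLM\\HARDWARE\\DEVICEMAP\\Scsi).

Added example; not the sample's code. Marker list and sample identifiers are
constructed for illustration.
"""
from typing import Iterable, List, Tuple

# Hypervisor vendor strings commonly present in a virtual disk's SCSI
# 'Identifier' value. Assumed list; real families carry their own.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

# Root key walked by the technique: HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port N\
#   Scsi Bus N\Target Id N\Logical Unit Id N\Identifier
SCSI_ROOT = r"HARDWARE\DEVICEMAP\Scsi"


def looks_virtual(identifier: str) -> bool:
    """True if one SCSI Identifier string names a known hypervisor disk."""
    upper = identifier.upper()
    return any(marker in upper for marker in VM_MARKERS)


def classify(identifiers: Iterable[str]) -> Tuple[bool, List[str]]:
    """Return (sandbox_suspected, matching_identifiers) over every LUN found."""
    hits = [ident for ident in identifiers if looks_virtual(ident)]
    return (bool(hits), hits)


def read_scsi_identifiers() -> List[str]:
    """Walk HKLM\\HARDWARE\\DEVICEMAP\\Scsi and collect every 'Identifier' value.

    Returns an empty list on non-Windows hosts so the module imports cleanly.
    """
    try:
        import winreg
    except ImportError:
        return []

    found: List[str] = []

    def walk(key) -> None:
        try:
            value, _ = winreg.QueryValueEx(key, "Identifier")
            found.append(str(value))
        except OSError:
            pass  # this level carries no Identifier value
        index = 0
        while True:
            try:
                name = winreg.EnumKey(key, index)
            except OSError:
                break  # no more subkeys
            with winreg.OpenKey(key, name) as sub:
                walk(sub)
            index += 1

    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ROOT) as root:
            walk(root)
    except OSError:
        pass  # key absent, e.g. no SCSI-class disks enumerated
    return found


# Constructed samples: what the walk might return on a VirtualBox guest
# versus a physical workstation with a SATA SSD.
SAMPLE_VM = ["VBOX HARDDISK", "VBOX CD-ROM"]
SAMPLE_PHYSICAL = ["Samsung SSD 870 EVO 1TB"]

if __name__ == "__main__":
    cases = (("vm-sample", SAMPLE_VM),
             ("physical-sample", SAMPLE_PHYSICAL),
             ("this-host", read_scsi_identifiers()))
    for label, idents in cases:
        suspected, hits = classify(idents)
        print(f"{label}: sandbox_suspected={suspected} hits={hits}")
```

Two practical consequences: an analysis VM that keeps the stock emulated disk name will fail this check and the sample will likely exit before unpacking, so sandbox operators rename the emulated disk so the identifier no longer contains the vendor string; and on the detection side, a freshly dropped binary from %TEMP% opening HKLM\HARDWARE\DEVICEMAP\Scsi is itself a usable telemetry signal.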

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bd70f5afcc29724401d52710f012058d999560c75bde3fd609f66ffc0bd9720.exe
    "C:\Users\Admin\AppData\Local\Temp\1bd70f5afcc29724401d52710f012058d999560c75bde3fd609f66ffc0bd9720.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JX0PL95.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JX0PL95.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1lw48nR0.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1lw48nR0.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5096
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2668
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Qv1983.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Qv1983.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:3912
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3EF28kI.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3EF28kI.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:1924

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3EF28kI.exe

      Filesize

      30KB

      MD5

      86f62a1fd6fd95f4d0e2262307d3d9a9

      SHA1

      0c59e7ae611f226dce5988f23a74aa31529c524a

      SHA256

      7a54070f8e30df9edd70154d32fc8e5997dce5e1802d75e86c22daabe2a87d52

      SHA512

      638f1f82f1e9a8d92eb64afe6d190e2652bc6e8bd890a179e3c0fdb38bfaeb6644a1050bb5f99e3825ae3911cd7d3f06280aade3e28cd3ee949a44137b786db3

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JX0PL95.exe

      Filesize

      531KB

      MD5

      dddbf2ebcb633582ee6400dd36b16bc0

      SHA1

      d2b2b3ba8c39bdd8dfa3041cdb0d7d9d57549ffe

      SHA256

      e35e6bdfa682b576316a16000c194ac3a7856192342fc40d70773a06daee77ad

      SHA512

      165977675dcbe20b9a650473106fb27195620c65633fddf01d938ceaba1605a0fe876d491ac1c07b4d7f3f05827b9a04a41f50d4bc304a3f0d20b3c3f844819f

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1lw48nR0.exe

      Filesize

      886KB

      MD5

      c45eb38302380e03ba02613950e5c420

      SHA1

      2abe960a779f5c5872add598fb335a10df509a14

      SHA256

      245670631da5614bfa5a92db4fa6d89635afaa10086e73dc61c58ac72877a97f

      SHA512

      938d01e9f1af55f2ad062688003d8528032df6652b28350a7ef8eaea5a99d3366a88b08dae7df112c464797a213b9bd77f530820f8663e35076403562251723d

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Qv1983.exe

      Filesize

      1.1MB

      MD5

      0c0ee01ac2b670b435d716e940e01844

      SHA1

      ffffe6ee4dece8a91a8467c50c7805c2e5a7fbb4

      SHA256

      d27fd39ff22830da319a54bad938bcccbc62e5a71cd07e3deb297e5a2673b613

      SHA512

      62ab2c20722f17e0c1d09e323973d9d434de6c711930325e7a0ddcb949531074e4ced1223b9379f866c200f0eb00b40836b98dc95acafb06955f0d7a80d7f8ba

    • memory/1924-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/1924-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/2668-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/3912-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3912-20-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/3912-21-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB
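
The process tree and the memory dumps above can be read together: the IXP000.TMP and IXP001.TMP directories are the working folders IExpress self-extracting packages create, so the chain is two layers of SFX wrapper, and each dropped EXE in IXP001.TMP that is flagged with SetThreadContext and WriteProcessMemory spawns a C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe child, which is the classic process-hollowing pattern; the dumps at 0x400000 inside those AppLaunch.exe processes are the carve targets. The script below is an added example, not tooling from the report or the sandbox: PROCS and DUMPS are transcribed from the sections above, the flag names are shortened from the report's signature labels, and the rule itself (dropped EXE from %TEMP% using SetThreadContext and WriteProcessMemory on a child that is a Microsoft host binary) is an analyst heuristic, not a verdict the report states.

```python
"""Triage this report's process tree for process-hollowing chains and pair
each hollowed host with the memory region the sandbox dumped.

Added example. PROCS and DUMPS are transcribed from the report; the rule is
an analyst heuristic (assumption), not something the report asserts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"


@dataclass(frozen=True)
class Proc:
    pid: int
    parent: Optional[int]
    image: str
    flags: frozenset


# Flag names shortened from the report's signature labels.
PROCS: List[Proc] = [
    Proc(2712, None, TEMP + r"\1bd70f5afcc29724401d52710f012058d999560c75bde3fd609f66ffc0bd9720.exe",
         frozenset({"RunKey", "WriteProcessMemory"})),
    Proc(2408, 2712, TEMP + r"\IXP000.TMP\JX0PL95.exe",
         frozenset({"DroppedEXE", "RunKey", "WriteProcessMemory"})),
    Proc(5096, 2408, TEMP + r"\IXP001.TMP\1lw48nR0.exe",
         frozenset({"DroppedEXE", "SetThreadContext", "WriteProcessMemory"})),
    Proc(2668, 5096, NET + r"\AppLaunch.exe",
         frozenset({"DefenderRTP", "EnumeratesProcesses", "AdjustPrivilegeToken"})),
    Proc(1868, 2408, TEMP + r"\IXP001.TMP\2Qv1983.exe",
         frozenset({"DroppedEXE", "SetThreadContext", "WriteProcessMemory"})),
    Proc(3912, 1868, NET + r"\AppLaunch.exe", frozenset()),
    Proc(1924, 2712, TEMP + r"\IXP000.TMP\3EF28kI.exe",
         frozenset({"DroppedEXE", "ChecksSCSI"})),
]

# (pid, start, end) of the memory/*.dmp entries, duplicate dumps collapsed.
DUMPS: List[Tuple[int, int, int]] = [
    (1924, 0x400000, 0x409000),
    (2668, 0x400000, 0x40A000),
    (3912, 0x400000, 0x434000),
]

# Host binaries commonly hollowed. Only the one seen in this report is
# listed; extend for your environment (assumption).
HOST_IMAGES = {"applaunch.exe"}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (os.path is host-specific)."""
    return path.rsplit("\\", 1)[-1].lower()


def hollowing_candidates(procs: List[Proc]) -> List[Tuple[int, int]]:
    """Return (injector_pid, host_pid) pairs that match the heuristic."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    pairs: List[Tuple[int, int]] = []
    for child in procs:
        if child.parent is None or basename(child.image) not in HOST_IMAGES:
            continue
        parent = by_pid.get(child.parent)
        if parent is None:
            continue
        injects = {"SetThreadContext", "WriteProcessMemory"} <= parent.flags
        from_temp = parent.image.lower().startswith(TEMP.lower())
        if injects and from_temp:
            pairs.append((parent.pid, child.pid))
    return pairs


def payload_regions(pairs: List[Tuple[int, int]],
                    dumps: List[Tuple[int, int, int]]) -> Dict[int, Tuple[int, int, int]]:
    """Map each hollowed host pid to (start, end, size) of its dumped region.

    In a hollowed host the region at the image base is the replaced image,
    so the dump there is the unpacked payload to carve and hash.
    """
    hosts = {host for _, host in pairs}
    return {pid: (start, end, end - start)
            for pid, start, end in dumps if pid in hosts}


if __name__ == "__main__":
    pairs = hollowing_candidates(PROCS)
    regions = payload_regions(pairs, DUMPS)
    for injector, host in pairs:
        start, end, size = regions[host]
        print(f"{injector} -> {host} AppLaunch.exe: payload {start:#x}-{end:#x} ({size // 1024} KB)")
```

Run stand-alone it reports 5096 -> 2668 (40 KB region) and 1868 -> 3912 (208 KB region); the 1924 dump is excluded because 3EF28kI.exe runs in its own process and is the SCSI-check module rather than a hollowed host. The two AppLaunch.exe regions differ in size, which is consistent with the two injectors carrying different payloads, and only PID 2668 shows the Defender tampering and process-enumeration behaviour, so it is the one to unpack first.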