Analysis

  • max time kernel
    128s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/05/2024, 09:42

General

  • Target

    426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe

  • Size

    652KB

  • MD5

    a8b9734365073ce340b1123741d71abd

  • SHA1

    ba40a124883de4244aa8c1c389e94ddb9fddead6

  • SHA256

    426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18

  • SHA512

    0f34f2c85ea88f4a6b440889df26087036a8802d8ea04ba3a5a1ec3db4745007806778aa24a1b45bb2db1902b841fd35099081b55daa9576d2b79e5636eaa76a

  • SSDEEP

    12288:8Mrcy9031jOhVjzy5AfppTmgmbdSqEfEFoGeKaHsUPkiD:AysWVfySppTmgcjqftrPkiD

Malware Config

Signatures

  • Detect Mystic stealer payload (3 IoCs)
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe
    "C:\Users\Admin\AppData\Local\Temp\426e1b8066ed7b417a0887d9af5ab1436b8302f01a33910c8c64da68d5b06c18.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fo4qa29.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fo4qa29.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HG66Ze2.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HG66Ze2.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4500
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qj8314.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qj8314.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:4532
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QC27mb.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QC27mb.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:3400

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QC27mb.exe

      Filesize

      31KB

      MD5

      61b6b786efacea6912a815b7692dac72

      SHA1

      5a864261a958ba9355d0fa20741e149f70a7918d

      SHA256

      99f45274606fe0acdf6c4bddbe53bdb8a3fd4a329bea222426e0a1547a8ff61d

      SHA512

      164e3de7001b6a7c8cfe1694cc7d3fbf43e69a9d6bf31c30b411acf22bfb98e00dd8491eba9a754172069fc2edd0be59ea39ce489ebe6553f11ef07bcb6c5f3e

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fo4qa29.exe

      Filesize

      528KB

      MD5

      f96632ad5ee676201c55b0218382157e

      SHA1

      2f57c77ea32769b52924056899028fbfb5aa4a12

      SHA256

      753e3b49d354b22afb771940598e5a459d157140c496fff1874e978755ff0325

      SHA512

      0dc9730fb1210a5cbfcd435f6a6a50d5920f6d8c9ef128919b5d53192ff5ae86a054c208bb248c2cb72caa64dd5ea853cc7429bf3dbaa06259f97f0699187a11

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HG66Ze2.exe

      Filesize

      869KB

      MD5

      90a7fb448ebb8f342918c8650dd05df5

      SHA1

      d0bcec2d5576a34be3f4c0fd5f0bcdfdb94a29d5

      SHA256

      3701b6e633b701ec911cb1ba0cc786e848a4a35d062355edfa5799a3548ce78d

      SHA512

      c5e7a143fe61af01681a4b1cd5930f72dff03b88727252f655224c07619fc397be57a5662d65a2a4c46f6edd9561e84433823201b7d0478b184b4ccf8ed799c5

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qj8314.exe

      Filesize

      1.0MB

      MD5

      7325f35f9a59903a210a5c41c2c74e67

      SHA1

      25ed8bda08cb3b91633641f6bab9e1e73b3460b9

      SHA256

      98891268879a8e945effc53f4d65e4d9b623d2088b2fc2b34676ebffe039d7bf

      SHA512

      c73dc673eaba673f542689e21b9811c36f13ec84cf7a4690d89b79a6a7102c4e281e6b2b45153f83ae9b23a8b0177d6d0868fc37d21ac14a2402aa3eed29acfb

    • memory/3400-24-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/3400-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/4500-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/4532-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4532-21-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4532-19-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB