Overview

overview

10

Static

static

3

0d301494f1...b9.exe

windows10-2004-x64

10

17123cde24...76.exe

windows10-2004-x64

10

3513e5a1be...0b.exe

windows10-2004-x64

10

3548eb3ee0...c3.exe

windows10-2004-x64

10

37bb007e1a...b5.exe

windows10-2004-x64

10

3b8019115c...d8.exe

windows10-2004-x64

10

3ba16fdd2a...8a.exe

windows10-2004-x64

10

3c47d4d72a...e8.exe

windows10-2004-x64

10

5598d9028e...fd.exe

windows7-x64

10

5598d9028e...fd.exe

windows10-2004-x64

10

5d95f47641...f4.exe

windows10-2004-x64

10

61d857a524...a5.exe

windows10-2004-x64

10

64f004d4a2...36.exe

windows10-2004-x64

10

7787b07a17...49.exe

windows10-2004-x64

10

7cc3996906...7e.exe

windows10-2004-x64

10

825d0619a8...ce.exe

windows10-2004-x64

10

9e6f3fd3f7...c2.exe

windows10-2004-x64

10

a49c96afc3...92.exe

windows10-2004-x64

10

e2945d600c...9e.exe

windows10-2004-x64

10

eb8cedd00b...3b.exe

windows10-2004-x64

10

f9bdee7f3d...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 11:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8.exe

  • Size

    696KB

  • MD5

    27879b73babd965386e6ea971cd0c265

  • SHA1

    af275d236ac0898858ae954208d4731e10e6cc0c

  • SHA256

    3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8

  • SHA512

    2c885e48b4c553cc50d7f917dc54e9fbd8ee3cdd8c1f30bbce4c5af0a07e5e96d03e28aee3143b6dc6b28950ed03222d7fcb7dc5c1893eaaea6039103881e8b3

  • SSDEEP

    12288:bMrjy9099lSqc8ni531abDD7za10HlrdMvY112w7JQcVIfGQWsCDDm:Uyg9Iq3i53g40Hvus7mcVIvfCPm

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8.exe
    "C:\Users\Admin\AppData\Local\Temp\3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MG5EG62.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MG5EG62.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rp24xV4.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rp24xV4.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2936
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2OW1017.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2OW1017.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:8
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3304
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 596
            4⤵
            • Program crash
            PID:60
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3gG70Mz.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3gG70Mz.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:540
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            3⤵
            • Checks SCSI registry key(s)
            PID:2708
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 560
            3⤵
            • Program crash
            PID:2744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 8 -ip 8
        1⤵
          PID:3828
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1748 -ip 1748
          1⤵
            PID:4364

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3gG70Mz.exe
            Filesize

            268KB

            MD5

            f09b788bfb242f8edcb4b4ab2bd0275a

            SHA1

            71b2273479460cbda9d08073d0b116935d2c6813

            SHA256

            f291d8694f3198b824474d57a18792218a5d622f2f59370efe6679563db87521

            SHA512

            709bdc1a303159b27f7e7fa793d1c78f3d6223b5a3ba2c03cbea36eafc1bd0e2edc1bd19e61f7ed5ca53a1ab5018d7c171fc9c3c4ff67b02b4087a07cfd5dda6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MG5EG62.exe
            Filesize

            452KB

            MD5

            0b47b99adb36648c75e59ea8edfe887c

            SHA1

            d9aad265309203b60b9454afac83be056c85d250

            SHA256

            b9c8f23484482dffa45efb6de348db3196b8404ce69a21743a8eb0f44e6da8a0

            SHA512

            f69a3fda19148fac783cb297cd14d8f405b16d44c4aeff6afbd5939981ac7fd521f7d6825ce0a470a37cc7f63024678090b5c8a02f698a61883be87fa9cf4221

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rp24xV4.exe
            Filesize

            192KB

            MD5

            8904f85abd522c7d0cb5789d9583ccff

            SHA1

            5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

            SHA256

            7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

            SHA512

            04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2OW1017.exe
            Filesize

            378KB

            MD5

            f0831f173733de08511f3a0739f278a6

            SHA1

            06dc809d653c5d2c97386084ae13b50a73eb5b60

            SHA256

            8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

            SHA512

            19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

            Download Submit

          • memory/2708-61-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/2936-37-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-29-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-19-0x0000000073C40000-0x00000000743F0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2936-41-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-47-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-45-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-43-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-48-0x0000000073C40000-0x00000000743F0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2936-39-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-17-0x0000000004C30000-0x00000000051D4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2936-35-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-33-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-31-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-18-0x0000000002680000-0x000000000269C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2936-27-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-25-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-23-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-21-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-20-0x0000000002680000-0x0000000002696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2936-50-0x0000000073C40000-0x00000000743F0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2936-16-0x0000000073C40000-0x00000000743F0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2936-14-0x0000000073C4E000-0x0000000073C4F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2936-15-0x0000000002500000-0x000000000251E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/3304-57-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/3304-55-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/3304-54-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download