Overview

overview

10

Static

static

3

0bbde9df88...20.exe

windows10-2004-x64

10

14381f89f8...62.exe

windows10-2004-x64

10

1c09c6faad...a0.exe

windows7-x64

3

1c09c6faad...a0.exe

windows10-2004-x64

10

1c8308039a...16.exe

windows7-x64

3

1c8308039a...16.exe

windows10-2004-x64

10

1fe4c883d2...6d.exe

windows10-2004-x64

10

234b8aa959...d8.exe

windows10-2004-x64

10

410e72302d...e8.exe

windows7-x64

3

410e72302d...e8.exe

windows10-2004-x64

10

4431aa7413...8c.exe

windows7-x64

3

4431aa7413...8c.exe

windows10-2004-x64

10

68f997d58c...e5.exe

windows10-2004-x64

10

812ce70322...27.exe

windows10-2004-x64

10

88a3f8285d...ab.exe

windows10-2004-x64

10

90fdeaf3f0...a8.exe

windows7-x64

3

90fdeaf3f0...a8.exe

windows10-2004-x64

10

9d92aedf9d...9d.exe

windows7-x64

3

9d92aedf9d...9d.exe

windows10-2004-x64

10

9ff2fb6bb8...32.exe

windows10-2004-x64

10

ac4e2e3d9d...dd.exe

windows7-x64

3

ac4e2e3d9d...dd.exe

windows10-2004-x64

10

b62483116d...b6.exe

windows10-2004-x64

10

c901122f00...70.exe

windows10-2004-x64

10

cfda8adb75...7f.exe

windows10-2004-x64

10

dfe8591c80...49.exe

windows10-2004-x64

10

f5659ff4e2...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562.exe

  • Size

    653KB

  • MD5

    0bbb9c4f3aec16c989bc0ae674f2fdd7

  • SHA1

    f4cb9ea6f447375dbb447888aae37951bd45437c

  • SHA256

    14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562

  • SHA512

    b6569ab53a12d66f9e80c9e1b41856037bd5f3f0bc3b8dc03329f62e4927e92c5793fa8bab3bb0a8f77a802f29dee68d5d1ee578129e9d60904fe5a47de09344

  • SSDEEP

    12288:IMr2y90xBxqhIcmgPpOfTqogw/8s0lw8TRGXDJHN1fEuWD:eym8PcXcTRGzREuWD

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562.exe
    "C:\Users\Admin\AppData\Local\Temp\14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bz4yx42.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bz4yx42.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rV67Gq5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rV67Gq5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1492
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qw6973.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qw6973.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3200
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:764
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Sg93wL.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Sg93wL.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:1600

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Sg93wL.exe
      Filesize

      31KB

      MD5

      304540fc7e2a119c2afa14406b7a2868

      SHA1

      f621a995e534cfb37da63ade9b0f330da2da066d

      SHA256

      840c9ec18affe5b5bc404e0093066f084fbff11ea054e68c4d2807817e13781a

      SHA512

      e73624c589acb009a7f89beed1a7cc84f84ad089227584ac0960a03327f316d4b7a6a96ba7de75d257b78a76055147d3f9e9ef01e4b88b9956802e937177ff50

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bz4yx42.exe
      Filesize

      529KB

      MD5

      0f47739e06646de86f5701c8de1bc7db

      SHA1

      f781ea9ae9b73b77952ac19a134a57b2c6a4f9ab

      SHA256

      f19f0b5be0f85e44b1960ae183395d15448081027e8e978758a98092a1d6d422

      SHA512

      a37aa0a6cb96e0ec0d0a84b7e2896e2b986d78d9eb1e416b0dccfeb300d322b26e401483f28c22a46cf2762db8a64f70f18e92d273d0880aadf3e1eb5ec312dd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rV67Gq5.exe
      Filesize

      869KB

      MD5

      0c8222341ec3010e03d74d8981c73549

      SHA1

      f5d600f1db05a7bbfe39f3680aa77cbb5455d18c

      SHA256

      42f4a709b4ce2c67b9b5d4dac61bae1a36cb75b4d4886df2b10f5ac141c5b973

      SHA512

      5c06ba4513700e67c5d52f55cfa22cd26beaaef757e915b931c4c39fac0613a8e4a7a92b6fdfc50c7bb8367391a4359f318e7756cd606341628436363c3c59ca

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qw6973.exe
      Filesize

      1.0MB

      MD5

      ffcc23e85272b43f209a8800b46d317e

      SHA1

      57bfc03a3a8578d58c9ab1d0ea10470d54262233

      SHA256

      a5351a58357f4c9ed0e2e25066f32b2f3bbc69fb84b2e2c8ab12b695b0b7cec9

      SHA512

      5477ba219f1282cf017782a47ff6d31ead3f165b26b44abcc45debe8ad120926a65785c72ec45ba86e8a6696001eca393ed521f1b60648b1881fb4b7a91d7848

      Download Submit
    • memory/764-18-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/764-21-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/764-19-0x0000000000400000-0x0000000000434000-memory.dmp
      Filesize

      208KB

      Download
    • memory/1492-14-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1600-25-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1600-26-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

      Download