Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 10:23

General

  • Target

    cfda8adb7597e205b205c916dd913856ad96e83acc3a76ec0ca6f85b8cb33c7f.exe

  • Size

    668KB

  • MD5

    4cd9f4a51d4222f674cc44432ae8509c

  • SHA1

    bf4548f30db9b5eac81fce9e0d693f7bc5b484ac

  • SHA256

    cfda8adb7597e205b205c916dd913856ad96e83acc3a76ec0ca6f85b8cb33c7f

  • SHA512

    e36834e17fda3fbe45ca15b149b35940f7719dc10d7406d24e06be35ffe4c0613742eafb4f61d6120aff8d128d9fd5a759cf41ec5655e3508a47b0e4f4e4516f

  • SSDEEP

    12288:nMrty90KXqjPUic360qc6NxeFLAYjiSs06d+JcSeCg8ammGlVoOb11:iyd4Mqdc886jd+Hg8aU/L1

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfda8adb7597e205b205c916dd913856ad96e83acc3a76ec0ca6f85b8cb33c7f.exe
    "C:\Users\Admin\AppData\Local\Temp\cfda8adb7597e205b205c916dd913856ad96e83acc3a76ec0ca6f85b8cb33c7f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wr7xo92.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wr7xo92.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ve71NP8.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ve71NP8.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4988
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2880
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ek8667.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ek8667.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3968
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:1552
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ev01rY.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ev01rY.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:4556

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ev01rY.exe

      Filesize

      31KB

      MD5

      9851cb7792be9fa6987f032602301246

      SHA1

      66f850d255aaec219836862dbe7f0aa20d2639f3

      SHA256

      fd678b0bb19973e0652b0b3b2176e61396842cf919f3c92f280014fd5d1bc816

      SHA512

      fd62e805c27ad3ffa7e145b1151e0bf395764ef80c56ac0d03e447264f3a6f1f4cce5a9b5c8b99d02589486b62e29d888f27af640097bd65f0e339c778108d81

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wr7xo92.exe

      Filesize

      544KB

      MD5

      8585d0e4352299c99876cfef8b414070

      SHA1

      dca00d76457ce03461a14b22d01ef707bb0fc1d7

      SHA256

      dfc623ffda35bad99869f0655b9e7d7b874416554e2d47692a871318ed0c19b4

      SHA512

      e2f898dffc89c0da49194d2547c9f57b980b26a4f66f9ec07aaad1ce1787225e57843cd9c216614eab8e15ee0b1f2123b76905067522899fadb6bc19135d9c97

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ve71NP8.exe

      Filesize

      933KB

      MD5

      f6a8a247bfe4b1fd68989a8b511540e0

      SHA1

      8703abc93f079277c5fd3f42c599f1c9662edf35

      SHA256

      d7d74dbfbf20858d5bab1651ee0ed2a7003a2307be96b924a99a06a0206f69a6

      SHA512

      9ce17b86d9b67a117cdcccf0246a1f642764eb2202beb1aacd53275a651f630424d944fb41ad0cdd98d5c6133a6451b75e7a0e296e70e93cc744f8497747f545

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ek8667.exe

      Filesize

      1.1MB

      MD5

      7f27e3beca6f4d5ddb633fc7f14ba9b3

      SHA1

      f0724dd591dbbb68911325037df5585687fd199e

      SHA256

      c05c6c42c65f0a82b57c76f35ce2400f494076b239fe86f472de9fca75799151

      SHA512

      556c26c91a1cbaf267ae56278122ef6466d471d440b657c5221f13c256d398370569b2141041dc67e3faa0c0af6a8d63d551fa4032fa5685f3e3d56ef02fec34

    • memory/1552-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1552-19-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/1552-21-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2880-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/4556-24-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/4556-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB