
Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/05/2024, 10:23

General

  • Target

    1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe

  • Size

    657KB

  • MD5

    e5378c7aa769f854c35881601795a469

  • SHA1

    432909c18905de39981e27c964001c5b4a6cffdf

  • SHA256

    1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d

  • SHA512

    b7139f53ba8edd52293f4c6c0bf8920a67cbe9ab0288d7d651c44174a91d6a303966690471790e1db8a392540fa6b17a63533355ed7ebf7c48252632638d4019

  • SSDEEP

    12288:JMr4y90+oZ51RZwEqDEd5lrMeAj5RWQRYJ7w6orKSKLzaRUT:Ryy5bnqYdrMH7WQj6on2aRUT

Malware Config

Signatures

  • Detect Mystic stealer payload (3 IoCs)
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI disk identifiers in the registry are often read to detect virtualised sandbox environments, since they typically name the hypervisor's virtual disk.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe
    "C:\Users\Admin\AppData\Local\Temp\1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms6Zu56.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms6Zu56.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LJ98sP4.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LJ98sP4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4880
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2fC2723.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2fC2723.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:2328
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3MR16TH.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3MR16TH.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:1852
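    The signatures and the process tree above describe three behaviours a defender can key on: a Run key written by a binary executing out of the user's Temp directory, a Windows Defender real-time protection policy value being set, and AppLaunch.exe (the .NET launcher) being spawned by a dropped executable that then uses SetThreadContext and WriteProcessMemory on it, the usual shape of process hollowing. The IXP000.TMP / IXP001.TMP directories are the extraction folders of IExpress (wextract) self-extracting packages, which is why the rules below anchor on %TEMP%. The Python that follows is an added example, not tria.ge output and not code from the sample: it encodes those three behaviours as rules and runs them over constructed Sysmon-style events (IDs 1 and 13) modelled on this report's process tree. The PIDs and image paths are the report's; the explorer.exe parent (PID 1234), the user SID, the Run value name and the registry data are assumptions. The SCSI identifier check is a registry read, which Sysmon does not record, so that signature is deliberately not covered.

```python
"""Detection rules for the behaviours flagged in this report, run over
constructed Sysmon-style events (added example; not tria.ge output)."""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_IMAGE = TEMP + r"\1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Policy values under ...\Windows Defender\Real-Time Protection that switch
# off parts of real-time protection when set to 1.
DEFENDER_KILL_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
    "DisableIOAVProtection",
}

# Constructed events modelled on the report's process tree. PIDs and image
# paths are the report's; the explorer.exe parent (PID 1234), the user SID,
# the Run value name and the registry data are assumptions.
EVENTS = [
    {"type": "process_create", "pid": 1234, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 64, "ppid": 1234, "image": SAMPLE_IMAGE},
    {"type": "registry_set", "pid": 64, "data": SAMPLE_IMAGE,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update"},
    {"type": "process_create", "pid": 4372, "ppid": 64, "image": TEMP + r"\IXP000.TMP\ms6Zu56.exe"},
    {"type": "process_create", "pid": 4944, "ppid": 4372, "image": TEMP + r"\IXP001.TMP\1LJ98sP4.exe"},
    {"type": "process_create", "pid": 4880, "ppid": 4944, "image": APPLAUNCH},
    {"type": "registry_set", "pid": 4880, "data": 1,
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    # Benign controls: AppLaunch.exe started by explorer, and explorer writing a Run value.
    {"type": "process_create", "pid": 7000, "ppid": 1234, "image": APPLAUNCH},
    {"type": "registry_set", "pid": 1234, "data": r"C:\Program Files\OneDrive\OneDrive.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_target(target):
    """Sysmon's TargetObject is key path + value name; split off the value name."""
    key, _, value = target.rpartition("\\")
    return key, value


def run_rules(events):
    """Return (rule, pid) alerts in event order.

    Events are dicts with type 'process_create' (Sysmon ID 1: pid, ppid, image)
    or 'registry_set' (Sysmon ID 13: pid, target, data). The process table is
    built as events arrive, so each rule sees the ancestry known at that time.
    """
    procs, alerts = {}, []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            parent = procs.get(ev["ppid"])
            # "Suspicious use of SetThreadContext" with AppLaunch.exe as the child
            # of a dropped binary: the .NET launcher is a common hollowing host,
            # so flag it whenever its parent lives in the user's Temp directory.
            if basename(ev["image"]) == "applaunch.exe" and parent \
                    and TEMP_RE.search(parent["image"]):
                alerts.append(("applaunch_from_temp", ev["pid"]))
        elif ev["type"] == "registry_set":
            writer = procs.get(ev["pid"])
            key, value = split_target(ev["target"])
            # "Adds Run key to start application", restricted to writers in Temp
            # so ordinary installers and explorer.exe do not fire it.
            if key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")) \
                    and writer and TEMP_RE.search(writer["image"]):
                alerts.append(("run_key_from_temp", ev["pid"]))
            # "Modifies Windows Defender Real-time Protection settings"
            if key.lower().endswith("\\windows defender\\real-time protection") \
                    and value in DEFENDER_KILL_VALUES and ev["data"] == 1:
                alerts.append(("defender_rtp_disabled", ev["pid"]))
    return alerts


def process_chain(events, pid):
    """Rebuild the ancestry of `pid` (root first) from process_create events,
    the same tree the report draws with its depth markers."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process_create"}
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:24} pid={pid} chain={' > '.join(process_chain(EVENTS, pid))}")
```

    Running it prints three alerts, one each for PID 64 (Run key) and PID 4880 (AppLaunch.exe hollowing host and the Defender policy write), with the full chain explorer.exe > sample > ms6Zu56.exe > 1LJ98sP4.exe > AppLaunch.exe; the two benign control events fire nothing. The Temp-directory restriction on the Run-key rule is a precision choice: dropping it catches more persistence but turns every software installer into an alert.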

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3MR16TH.exe

      Filesize

      30KB

      MD5

      5ff1b48b7c4fedd441832e662b193294

      SHA1

      cd5e5b1dea51f156a85602a285cb7b6f3e7b9a01

      SHA256

      60bf0a75a0e646afd2c00cfddfe0669fe2abab1bce4c54f64eebf390fefee6bb

      SHA512

      76335507cf748defdbf2cb33e10988bdb2cbb99ff37b369ac0a2670f6aeae3ac298338ced9a3fce5aec9f5634f3449e134201d5282cd6a81bd3852e0e0f475b6

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms6Zu56.exe

      Filesize

      533KB

      MD5

      fa6002a4f70722651e6d5efa859bebc8

      SHA1

      7c058ce7d310eed4e586096ef34bc073a5c23326

      SHA256

      3d2e5e93724c91f2a46f9b850a2e078b1148b35c2a6197b27a2b64a7c09efc58

      SHA512

      60e0165abe7f25d8fea036214f893fa98b018d62901b3d756b30fd6a212ab2b77b53b87418238c95d6ae37bf202155229baaf5353cbf461882abbd84ea211420

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LJ98sP4.exe

      Filesize

      886KB

      MD5

      4c17b3e7891cc0dc445b98bad579b862

      SHA1

      1de1ed5f59adc00d54f7c814c3bcd0bb261bc6a1

      SHA256

      a01380704805f5b177b41a649ed781b170c9ce6c373bba2b15f4a19249966655

      SHA512

      ddc9b44d0e32fd382dd3c3418a9c077b3b7ebf41502bf5e072fc4f4d5708cb098362cc8832919c07ad50c5422d78fa7917b2715a3d065c5d231683911d29be7d

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2fC2723.exe

      Filesize

      1.1MB

      MD5

      9166cc8f3a785f3656868acc335f08e4

      SHA1

      b364d709678ca87e8a2073dc0e92305ce8ba7f06

      SHA256

      ae866155e9d507d7aade0f698005dd0e9531bd650a005b6ad0d9b51889e12a2e

      SHA512

      d73c74dc2dd6754973ab5634cdaa8094ac88a78cf74a6512a6fb77ef97bc07e790cd83fea113f53acf7288409f297042e649ce5758b5bce2aeba2bbf65ae567e

    • memory/1852-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/1852-27-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/2328-18-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2328-19-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2328-21-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/4880-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB