Overview

overview

10

Static

static

3

0bbde9df88...20.exe

windows10-2004-x64

10

14381f89f8...62.exe

windows10-2004-x64

10

1c09c6faad...a0.exe

windows7-x64

3

1c09c6faad...a0.exe

windows10-2004-x64

10

1c8308039a...16.exe

windows7-x64

3

1c8308039a...16.exe

windows10-2004-x64

10

1fe4c883d2...6d.exe

windows10-2004-x64

10

234b8aa959...d8.exe

windows10-2004-x64

10

410e72302d...e8.exe

windows7-x64

3

410e72302d...e8.exe

windows10-2004-x64

10

4431aa7413...8c.exe

windows7-x64

3

4431aa7413...8c.exe

windows10-2004-x64

10

68f997d58c...e5.exe

windows10-2004-x64

10

812ce70322...27.exe

windows10-2004-x64

10

88a3f8285d...ab.exe

windows10-2004-x64

10

90fdeaf3f0...a8.exe

windows7-x64

3

90fdeaf3f0...a8.exe

windows10-2004-x64

10

9d92aedf9d...9d.exe

windows7-x64

3

9d92aedf9d...9d.exe

windows10-2004-x64

10

9ff2fb6bb8...32.exe

windows10-2004-x64

10

ac4e2e3d9d...dd.exe

windows7-x64

3

ac4e2e3d9d...dd.exe

windows10-2004-x64

10

b62483116d...b6.exe

windows10-2004-x64

10

c901122f00...70.exe

windows10-2004-x64

10

cfda8adb75...7f.exe

windows10-2004-x64

10

dfe8591c80...49.exe

windows10-2004-x64

10

f5659ff4e2...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562.exe

  • Size

    653KB

  • MD5

    0bbb9c4f3aec16c989bc0ae674f2fdd7

  • SHA1

    f4cb9ea6f447375dbb447888aae37951bd45437c

  • SHA256

    14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562

  • SHA512

    b6569ab53a12d66f9e80c9e1b41856037bd5f3f0bc3b8dc03329f62e4927e92c5793fa8bab3bb0a8f77a802f29dee68d5d1ee578129e9d60904fe5a47de09344

  • SSDEEP

    12288:IMr2y90xBxqhIcmgPpOfTqogw/8s0lw8TRGXDJHN1fEuWD:eym8PcXcTRGzREuWD

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562.exe
    "C:\Users\Admin\AppData\Local\Temp\14381f89f8b411cd75bc72635e73d8b296854b0c9775f80c2fec874a6761d562.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bz4yx42.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bz4yx42.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rV67Gq5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rV67Gq5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:5104
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3008
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qw6973.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qw6973.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4636
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:3576
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Sg93wL.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Sg93wL.exe
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:4308
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:2924

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Sg93wL.exe
        Filesize

        31KB

        MD5

        304540fc7e2a119c2afa14406b7a2868

        SHA1

        f621a995e534cfb37da63ade9b0f330da2da066d

        SHA256

        840c9ec18affe5b5bc404e0093066f084fbff11ea054e68c4d2807817e13781a

        SHA512

        e73624c589acb009a7f89beed1a7cc84f84ad089227584ac0960a03327f316d4b7a6a96ba7de75d257b78a76055147d3f9e9ef01e4b88b9956802e937177ff50

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bz4yx42.exe
        Filesize

        529KB

        MD5

        0f47739e06646de86f5701c8de1bc7db

        SHA1

        f781ea9ae9b73b77952ac19a134a57b2c6a4f9ab

        SHA256

        f19f0b5be0f85e44b1960ae183395d15448081027e8e978758a98092a1d6d422

        SHA512

        a37aa0a6cb96e0ec0d0a84b7e2896e2b986d78d9eb1e416b0dccfeb300d322b26e401483f28c22a46cf2762db8a64f70f18e92d273d0880aadf3e1eb5ec312dd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rV67Gq5.exe
        Filesize

        869KB

        MD5

        0c8222341ec3010e03d74d8981c73549

        SHA1

        f5d600f1db05a7bbfe39f3680aa77cbb5455d18c

        SHA256

        42f4a709b4ce2c67b9b5d4dac61bae1a36cb75b4d4886df2b10f5ac141c5b973

        SHA512

        5c06ba4513700e67c5d52f55cfa22cd26beaaef757e915b931c4c39fac0613a8e4a7a92b6fdfc50c7bb8367391a4359f318e7756cd606341628436363c3c59ca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2qw6973.exe
        Filesize

        1.0MB

        MD5

        ffcc23e85272b43f209a8800b46d317e

        SHA1

        57bfc03a3a8578d58c9ab1d0ea10470d54262233

        SHA256

        a5351a58357f4c9ed0e2e25066f32b2f3bbc69fb84b2e2c8ab12b695b0b7cec9

        SHA512

        5477ba219f1282cf017782a47ff6d31ead3f165b26b44abcc45debe8ad120926a65785c72ec45ba86e8a6696001eca393ed521f1b60648b1881fb4b7a91d7848

        Download Submit

      • memory/3008-14-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3576-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3576-21-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3576-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4308-25-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4308-26-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download