Overview

overview

10

Static

static

3

0bbde9df88...20.exe

windows10-2004-x64

10

14381f89f8...62.exe

windows10-2004-x64

10

1c09c6faad...a0.exe

windows7-x64

3

1c09c6faad...a0.exe

windows10-2004-x64

10

1c8308039a...16.exe

windows7-x64

3

1c8308039a...16.exe

windows10-2004-x64

10

1fe4c883d2...6d.exe

windows10-2004-x64

10

234b8aa959...d8.exe

windows10-2004-x64

10

410e72302d...e8.exe

windows7-x64

3

410e72302d...e8.exe

windows10-2004-x64

10

4431aa7413...8c.exe

windows7-x64

3

4431aa7413...8c.exe

windows10-2004-x64

10

68f997d58c...e5.exe

windows10-2004-x64

10

812ce70322...27.exe

windows10-2004-x64

10

88a3f8285d...ab.exe

windows10-2004-x64

10

90fdeaf3f0...a8.exe

windows7-x64

3

90fdeaf3f0...a8.exe

windows10-2004-x64

10

9d92aedf9d...9d.exe

windows7-x64

3

9d92aedf9d...9d.exe

windows10-2004-x64

10

9ff2fb6bb8...32.exe

windows10-2004-x64

10

ac4e2e3d9d...dd.exe

windows7-x64

3

ac4e2e3d9d...dd.exe

windows10-2004-x64

10

b62483116d...b6.exe

windows10-2004-x64

10

c901122f00...70.exe

windows10-2004-x64

10

cfda8adb75...7f.exe

windows10-2004-x64

10

dfe8591c80...49.exe

windows10-2004-x64

10

f5659ff4e2...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b62483116d18fcce423634c2d593e9a4337f6e491ba99627ad7d7030d97546b6.exe

  • Size

    642KB

  • MD5

    4b28b510d24ff62495814bd03cd127dd

  • SHA1

    7b1886b629f47dfead2a7cc7fc86d741786ff51e

  • SHA256

    b62483116d18fcce423634c2d593e9a4337f6e491ba99627ad7d7030d97546b6

  • SHA512

    aad6de7433c9a68f6f8cc12566796fa5159d1345ee5d7d459cad671844e0fb138e22cc057e9ab4c6922c8dfefef5573f5d7a4b51a433461fc1659a12fb9cf88c

  • SSDEEP

    12288:/Mrey90Ly/P4XcjJ3RbQpARnGwLgIljsS4/tNfg8nApf0jh:lyhwoJRbQ2dGOlj94/Dg8M0t

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b62483116d18fcce423634c2d593e9a4337f6e491ba99627ad7d7030d97546b6.exe
    "C:\Users\Admin\AppData\Local\Temp\b62483116d18fcce423634c2d593e9a4337f6e491ba99627ad7d7030d97546b6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YL6Of87.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YL6Of87.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1lU34wa8.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1lU34wa8.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3932
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3088
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Hi7634.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Hi7634.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4752
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:4756
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Fx71Vm.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Fx71Vm.exe
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:4868

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Fx71Vm.exe
        Filesize

        31KB

        MD5

        b9ada6602891d302eef7d59830e092d2

        SHA1

        5f52ef27154479cd23acbf32fdc7465eb08cbb90

        SHA256

        ae39dbb2ed6825ce38994c8d3851962662bb4474fbc2f10d38179d680082f039

        SHA512

        7b40555ce1a1af239edfe3026fdc01813182146cd3cbf47068e905ba5982005506fc6d30c22af2d0213048312471609bdab154b0540e9edf5cc3e9e2dc7a0fce

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YL6Of87.exe
        Filesize

        518KB

        MD5

        870a09baa75399f7d1504126b4ea18df

        SHA1

        4f3e4014af549b8099fb4d4791ce0b976cd8ba39

        SHA256

        59ffc302494ff5179b53733a82b5f705cdef56be8021e244efb7624006fdfdab

        SHA512

        e8e74ddddd110a1970173cc7fe6e421f641d09ee3298ef793117483322e6ae980d46b538883e3f5987f61222f88adfdbabdaf4ad9430d337837e36859bf72df6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1lU34wa8.exe
        Filesize

        869KB

        MD5

        e2d6208fdd703f4c0f73de20642dfe27

        SHA1

        0fc109b3ff16626d629449f10f8b079e7f52c1f0

        SHA256

        7c500cdf614bb593db0e4081fd182fa3d9f8952aecfb1bda2d5abfb71394e76a

        SHA512

        6e8a3525e0581724c8174144e6e687caa29f4c8532f7b5a7f6818eef94755d3375178aa982699c28de0faf0952f65d85940cead71545858556df1ab7d4a21518

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Hi7634.exe
        Filesize

        1.0MB

        MD5

        94da092e12117b622c5a575dfada9c19

        SHA1

        9cc1f33bcafc1c01d1b9d61745f0c79c4b2ba190

        SHA256

        27dbc14e4ce30fc9752a627ad83d2ded88a8307d0966bed4683d2013a3a59aa0

        SHA512

        4e37c83fadd01b54ef798dfcad192d2586c16c4f48dcddbcdd343fe05e31d46b7227447f00a31181cf31fe06b9fb0cc6875bf6928634f2cc74d397c759249da4

        Download Submit

      • memory/3088-14-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3088-16-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4756-19-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/4756-22-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/4756-20-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/4868-26-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4868-28-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download