Overview

overview

10

Static

static

3

0bbde9df88...20.exe

windows10-2004-x64

10

14381f89f8...62.exe

windows10-2004-x64

10

1c09c6faad...a0.exe

windows7-x64

3

1c09c6faad...a0.exe

windows10-2004-x64

10

1c8308039a...16.exe

windows7-x64

3

1c8308039a...16.exe

windows10-2004-x64

10

1fe4c883d2...6d.exe

windows10-2004-x64

10

234b8aa959...d8.exe

windows10-2004-x64

10

410e72302d...e8.exe

windows7-x64

3

410e72302d...e8.exe

windows10-2004-x64

10

4431aa7413...8c.exe

windows7-x64

3

4431aa7413...8c.exe

windows10-2004-x64

10

68f997d58c...e5.exe

windows10-2004-x64

10

812ce70322...27.exe

windows10-2004-x64

10

88a3f8285d...ab.exe

windows10-2004-x64

10

90fdeaf3f0...a8.exe

windows7-x64

3

90fdeaf3f0...a8.exe

windows10-2004-x64

10

9d92aedf9d...9d.exe

windows7-x64

3

9d92aedf9d...9d.exe

windows10-2004-x64

10

9ff2fb6bb8...32.exe

windows10-2004-x64

10

ac4e2e3d9d...dd.exe

windows7-x64

3

ac4e2e3d9d...dd.exe

windows10-2004-x64

10

b62483116d...b6.exe

windows10-2004-x64

10

c901122f00...70.exe

windows10-2004-x64

10

cfda8adb75...7f.exe

windows10-2004-x64

10

dfe8591c80...49.exe

windows10-2004-x64

10

f5659ff4e2...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cfda8adb7597e205b205c916dd913856ad96e83acc3a76ec0ca6f85b8cb33c7f.exe

  • Size

    668KB

  • MD5

    4cd9f4a51d4222f674cc44432ae8509c

  • SHA1

    bf4548f30db9b5eac81fce9e0d693f7bc5b484ac

  • SHA256

    cfda8adb7597e205b205c916dd913856ad96e83acc3a76ec0ca6f85b8cb33c7f

  • SHA512

    e36834e17fda3fbe45ca15b149b35940f7719dc10d7406d24e06be35ffe4c0613742eafb4f61d6120aff8d128d9fd5a759cf41ec5655e3508a47b0e4f4e4516f

  • SSDEEP

    12288:nMrty90KXqjPUic360qc6NxeFLAYjiSs06d+JcSeCg8ammGlVoOb11:iyd4Mqdc886jd+Hg8aU/L1

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfda8adb7597e205b205c916dd913856ad96e83acc3a76ec0ca6f85b8cb33c7f.exe
    "C:\Users\Admin\AppData\Local\Temp\cfda8adb7597e205b205c916dd913856ad96e83acc3a76ec0ca6f85b8cb33c7f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wr7xo92.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wr7xo92.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ve71NP8.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ve71NP8.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ek8667.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ek8667.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3540
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2100
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:2116
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ev01rY.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ev01rY.exe
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          PID:3500

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ev01rY.exe
        Filesize

        31KB

        MD5

        9851cb7792be9fa6987f032602301246

        SHA1

        66f850d255aaec219836862dbe7f0aa20d2639f3

        SHA256

        fd678b0bb19973e0652b0b3b2176e61396842cf919f3c92f280014fd5d1bc816

        SHA512

        fd62e805c27ad3ffa7e145b1151e0bf395764ef80c56ac0d03e447264f3a6f1f4cce5a9b5c8b99d02589486b62e29d888f27af640097bd65f0e339c778108d81

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wr7xo92.exe
        Filesize

        544KB

        MD5

        8585d0e4352299c99876cfef8b414070

        SHA1

        dca00d76457ce03461a14b22d01ef707bb0fc1d7

        SHA256

        dfc623ffda35bad99869f0655b9e7d7b874416554e2d47692a871318ed0c19b4

        SHA512

        e2f898dffc89c0da49194d2547c9f57b980b26a4f66f9ec07aaad1ce1787225e57843cd9c216614eab8e15ee0b1f2123b76905067522899fadb6bc19135d9c97

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ve71NP8.exe
        Filesize

        933KB

        MD5

        f6a8a247bfe4b1fd68989a8b511540e0

        SHA1

        8703abc93f079277c5fd3f42c599f1c9662edf35

        SHA256

        d7d74dbfbf20858d5bab1651ee0ed2a7003a2307be96b924a99a06a0206f69a6

        SHA512

        9ce17b86d9b67a117cdcccf0246a1f642764eb2202beb1aacd53275a651f630424d944fb41ad0cdd98d5c6133a6451b75e7a0e296e70e93cc744f8497747f545

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ek8667.exe
        Filesize

        1.1MB

        MD5

        7f27e3beca6f4d5ddb633fc7f14ba9b3

        SHA1

        f0724dd591dbbb68911325037df5585687fd199e

        SHA256

        c05c6c42c65f0a82b57c76f35ce2400f494076b239fe86f472de9fca75799151

        SHA512

        556c26c91a1cbaf267ae56278122ef6466d471d440b657c5221f13c256d398370569b2141041dc67e3faa0c0af6a8d63d551fa4032fa5685f3e3d56ef02fec34

        Download Submit

      • memory/1000-14-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1000-18-0x000000007441E000-0x000000007441F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2116-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2116-20-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2116-22-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3500-26-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/3500-27-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download