Overview

overview

10

Static

static

3

0d17733c30...5d.exe

windows10-2004-x64

10

12afd6aace...a7.exe

windows10-2004-x64

10

1a9919325d...ce.exe

windows10-2004-x64

10

1b565f7ed3...1d.exe

windows10-2004-x64

10

2c58ee5805...6e.exe

windows10-2004-x64

10

33598ea86e...12.exe

windows10-2004-x64

10

4e5d421522...cb.exe

windows10-2004-x64

10

4ff3477e4f...b7.exe

windows10-2004-x64

10

6ee2a56c58...f5.exe

windows10-2004-x64

10

803bdeb4bc...3b.exe

windows10-2004-x64

10

82c26e730c...f6.exe

windows10-2004-x64

10

92d5779e2c...c1.exe

windows10-2004-x64

10

b0845c677f...61.exe

windows10-2004-x64

10

b82c1f093a...b3.exe

windows10-2004-x64

10

c52f1aa452...c1.exe

windows10-2004-x64

10

c7bf16d19a...5c.exe

windows10-2004-x64

10

d85805160c...b3.exe

windows10-2004-x64

10

e4e49b8568...6d.exe

windows10-2004-x64

10

e5ef76e6dd...ba.exe

windows10-2004-x64

10

fac8fce7e3...0e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82c26e730c449cb8fa3b24eb4cad396dfb875eecd3ee1ccbb1d8fe29530d3ef6.exe

  • Size

    1.2MB

  • MD5

    55cdd95fc367cdccba3cf9a83bb8676e

  • SHA1

    8ded20c3a09f0ebf77a6412e07b088f478a5b61c

  • SHA256

    82c26e730c449cb8fa3b24eb4cad396dfb875eecd3ee1ccbb1d8fe29530d3ef6

  • SHA512

    528acc8bcd165996bb7fdc3429c933f94cd9b8f8565df5bf54a331519241efac28938ed6b066938b94fac46dd71affd424b2ec225466675dae91778ce47d3caf

  • SSDEEP

    24576:gyd1h+cgcAt/V3DklK4IxQzHTV8XP3sWlHRUGJoK+oYMNyK:n5gr3QoLxQN0P8WxUzWN

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82c26e730c449cb8fa3b24eb4cad396dfb875eecd3ee1ccbb1d8fe29530d3ef6.exe
    "C:\Users\Admin\AppData\Local\Temp\82c26e730c449cb8fa3b24eb4cad396dfb875eecd3ee1ccbb1d8fe29530d3ef6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VE1Mv64.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VE1Mv64.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wz73oG2.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wz73oG2.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3160
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4484
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 576
          4⤵
          • Program crash
          PID:3140
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2lM4333.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2lM4333.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2868
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 600
            4⤵
            • Program crash
            PID:1056
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3gJ06Ji.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3gJ06Ji.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4872
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
          • Checks SCSI registry key(s)
          PID:384
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 572
          3⤵
          • Program crash
          PID:4792
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3160 -ip 3160
      1⤵
        PID:4812
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2268 -ip 2268
        1⤵
          PID:2292
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4872 -ip 4872
          1⤵
            PID:632

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3gJ06Ji.exe
            Filesize

            1.6MB

            MD5

            bb15cec1552b814cd4f121eacaf07ca3

            SHA1

            48b19541a3315d5d45f6d9c58386f999f340696a

            SHA256

            ac592ed0fd072aa98b1098b5d23de6a8e09b5e33c21fb0e1705458a5a6d3e28a

            SHA512

            9f6aff698162c4fc7cbe5112e53389d5d3253926e778fda16811cdb52ff1554023f5f029b704149f05c7121ee774b247f47db8f9904c83866484103db9e0b1c2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VE1Mv64.exe
            Filesize

            739KB

            MD5

            d9672337e47855244e5e59f1b51af06f

            SHA1

            5e3d0295d1b779e95199a24d130331c6f2a0512a

            SHA256

            56b70ed46710e95d76904d25e723f62385f6c9da77fa44e58ce8db00abc4ce23

            SHA512

            c416e769de5c65fb1ae7e849b82b3ab3fb21dec9cec0ce5620a266c0eb1aeb7ed9df939f392158f30ca1441738e32a997c48f4fb52058af34a7065e95cc7be4f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wz73oG2.exe
            Filesize

            1.8MB

            MD5

            7ff60b81cdc13db40d086d86b470072f

            SHA1

            6024ad854cb6f149391930388c9851888db87b08

            SHA256

            d0b4d52ab3e17f14e34c1751fa2b69ce52e34ca0076663a7fdeeed7824faa08f

            SHA512

            fc4cac5efbbbf6b3cf4a6e327d29ee52f42bc6df4eacb3a2e77c1b4b9cdda5107ebf7478c4e974d1beff96957021de0354183b6a97af1b1812bade382f0f90c7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2lM4333.exe
            Filesize

            1.7MB

            MD5

            52f182039ef01e396d7302aaf7391a19

            SHA1

            60e94cc7454ea39596cd62a9a51145de6a28d224

            SHA256

            995cb76b4703e2c98b500dab899c7225f639d4b4a0103d2923cad1f34ff062ca

            SHA512

            fb48e713594f60f2e867aaa99deafeeffdc2bebff8b344578c5a7b49b1949b08e8159750ea99f5cef9bc185eb2d319bee1ccae4c86faf3b005a8c7ff173a300f

            Download Submit

          • memory/384-60-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/2868-53-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/2868-54-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/2868-56-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/4484-37-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-23-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-49-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-47-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-45-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-43-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-21-0x0000000003040000-0x000000000305C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4484-35-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-33-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-27-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-25-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-41-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-39-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-31-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-29-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-22-0x0000000003040000-0x0000000003056000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4484-20-0x0000000005A60000-0x0000000006004000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4484-19-0x0000000002F90000-0x0000000002FAE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4484-18-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4484-16-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4484-15-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4484-14-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

            Download