Analysis
-
max time kernel
135s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
23-05-2024 18:30
General
-
Target
c5e42a3a502b792f98bf1c2a5548dcfe3d99699a1ebd3b1dbbc5eebb02e0e13e.exe
-
Size
749KB
-
MD5
a488dc8386a267e2acce14f3d1555b2b
-
SHA1
c430f860139a9789dce9e649372373c5404f384f
-
SHA256
c5e42a3a502b792f98bf1c2a5548dcfe3d99699a1ebd3b1dbbc5eebb02e0e13e
-
SHA512
b8f58f66d108d2891a070bf3fb2062f260626fb38f65cd9cc729c176e3e2e0b39eef01567bf5f8ab1066b26d7ddcb11a080cfc35222e9a8f97a1fca62bcb35be
-
SSDEEP
12288:yMrCy90ULBNqxe1t61hnIXvVoEpvX3KNzpdty6t0b1f3OAm/NyvLdOkaAl2TH:AyZOY1t6PnO5p/a7jJM1+1/NyT8kqH
Malware Config
Signatures
-
Detect Mystic stealer payload 1 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5e42a3a502b792f98bf1c2a5548dcfe3d99699a1ebd3b1dbbc5eebb02e0e13e.exe"C:\Users\Admin\AppData\Local\Temp\c5e42a3a502b792f98bf1c2a5548dcfe3d99699a1ebd3b1dbbc5eebb02e0e13e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nk3Gs03.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nk3Gs03.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ae74NR7.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ae74NR7.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Hu6027.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Hu6027.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Wb30Ka.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Wb30Ka.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Checks SCSI registry key(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
973KB
MD55dc4be46727c1853e63ebdd240ec9bd9
SHA16265b41bbecbb96cf666d2b4cbd6f209f44d7a2d
SHA2561df63e2de3adac7ff425c75b3f649078fd7a8e0008e5063bd290adb1cdba2446
SHA51259828cba7af9fb26c6717eb3e655eec07f732ec92d3ec0cce7ed2df1acf6095dec2d97cdbbd3591ed96c08cb2adcff12c31534a93b48757ff8976c0a4233062b
-
Filesize
364KB
MD54b8a14d31e5650b660a83a8f6a1513fe
SHA17ad410958dcac6b8a057bf72bf3b4b57bd712a5a
SHA256979affe7d58425f6e1ccef7dd74524dab735710df7d0584ff23205d83fa25fc4
SHA512d57441ee3e220e9776d6e4f5d22d63711bba0a5e2270daa33b13a6670dbed0ae740e5405ef095da11668e3d948087c920a05696c0a2f8d5325eb77a44d553a96
-
Filesize
188KB
MD5425e2a994509280a8c1e2812dfaad929
SHA14d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA2566f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0
-
Filesize
186KB
MD53a24a41f3044d90555f6cdea0f2533f8
SHA125a1913e9e41dd13039d023a5f63a050256c72ca
SHA2565e900b7d563b6dc3f5c5db7386ae7ea83ec512b1a72a1cac6d16d17110a90253
SHA5128d12aca702a3f81329fe0dad30b28269fd9933b5493e8d978080fbee9b66a1727b76b6230d910a9cda1ca68141b55ef7b63fd3f7de077eb453da7d8b44f5b837
-
Filesize
36KB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
128KB
-
Filesize
4KB