Overview

overview

10

Static

static

3

04a87b8f05...aa.exe

windows10-2004-x64

10

114af5c13b...fd.exe

windows10-2004-x64

10

1e8dd381c7...01.exe

windows10-2004-x64

10

22e22c4ac4...b8.exe

windows10-2004-x64

10

2539ef3c9e...7a.exe

windows10-2004-x64

10

28e3223b75...cb.exe

windows10-2004-x64

10

2a370f0b1b...d2.exe

windows10-2004-x64

10

312eee3369...2a.exe

windows10-2004-x64

10

49fe85c527...13.exe

windows10-2004-x64

10

5b3b69df98...46.exe

windows10-2004-x64

10

73935ea9dd...cf.exe

windows10-2004-x64

10

7afbfc55db...35.exe

windows10-2004-x64

10

7b920ad0a6...fd.exe

windows10-2004-x64

10

867a7ac357...10.exe

windows10-2004-x64

10

a69474bf18...5d.exe

windows10-2004-x64

10

c1509297f2...7d.exe

windows10-2004-x64

10

c1821fe13b...86.exe

windows10-2004-x64

10

d431e54eb0...f6.exe

windows10-2004-x64

10

e0e0fe767a...79.exe

windows10-2004-x64

10

f1372b1a09...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0e0fe767a4d28c22c9164941b937ca32139dda9a5ac00b380e14f39f0bc2e79.exe

  • Size

    696KB

  • MD5

    c7ebfe13a7bf0a68584149c5ddb03abd

  • SHA1

    ddc8cd20e9ae316e160214ded1afbb8c077b14f1

  • SHA256

    e0e0fe767a4d28c22c9164941b937ca32139dda9a5ac00b380e14f39f0bc2e79

  • SHA512

    1f2e9b44c23b34151cc8c86b13c6046618f0b0b64593e645fc1aa347e7d5645defdb6d1c70f7f3bfb5b70376dcf000f47d9a8979deb5a8d74876cfa86146deb4

  • SSDEEP

    12288:oMrYy90yI3SObs3vabwalG13yWvTGGtGzyDQUBw6a0b96kuVz:gyDICObs3alG13wGTc0EkOz

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0e0fe767a4d28c22c9164941b937ca32139dda9a5ac00b380e14f39f0bc2e79.exe
    "C:\Users\Admin\AppData\Local\Temp\e0e0fe767a4d28c22c9164941b937ca32139dda9a5ac00b380e14f39f0bc2e79.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YF8Im73.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YF8Im73.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1kk24Nw1.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1kk24Nw1.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wf7879.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wf7879.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:1884
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 160
            4⤵
            • Program crash
            PID:4064
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3iJ50yS.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3iJ50yS.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1372
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:3712
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            3⤵
            • Checks SCSI registry key(s)
            PID:3616
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 152
            3⤵
            • Program crash
            PID:3692
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 220 -ip 220
        1⤵
          PID:4620
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1372 -ip 1372
          1⤵
            PID:3952
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe start wuauserv
            1⤵
            • Launches sc.exe
            PID:912

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3iJ50yS.exe
            Filesize

            268KB

            MD5

            7ea92704fae8dad8ce88f4d81a0fd471

            SHA1

            f38a6922bc9e503df13f43ecffa47b3eb1c06af6

            SHA256

            e279eb0fa684212454e21abbed38544525754320db1fd5baba7952882d5ab607

            SHA512

            59abd89ebd282795209a12bc8c97b5f73cd1426d92e065f4219691616f482718c6275b709bb571f35bdfbaa94f5a8e3ba657f58e313e8a09d446b348871c7bf4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YF8Im73.exe
            Filesize

            452KB

            MD5

            68a5c26eefbaf9cdeca6e4da90ec4a30

            SHA1

            f08d6739e1e2a7c282ae427d5b8593ad36b654b4

            SHA256

            631a8ca2ac6e02a4a31f6affd61ec8619c9ec85480c14f5d0e3b1a8458948c47

            SHA512

            1a5c87be6d57d0378bf1caf8d0f5025ce79fc0228c57a9728a1ac780938314151f43a1c8c16b01ed27dddbcc435c0f5b7c343fca1457b38c9252036029a6b28a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1kk24Nw1.exe
            Filesize

            192KB

            MD5

            8904f85abd522c7d0cb5789d9583ccff

            SHA1

            5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

            SHA256

            7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

            SHA512

            04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wf7879.exe
            Filesize

            378KB

            MD5

            4ccc01683e03688de17345bed7d3506f

            SHA1

            0d8f6f41ba801f259627cdaf1abe4da4d9c23dda

            SHA256

            aac38b1eaa6d074eda4d6e89dd26699fcb093344269a4e1d7f73b4a171f3146d

            SHA512

            2d45f20759c1dd0bef8f4452393c9709b6f4b3a7123648cc69d0058e129803c5e82257404071882081503be5f7dd25c4749056d60e3badcd2b014aa6e3280c4c

            Download Submit

          • memory/1664-35-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-29-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-18-0x0000000004990000-0x00000000049AC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1664-19-0x0000000073E00000-0x00000000745B0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1664-20-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-47-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-45-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-43-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-41-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-37-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-16-0x0000000073E00000-0x00000000745B0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1664-33-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-31-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-17-0x0000000004AD0000-0x0000000005074000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/1664-27-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-25-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-21-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-39-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-23-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1664-49-0x0000000073E00000-0x00000000745B0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1664-15-0x00000000022D0000-0x00000000022EE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1664-14-0x0000000073E0E000-0x0000000073E0F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1884-56-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/1884-54-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/1884-53-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/3616-60-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download