Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 19:05

General

  • Target

    0fed7be9f1bc5655b7c37c7839da72b6233320884e7029c3ca465ec9fa0bdc18.exe

  • Size

    627KB

  • MD5

    a023dcdf69a662c78b89ea42e27ddff1

  • SHA1

    c285a8ddd972405bba6a643c45614bb9f6a7a1bb

  • SHA256

    0fed7be9f1bc5655b7c37c7839da72b6233320884e7029c3ca465ec9fa0bdc18

  • SHA512

    02bed9b5c5bdabbb6890d92813c11c0401078a51762733a0ff1652860ce1f04b0df88f1a1873b940133dcdce2ca609897b00b27116b353b8b299daa662b1db9b

  • SSDEEP

    12288:0Mrvy90w5u6t5if8iVo7jP8+ixDdt+PNbzQAyU9rwRxxDb/3brOw5aLc:Dyo6Ti27j0+ix8zQAXRCxb/3brL5l

Malware Config

Extracted

Family

mystic

C2

http://5.42.92.211/

Signatures

  • Detect Mystic stealer payload (3 IoCs)
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Launches sc.exe (1 IoC)

    sc.exe is a Windows utility to control services on the system.

  • Program crash (3 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fed7be9f1bc5655b7c37c7839da72b6233320884e7029c3ca465ec9fa0bdc18.exe
    "C:\Users\Admin\AppData\Local\Temp\0fed7be9f1bc5655b7c37c7839da72b6233320884e7029c3ca465ec9fa0bdc18.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uw4jo81.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uw4jo81.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yt26wD6.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yt26wD6.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:912
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2088
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 584
          4⤵
          • Program crash
          PID:528
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2UU0135.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2UU0135.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:4584
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 564
          4⤵
          • Program crash
          PID:4708
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3HJ06gh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3HJ06gh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4104
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Checks SCSI registry key(s)
        PID:768
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 584
        3⤵
        • Program crash
        PID:3228
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 912 -ip 912
    1⤵
    PID:4520
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2700 -ip 2700
    1⤵
    PID:3216
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4104 -ip 4104
    1⤵
    PID:3656
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3HJ06gh.exe
    Filesize: 258KB
    MD5: 42f7f253e4560c3f34e51224ff2db445
    SHA1: 9a498ee905e5b19a281996c16156746432e8177b
    SHA256: 46751ea25f8226cf0b1d6c1d2d8ad7a261cb5fd48719ec669b2acc5a95bd508d
    SHA512: 464a27fe76ce7aef5af45028020c7d85a60b4fe2ac01df40503a0b267b7ec7cfc23ec237ffbdc18364d68f066473685d522c0026792a7a91030fcb3ad6ced6c9

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uw4jo81.exe
    Filesize: 388KB
    MD5: bea1f77d6043e836fb62540b338868c1
    SHA1: 106977b5d3227b55becd83803ba51227dadb46df
    SHA256: 3715bb832ec20a415c1ceb7b59fcd275de12645a9b7436cdbe56686a0465e45a
    SHA512: bb97470a52aec9c3c2486543fb3c73320a94548e305df298ce6b44fbe4dab7fc498a7cb2da953e64d737e7022e3ea553d5c7a64962be338d0c7dc26fbccb62d6

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yt26wD6.exe
    Filesize: 232KB
    MD5: 3ff825411b1fe07e712a5dcae34f80eb
    SHA1: e3e4358cabfa74d6e36e26754b01ed78434a6877
    SHA256: 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
    SHA512: 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2UU0135.exe
    Filesize: 410KB
    MD5: 8e41a4f4df8c05d127d45ea1dc5a221d
    SHA1: 65b67a5618a75cb178aba2ce942e235c0c2cfd08
    SHA256: e213d0e65d3e73eecd6320248a0f4fad2db57d558639448e95e655c3c6da1d24
    SHA512: 6d0c2e685b76c6c5c226bbbd8cf331bcdfb7eb3359a7e2ae7bee24482b2c00c3df7f186101dbc022be11d1ada80a84602f218cc61c6442617cdededad1cb1122

  • memory/768-26-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB

  • memory/2088-14-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB

  • memory/2088-15-0x000000007406E000-0x000000007406F000-memory.dmp
    Filesize: 4KB

  • memory/4584-19-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB

  • memory/4584-22-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB

  • memory/4584-20-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB