Overview

overview

10

Static

static

3

0697314d1d...a5.exe

windows10-2004-x64

10

0f998493b8...79.exe

windows10-2004-x64

10

21e1937094...38.exe

windows10-2004-x64

10

2800d64eb3...31.exe

windows10-2004-x64

10

299e46ee08...d5.exe

windows10-2004-x64

10

3d64fae31a...d7.exe

windows10-2004-x64

10

652a4e2d36...35.exe

windows10-2004-x64

10

6b4d258a8d...1a.exe

windows10-2004-x64

10

74c99e0dfd...42.exe

windows10-2004-x64

10

7e6bab9491...d0.exe

windows10-2004-x64

10

80af2b3540...7e.exe

windows10-2004-x64

10

a96b277202...ca.exe

windows10-2004-x64

10

b618a9cedf...7f.exe

windows10-2004-x64

10

c1237a6a46...5b.exe

windows10-2004-x64

10

d7fde0f5ef...97.exe

windows10-2004-x64

10

da85318c86...60.exe

windows10-2004-x64

10

dc220ed080...4e.exe

windows10-2004-x64

10

e5e7bb0a7c...4a.exe

windows10-2004-x64

10

e91c8d8104...e0.exe

windows10-2004-x64

10

f3b6442113...3b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe

  • Size

    508KB

  • MD5

    08f93718f532a5b6806992822abd5319

  • SHA1

    bf256764f2a7e66ce6043af9a36558d8ebfae3c2

  • SHA256

    0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179

  • SHA512

    01731396c4eddfca44f4421e74fff0c6a9551f87fcf4f6799e5a001ec1872cb398ffd66aaadc09bb92cedc47cb9e193b635f36d82a067d70a448764c47650801

  • SSDEEP

    12288:tMr7y90cskbQBr9Sm/zFAUl4RI27Senp1/oGjhvC:SytQBHzFFs3/oGtC

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe
    "C:\Users\Admin\AppData\Local\Temp\0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3328
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 568
          4⤵
          • Program crash
          PID:4264
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4568
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3840
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:3960
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 584
              4⤵
              • Program crash
              PID:4764
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4188
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            3⤵
            • Checks SCSI registry key(s)
            PID:4008
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 152
            3⤵
            • Program crash
            PID:644
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5028 -ip 5028
        1⤵
          PID:4908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4568 -ip 4568
          1⤵
            PID:4256
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4188 -ip 4188
            1⤵
              PID:3812

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exe
              Filesize

              145KB

              MD5

              9bb0eb72d32ec101bc3815421314f021

              SHA1

              1d841de7459312d07946eb0dae13a4c87bc0ca3c

              SHA256

              3d5d022325d8cab27839dfecc7bb90cf6b6aa9e98c09f6092f85ed6e048d190d

              SHA512

              9d1d41309bc29ee325e47a7e533ac89c0b3244c4a45f1fc56d600d374f7aad6e95f34602e17178f05e7e4d4593a377f0b318b4a35ff33a6cdd529f72ef0bd3db

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exe
              Filesize

              324KB

              MD5

              01ef9ff7ae7d9bf431b69d3071431266

              SHA1

              5177778dced679e5f8b51b7f2db415d941a50afd

              SHA256

              c3fb710c4c8b6204f6f6950a15743f9d94ceda63399f4b6bcbe1dbfb65058f01

              SHA512

              40915b996fb75c48c4c62876cb2815280f626afce175b740043e6248dcad5dfae2fbd8fdf615fe69e4f4191140a8480deeec8bc0b47288c64d0473c0f4191a86

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exe
              Filesize

              129KB

              MD5

              4ed940ea493451635145489ffbdec386

              SHA1

              4b5d0ba229b8ac04f753864c1170da0070673e35

              SHA256

              b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

              SHA512

              8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exe
              Filesize

              295KB

              MD5

              74f239f9f94d46453dc31466f26f7640

              SHA1

              23da44b3dd957bfd5cb307c52186a2d3d75b0bc8

              SHA256

              81dbdaaefa4798995ed214aaaccd2175a91cc438d51b53da625d5d330eb0b304

              SHA512

              9fbeaadfe94ef04915e109e07ca0a0d698542073f7f3800c75b30d248a6206ed2b70d6a5a83c25bb349877304d7d5dc4426e6f2e66b1bd9585dd09ff04a6fb20

              Download Submit

            • memory/3328-14-0x0000000000400000-0x000000000040A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3328-15-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3960-22-0x0000000000400000-0x0000000000432000-memory.dmp

              Filesize

              200KB

              Download

            • memory/3960-21-0x0000000000400000-0x0000000000432000-memory.dmp

              Filesize

              200KB

              Download

            • memory/3960-19-0x0000000000400000-0x0000000000432000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4008-26-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download