Overview

overview

10

Static

static

3

12529f4b65...8e.exe

windows10-2004-x64

10

177d217638...c9.exe

windows10-2004-x64

10

2dd3d7aef1...30.exe

windows10-2004-x64

10

3677484a61...a2.exe

windows10-2004-x64

10

4682d27822...6e.exe

windows10-2004-x64

10

492e1a379a...be.exe

windows10-2004-x64

10

50eee0d0ce...b6.exe

windows10-2004-x64

10

54a187adfc...90.exe

windows10-2004-x64

10

779aae8d26...ea.exe

windows10-2004-x64

10

7a8a88b0a1...14.exe

windows10-2004-x64

10

7d862d9155...a1.exe

windows10-2004-x64

10

994a6a489b...70.exe

windows10-2004-x64

10

b3e77f6d31...38.exe

windows10-2004-x64

10

b8349e4fcf...97.exe

windows10-2004-x64

10

c4b092b703...86.exe

windows10-2004-x64

10

c676d41b0a...68.exe

windows10-2004-x64

10

e6003af825...08.exe

windows10-2004-x64

10

edc38eb50d...b7.exe

windows10-2004-x64

10

ee34d9132f...8c.exe

windows10-2004-x64

10

f644369631...3f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 08:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50eee0d0cea3475aaf0d1b967b37fb6abff00bafb4fa6e17a8c948e2ef84aab6.exe

  • Size

    690KB

  • MD5

    ded34aadbb2d073dca9fe7ab881865c2

  • SHA1

    1152a50b60333303cf6122a25141fdad64bf2467

  • SHA256

    50eee0d0cea3475aaf0d1b967b37fb6abff00bafb4fa6e17a8c948e2ef84aab6

  • SHA512

    363e2a8155764e80ca17fed13951e343a18d7c6f9793f0d51b47c7b187e4da4e74386801032e9ad12542ae01dc24af686016f37aed1fab5ab75b3bb9dc554785

  • SSDEEP

    12288:wMrly90TY1vFUS3OmEEz7jP7+i+EryADUjm9YWCcyVITDLGngoV14Jk/xBAY:FyBPROmx7jj+i+ErvDcm9DCcGI3LGgoL

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50eee0d0cea3475aaf0d1b967b37fb6abff00bafb4fa6e17a8c948e2ef84aab6.exe
    "C:\Users\Admin\AppData\Local\Temp\50eee0d0cea3475aaf0d1b967b37fb6abff00bafb4fa6e17a8c948e2ef84aab6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nm5dF04.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nm5dF04.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1au95XV5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1au95XV5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3040
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 564
          4⤵
          • Program crash
          PID:3508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gg2687.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gg2687.exe
        3⤵
        • Executes dropped EXE
        PID:1496
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Po11LA.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Po11LA.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Checks SCSI registry key(s)
        PID:3620
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 580
        3⤵
        • Program crash
        PID:2980
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1596 -ip 1596
    1⤵
      PID:5112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1628 -ip 1628
      1⤵
        PID:3956

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Po11LA.exe
        Filesize

        896KB

        MD5

        baf1a3e94d7d12840c5a6d73b19f67d7

        SHA1

        bb34b8050f615df0737568e36352e468a2d82797

        SHA256

        56388fbb6b144e740e550e5b04cc88e244b531a134e1c26454f13afb73942631

        SHA512

        bf82b616e8300ff479275cc94254bf950d1876c3314e38d12d5d5c4e29dd4966beeed5c6c30d2e71541282a81236edf71466650b678f19be99ab6a8108300362

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nm5dF04.exe
        Filesize

        330KB

        MD5

        877c0ff8a9890b87f9553a77abfb64cb

        SHA1

        e7c3a145b2582a912548ff6f3b8d55c366f95115

        SHA256

        ea378bc3b81b8afc92afd17b9edc20d2f606e945c4650ce3820a65e7c13ddff8

        SHA512

        9c81bf30f7afd0426b63802750df2f18e9e6d4bee4288f83ca148c28ad3e2514190957e95d667ff1df586b8f5e1f347e18f747443194869777f4ee5cda46fa85

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1au95XV5.exe
        Filesize

        232KB

        MD5

        3ff825411b1fe07e712a5dcae34f80eb

        SHA1

        e3e4358cabfa74d6e36e26754b01ed78434a6877

        SHA256

        69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739

        SHA512

        325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gg2687.exe
        Filesize

        180KB

        MD5

        3f305144feb3040cf41b216841537ec2

        SHA1

        ae9066cc3b40be6250e7e6a90bcc2de160067b84

        SHA256

        89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

        SHA512

        ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

        Download Submit

      • memory/3040-14-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3040-15-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3620-22-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download