Overview

overview

10

Static

static

3

016b8fab11...90.exe

windows10-2004-x64

10

046f35763e...68.exe

windows10-2004-x64

10

14e25178ee...de.exe

windows10-2004-x64

10

58609bf38b...1d.exe

windows10-2004-x64

10

5e46be5a16...b4.exe

windows10-2004-x64

10

64220efa05...b0.exe

windows10-2004-x64

10

7252b3ba90...cd.exe

windows10-2004-x64

10

761baf17cd...b8.exe

windows10-2004-x64

10

79b34442d1...59.exe

windows10-2004-x64

10

7bca30b01b...44.exe

windows10-2004-x64

7

7f2d656f1a...24.exe

windows10-2004-x64

10

92903f5aac...33.exe

windows10-2004-x64

10

a6fd8428c6...ff.exe

windows10-2004-x64

10

a9a24c6b40...79.exe

windows10-2004-x64

10

c957c1f7d6...20.exe

windows10-2004-x64

10

d30a3fe09c...90.exe

windows10-2004-x64

10

d4c8c5a1d2...4e.exe

windows10-2004-x64

10

e2ca05276c...37.exe

windows10-2004-x64

10

e79c48869d...9a.exe

windows10-2004-x64

10

fff53a878c...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fff53a878cc4bf75cd2f5a6ea052244eda18185761d3173fcd0c10469adce0d6.exe

  • Size

    896KB

  • MD5

    acb96f2c56fdf3eb258c2edae74918b8

  • SHA1

    b4f63010294375e0655311a97aa2fbe840d04ae3

  • SHA256

    fff53a878cc4bf75cd2f5a6ea052244eda18185761d3173fcd0c10469adce0d6

  • SHA512

    2e147a07f4f1f043ed3bdcb3a066e2d6b3691bf4d395c23f16c93c3ed6bd2d783e4b9b6e8b67dca4677bba1eeccd8919f41912caafed8c4f9449c7ee7d742ab7

  • SSDEEP

    24576:zyyDiQj64i1K7jr+ihsg6rCm8dR9N4NuayU40/JOLuy:Gypj6h6j66+CHzWFyDS0Lu

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Extracted

Family

mystic

C2

http://5.42.92.211/

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fff53a878cc4bf75cd2f5a6ea052244eda18185761d3173fcd0c10469adce0d6.exe
    "C:\Users\Admin\AppData\Local\Temp\fff53a878cc4bf75cd2f5a6ea052244eda18185761d3173fcd0c10469adce0d6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eq7EB65.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eq7EB65.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4320
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mW05hR9.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mW05hR9.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3288
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1256
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 564
          4⤵
          • Program crash
          PID:4196
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2IL7615.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2IL7615.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4676
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 136
            4⤵
            • Program crash
            PID:1068
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3NI02mm.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3NI02mm.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4540
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
          • Checks SCSI registry key(s)
          PID:2376
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 568
          3⤵
          • Program crash
          PID:3840
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3288 -ip 3288
      1⤵
        PID:1020
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4472 -ip 4472
        1⤵
          PID:552
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4540 -ip 4540
          1⤵
            PID:1624

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3NI02mm.exe
            Filesize

            896KB

            MD5

            1b03d1a599fe2b528de2ab58cadf06ce

            SHA1

            39bba094894b5fc7d2b4dd7b5e9751d79080f1e4

            SHA256

            a0aef99670f72d858bf596dafc4807222e01941b8481e084870388a0412bdf46

            SHA512

            2644770935bb7e2c3228581c45774285584a7c594497b2a3568c86ae7225eafd01ef74f6a7b2c1862d52ec1d9ac1ff85512df1ba4c203e96b2857958bf33a665

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eq7EB65.exe
            Filesize

            534KB

            MD5

            9bb62ac4c4a11244ac2d48acc361a173

            SHA1

            cb21091838b45262bc60a3978fe9fbd10a287359

            SHA256

            50bd44f2f38a1486ec19c1450c215b29968172d80ac2a0c8a0ca89c8102c615b

            SHA512

            a8341626d729084d0db2649c0f818174168a908e76c62f1fc07a1bf6b444f7e95a027728e8bca38915551aa3b66cb1802702b00d5992f8ac609011533c2aadaa

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mW05hR9.exe
            Filesize

            232KB

            MD5

            3ff825411b1fe07e712a5dcae34f80eb

            SHA1

            e3e4358cabfa74d6e36e26754b01ed78434a6877

            SHA256

            69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739

            SHA512

            325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2IL7615.exe
            Filesize

            1.1MB

            MD5

            ab7bca2a84b52b77d01bcfb149e5b8dd

            SHA1

            27c5a572787ec979aca90d0b2b19c7b6cb35d122

            SHA256

            5bcd00727a0ee6755aeea34aa9e091894cdeb0c32714dfbe97d6b1fb1e1d0503

            SHA512

            453fdff06af99ccc261f692545341474453c1a2ee566c11cab646e9d869382145d59968dea7ba80812c2b4c8347bc220eef4153cb538088e165064630eb7ef6a

            Download Submit

          • memory/1256-14-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1256-15-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2376-26-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/4676-19-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/4676-22-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/4676-20-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download