Analysis
-
max time kernel
135s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 07:44
General
-
Target
fff53a878cc4bf75cd2f5a6ea052244eda18185761d3173fcd0c10469adce0d6.exe
-
Size
896KB
-
MD5
acb96f2c56fdf3eb258c2edae74918b8
-
SHA1
b4f63010294375e0655311a97aa2fbe840d04ae3
-
SHA256
fff53a878cc4bf75cd2f5a6ea052244eda18185761d3173fcd0c10469adce0d6
-
SHA512
2e147a07f4f1f043ed3bdcb3a066e2d6b3691bf4d395c23f16c93c3ed6bd2d783e4b9b6e8b67dca4677bba1eeccd8919f41912caafed8c4f9449c7ee7d742ab7
-
SSDEEP
24576:zyyDiQj64i1K7jr+ihsg6rCm8dR9N4NuayU40/JOLuy:Gypj6h6j66+CHzWFyDS0Lu
Malware Config
Extracted
mystic
http://5.42.92.211/
Signatures
-
Detect Mystic stealer payload 3 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fff53a878cc4bf75cd2f5a6ea052244eda18185761d3173fcd0c10469adce0d6.exe"C:\Users\Admin\AppData\Local\Temp\fff53a878cc4bf75cd2f5a6ea052244eda18185761d3173fcd0c10469adce0d6.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eq7EB65.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eq7EB65.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mW05hR9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mW05hR9.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 5644⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2IL7615.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2IL7615.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1364⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3NI02mm.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3NI02mm.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 5683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3288 -ip 32881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4472 -ip 44721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4540 -ip 45401⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3NI02mm.exeFilesize
896KB
MD51b03d1a599fe2b528de2ab58cadf06ce
SHA139bba094894b5fc7d2b4dd7b5e9751d79080f1e4
SHA256a0aef99670f72d858bf596dafc4807222e01941b8481e084870388a0412bdf46
SHA5122644770935bb7e2c3228581c45774285584a7c594497b2a3568c86ae7225eafd01ef74f6a7b2c1862d52ec1d9ac1ff85512df1ba4c203e96b2857958bf33a665
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eq7EB65.exeFilesize
534KB
MD59bb62ac4c4a11244ac2d48acc361a173
SHA1cb21091838b45262bc60a3978fe9fbd10a287359
SHA25650bd44f2f38a1486ec19c1450c215b29968172d80ac2a0c8a0ca89c8102c615b
SHA512a8341626d729084d0db2649c0f818174168a908e76c62f1fc07a1bf6b444f7e95a027728e8bca38915551aa3b66cb1802702b00d5992f8ac609011533c2aadaa
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mW05hR9.exeFilesize
232KB
MD53ff825411b1fe07e712a5dcae34f80eb
SHA1e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA25669bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2IL7615.exeFilesize
1.1MB
MD5ab7bca2a84b52b77d01bcfb149e5b8dd
SHA127c5a572787ec979aca90d0b2b19c7b6cb35d122
SHA2565bcd00727a0ee6755aeea34aa9e091894cdeb0c32714dfbe97d6b1fb1e1d0503
SHA512453fdff06af99ccc261f692545341474453c1a2ee566c11cab646e9d869382145d59968dea7ba80812c2b4c8347bc220eef4153cb538088e165064630eb7ef6a
-
memory/1256-14-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/1256-15-0x0000000074ADE000-0x0000000074ADF000-memory.dmpFilesize
4KB
-
memory/2376-26-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4676-19-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/4676-22-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/4676-20-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB