Overview

overview

10

Static

static

3

016b8fab11...90.exe

windows10-2004-x64

10

046f35763e...68.exe

windows10-2004-x64

10

14e25178ee...de.exe

windows10-2004-x64

10

58609bf38b...1d.exe

windows10-2004-x64

10

5e46be5a16...b4.exe

windows10-2004-x64

10

64220efa05...b0.exe

windows10-2004-x64

10

7252b3ba90...cd.exe

windows10-2004-x64

10

761baf17cd...b8.exe

windows10-2004-x64

10

79b34442d1...59.exe

windows10-2004-x64

10

7bca30b01b...44.exe

windows10-2004-x64

7

7f2d656f1a...24.exe

windows10-2004-x64

10

92903f5aac...33.exe

windows10-2004-x64

10

a6fd8428c6...ff.exe

windows10-2004-x64

10

a9a24c6b40...79.exe

windows10-2004-x64

10

c957c1f7d6...20.exe

windows10-2004-x64

10

d30a3fe09c...90.exe

windows10-2004-x64

10

d4c8c5a1d2...4e.exe

windows10-2004-x64

10

e2ca05276c...37.exe

windows10-2004-x64

10

e79c48869d...9a.exe

windows10-2004-x64

10

fff53a878c...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    761baf17cd7e790b03075c76f9e902cd11700ce8b920d2741b04a70371069ab8.exe

  • Size

    640KB

  • MD5

    54c00829bacd1fac5f4b3dd3ccddab88

  • SHA1

    f240b2d3e965a8519ff74ceb16a32c54c94f52f2

  • SHA256

    761baf17cd7e790b03075c76f9e902cd11700ce8b920d2741b04a70371069ab8

  • SHA512

    8ba3f790616051fbad5142c887b050ae7589bf97b51b8c8ec1faba98689b6ee48b2ac543652cdfac240ce3c1af2f6a3c2f544309a903257000bcce614c2e2cdd

  • SSDEEP

    12288:kMrMy90wSaqrzDRHYtbtxNKS7vr+BFVP5NjOFPUMhqOMDQ:Iyzor3RMbtmSn+JP5NCFP9tMDQ

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\761baf17cd7e790b03075c76f9e902cd11700ce8b920d2741b04a70371069ab8.exe
    "C:\Users\Admin\AppData\Local\Temp\761baf17cd7e790b03075c76f9e902cd11700ce8b920d2741b04a70371069ab8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tq8bq28.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tq8bq28.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ij00nl7.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ij00nl7.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3472
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5088
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hg2480.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hg2480.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4596
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3084
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3RW86Mn.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3RW86Mn.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:4208

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3RW86Mn.exe
      Filesize

      31KB

      MD5

      ce3ea54aa29976f92dbb026924e6580c

      SHA1

      6cf2bf75090b1c9276cd11cd1ff429e26cbcb84b

      SHA256

      f7641d7a71c1ad7d965531c9b975046d8c146209189887ef24c5bf42467a27b7

      SHA512

      17df9b428f974c5fec4643e22584684f20d133661e7c1c0dde8fe2391ef34964141298457d2fb042dd0e9883af460688d5f9f1d83659ef5f1574366a94b37eb9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tq8bq28.exe
      Filesize

      515KB

      MD5

      f24d725b3fbbff06b37c7edc7f22ba1c

      SHA1

      ce77269d92ec548c0340e1027dbcbba923143879

      SHA256

      e15c944f15c57f02ccaeea55591311bb37af2f22dac067e1c4e8a3e9de98e914

      SHA512

      233e3d51652d4895415e8de42528ad50f0584b9fe2a9f1b87191a1f92d17d7cfde346bb5405b19a7c2b18fb29ad2e8d49f00b31d43fc423e043403c5f5296df9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ij00nl7.exe
      Filesize

      869KB

      MD5

      ed431060c97b12b5b24d40df072cc520

      SHA1

      058afa4b30d9aa1cc634b740a42575fe7d516f05

      SHA256

      832f1fd68693d595ac4a815eb17253a8652a30ef35cabaad6542be8ff24ef9fc

      SHA512

      c15981976106ef1a97cc8ac9f179e944c8da6736bc08e1154e42aeaa1f1539d17345352db2a322469f3497e4a47c35b77291a0d2bf64a80771800bc295c9b187

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hg2480.exe
      Filesize

      1.0MB

      MD5

      ade60db339f9a15d8e6690883e78a0f5

      SHA1

      f56ece723454dc52282f0c2d5e5a7698d64ade6f

      SHA256

      13779f99e39a684bcd1ed479b17daddae7ccde369a879d9319c02c4d4faae469

      SHA512

      7566ebe6340cda81ea5e3388660bac198c1f377f164adc6a8816ca6a929b5aa83961342e9287e9d95f6ca42b2f9e2a57a87ed7f207a311953d589cba9a86c97a

      Download Submit

    • memory/3084-18-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3084-21-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3084-19-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4208-24-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4208-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/5088-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download