Overview

overview

10

Static

static

3

0697314d1d...a5.exe

windows10-2004-x64

10

0f998493b8...79.exe

windows10-2004-x64

10

21e1937094...38.exe

windows10-2004-x64

10

2800d64eb3...31.exe

windows10-2004-x64

10

3d64fae31a...d7.exe

windows10-2004-x64

10

652a4e2d36...35.exe

windows10-2004-x64

10

6b4d258a8d...1a.exe

windows10-2004-x64

10

74c99e0dfd...42.exe

windows10-2004-x64

10

7e6bab9491...d0.exe

windows10-2004-x64

80af2b3540...7e.exe

windows10-2004-x64

10

a96b277202...ca.exe

windows10-2004-x64

10

c1237a6a46...5b.exe

windows10-2004-x64

7

d7fde0f5ef...97.exe

windows10-2004-x64

10

dc220ed080...4e.exe

windows10-2004-x64

10

e5e7bb0a7c...4a.exe

windows10-2004-x64

10

e91c8d8104...e0.exe

windows10-2004-x64

10

f3b6442113...3b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe

  • Size

    508KB

  • MD5

    08f93718f532a5b6806992822abd5319

  • SHA1

    bf256764f2a7e66ce6043af9a36558d8ebfae3c2

  • SHA256

    0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179

  • SHA512

    01731396c4eddfca44f4421e74fff0c6a9551f87fcf4f6799e5a001ec1872cb398ffd66aaadc09bb92cedc47cb9e193b635f36d82a067d70a448764c47650801

  • SSDEEP

    12288:tMr7y90cskbQBr9Sm/zFAUl4RI27Senp1/oGjhvC:SytQBHzFFs3/oGtC

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe
    "C:\Users\Admin\AppData\Local\Temp\0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3620
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1760
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 552
          4⤵
          • Program crash
          PID:5060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:456
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3180
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 156
            4⤵
            • Program crash
            PID:2224
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
          • Checks SCSI registry key(s)
          PID:4724
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 152
          3⤵
          • Program crash
          PID:3492
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2736 -ip 2736
      1⤵
        PID:5096
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 456 -ip 456
        1⤵
          PID:2436
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1636 -ip 1636
          1⤵
            PID:1464

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exe
            Filesize

            145KB

            MD5

            9bb0eb72d32ec101bc3815421314f021

            SHA1

            1d841de7459312d07946eb0dae13a4c87bc0ca3c

            SHA256

            3d5d022325d8cab27839dfecc7bb90cf6b6aa9e98c09f6092f85ed6e048d190d

            SHA512

            9d1d41309bc29ee325e47a7e533ac89c0b3244c4a45f1fc56d600d374f7aad6e95f34602e17178f05e7e4d4593a377f0b318b4a35ff33a6cdd529f72ef0bd3db

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exe
            Filesize

            324KB

            MD5

            01ef9ff7ae7d9bf431b69d3071431266

            SHA1

            5177778dced679e5f8b51b7f2db415d941a50afd

            SHA256

            c3fb710c4c8b6204f6f6950a15743f9d94ceda63399f4b6bcbe1dbfb65058f01

            SHA512

            40915b996fb75c48c4c62876cb2815280f626afce175b740043e6248dcad5dfae2fbd8fdf615fe69e4f4191140a8480deeec8bc0b47288c64d0473c0f4191a86

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exe
            Filesize

            129KB

            MD5

            4ed940ea493451635145489ffbdec386

            SHA1

            4b5d0ba229b8ac04f753864c1170da0070673e35

            SHA256

            b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

            SHA512

            8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exe
            Filesize

            295KB

            MD5

            74f239f9f94d46453dc31466f26f7640

            SHA1

            23da44b3dd957bfd5cb307c52186a2d3d75b0bc8

            SHA256

            81dbdaaefa4798995ed214aaaccd2175a91cc438d51b53da625d5d330eb0b304

            SHA512

            9fbeaadfe94ef04915e109e07ca0a0d698542073f7f3800c75b30d248a6206ed2b70d6a5a83c25bb349877304d7d5dc4426e6f2e66b1bd9585dd09ff04a6fb20

            Download Submit

          • memory/1760-14-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1760-15-0x000000007450E000-0x000000007450F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3180-19-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

            Download

          • memory/3180-20-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

            Download

          • memory/3180-22-0x0000000000400000-0x0000000000432000-memory.dmp

            Filesize

            200KB

            Download

          • memory/4724-26-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download