Analysis
-
max time kernel
133s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 09:04
General
-
Target
0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe
-
Size
508KB
-
MD5
08f93718f532a5b6806992822abd5319
-
SHA1
bf256764f2a7e66ce6043af9a36558d8ebfae3c2
-
SHA256
0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179
-
SHA512
01731396c4eddfca44f4421e74fff0c6a9551f87fcf4f6799e5a001ec1872cb398ffd66aaadc09bb92cedc47cb9e193b635f36d82a067d70a448764c47650801
-
SSDEEP
12288:tMr7y90cskbQBr9Sm/zFAUl4RI27Senp1/oGjhvC:SytQBHzFFs3/oGtC
Malware Config
Signatures
-
Detect Mystic stealer payload 3 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe"C:\Users\Admin\AppData\Local\Temp\0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 5524⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1564⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2736 -ip 27361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 456 -ip 4561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1636 -ip 16361⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exeFilesize
145KB
MD59bb0eb72d32ec101bc3815421314f021
SHA11d841de7459312d07946eb0dae13a4c87bc0ca3c
SHA2563d5d022325d8cab27839dfecc7bb90cf6b6aa9e98c09f6092f85ed6e048d190d
SHA5129d1d41309bc29ee325e47a7e533ac89c0b3244c4a45f1fc56d600d374f7aad6e95f34602e17178f05e7e4d4593a377f0b318b4a35ff33a6cdd529f72ef0bd3db
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exeFilesize
324KB
MD501ef9ff7ae7d9bf431b69d3071431266
SHA15177778dced679e5f8b51b7f2db415d941a50afd
SHA256c3fb710c4c8b6204f6f6950a15743f9d94ceda63399f4b6bcbe1dbfb65058f01
SHA51240915b996fb75c48c4c62876cb2815280f626afce175b740043e6248dcad5dfae2fbd8fdf615fe69e4f4191140a8480deeec8bc0b47288c64d0473c0f4191a86
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exeFilesize
129KB
MD54ed940ea493451635145489ffbdec386
SHA14b5d0ba229b8ac04f753864c1170da0070673e35
SHA256b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa
SHA5128feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exeFilesize
295KB
MD574f239f9f94d46453dc31466f26f7640
SHA123da44b3dd957bfd5cb307c52186a2d3d75b0bc8
SHA25681dbdaaefa4798995ed214aaaccd2175a91cc438d51b53da625d5d330eb0b304
SHA5129fbeaadfe94ef04915e109e07ca0a0d698542073f7f3800c75b30d248a6206ed2b70d6a5a83c25bb349877304d7d5dc4426e6f2e66b1bd9585dd09ff04a6fb20
-
memory/1760-14-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/1760-15-0x000000007450E000-0x000000007450F000-memory.dmpFilesize
4KB
-
memory/3180-19-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3180-20-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3180-22-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4724-26-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB