Overview

overview

10

Static

static

3

04079e5802...9d.exe

windows10-2004-x64

10

1c1f4eb981...3b.exe

windows10-2004-x64

10

2598a43559...cf.exe

windows10-2004-x64

10

3aa30d5528...5d.exe

windows10-2004-x64

10

46e0ffa2e7...59.exe

windows10-2004-x64

10

4cc86e1dc4...05.exe

windows10-2004-x64

10

61799398ea...0c.exe

windows10-2004-x64

10

6bfb353493...b4.exe

windows10-2004-x64

10

70f5b2bcd0...c3.exe

windows7-x64

10

70f5b2bcd0...c3.exe

windows10-2004-x64

10

7363065308...5d.exe

windows10-2004-x64

10

864fc02972...03.exe

windows10-2004-x64

10

979a085483...e6.exe

windows10-2004-x64

10

9bbc6ca861...5b.exe

windows10-2004-x64

10

a22013e24e...09.exe

windows10-2004-x64

10

c31e600a38...cd.exe

windows10-2004-x64

10

e2e852038c...e5.exe

windows10-2004-x64

10

ec4e6a678a...72.exe

windows10-2004-x64

10

f46c47981f...85.exe

windows10-2004-x64

10

f603ceb39f...6e.exe

windows10-2004-x64

10

fbe6d8ed22...1a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 08:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    864fc029724f0d9d2cbfc5469cf806bb3431fdde2ed473a19fbb890b3282bf03.exe

  • Size

    605KB

  • MD5

    5232c11ee090fe4a8fbde69d1f452ba2

  • SHA1

    ad508a34f36f8f0d1bcd7b06fc3e79a829a1f374

  • SHA256

    864fc029724f0d9d2cbfc5469cf806bb3431fdde2ed473a19fbb890b3282bf03

  • SHA512

    76c8261dc7a2dc3c849c2b0e4f36751604a969b2ed29029552014d664e7342b11472421330e3181126c87ba0e5cd4f14597a1fe37c0a28da54a21433f9b95270

  • SSDEEP

    12288:LMr1y90+pMc0JJGdc9wvughyZh/rgUSt9F5vhz0Gz:ayOcU5zguFUvhwGz

Score
10/10
mysticsmokeloaderbackdoorpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\864fc029724f0d9d2cbfc5469cf806bb3431fdde2ed473a19fbb890b3282bf03.exe
    "C:\Users\Admin\AppData\Local\Temp\864fc029724f0d9d2cbfc5469cf806bb3431fdde2ed473a19fbb890b3282bf03.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cm1qj45.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cm1qj45.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Yx67SE5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Yx67SE5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3316
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2XJ2373.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2XJ2373.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3936
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4588
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 140
            4⤵
            • Program crash
            PID:3404
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3gH49Ye.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3gH49Ye.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
          • Checks SCSI registry key(s)
          PID:2492
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 152
          3⤵
          • Program crash
          PID:756
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3936 -ip 3936
      1⤵
        PID:5000
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1600 -ip 1600
        1⤵
          PID:1160

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3gH49Ye.exe
          Filesize

          145KB

          MD5

          48bce5a94c23f5fb41fef672a154f3c3

          SHA1

          592795aa9424bce8456ed6bf5145b4ee4030dea2

          SHA256

          008ff96edda147b9f601f058ebbb51e36f7a191a186ad46a1d93b509670131be

          SHA512

          8642ecd8722d39a9ccf860add0a3acf44790e253798b912c6be854a56a690d7522019873fb3824e96454a392ce60e41db12e81e45be96bad7ec1adc5a7b4348d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cm1qj45.exe
          Filesize

          421KB

          MD5

          87ee40d6c92bb156b8f33955a66bcb42

          SHA1

          38faa38fc6ac25f2bc3b6e6263cb38065dac7133

          SHA256

          a213bb820e3b04aa0f9ed2d69ac5eef80ff185eb6883c7299d05ec8c635b44d6

          SHA512

          bafe32eebdf7116c4f0ad625f58b82b4fdcfdce274b19c46e8c3312422b2da3022b848e5117a325e1fbe75bb0d6ae70a27fec8df530d50ff26ce85ec927aca7f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Yx67SE5.exe
          Filesize

          188KB

          MD5

          425e2a994509280a8c1e2812dfaad929

          SHA1

          4d5eff2fb3835b761e2516a873b537cbaacea1fe

          SHA256

          6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

          SHA512

          080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2XJ2373.exe
          Filesize

          295KB

          MD5

          8e224abf2b75c656df5de9d7ad26a28f

          SHA1

          6966b62dc46debf777adacef5068e3fbaa531265

          SHA256

          f00cbde5381a2a373ebabf761c6e7dc1a1724e56d97f381c5824da0d800bf42c

          SHA512

          2c2ec21ac0608d46613cb0f432f79eb58270dddfdba7709a2c5a1c65ff182698f5ec084a6d76cfdf168c0e376c96ba3b30b7647e16ed88a83247f57575a8a23e

          Download Submit

        • memory/2492-34-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3316-20-0x00000000742E0000-0x0000000074A90000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3316-18-0x00000000742E0000-0x0000000074A90000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3316-19-0x00000000050A0000-0x0000000005132000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3316-17-0x0000000004990000-0x00000000049AE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3316-21-0x00000000742E0000-0x0000000074A90000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3316-23-0x00000000742E0000-0x0000000074A90000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3316-16-0x00000000049F0000-0x0000000004F94000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3316-15-0x0000000002330000-0x0000000002350000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3316-14-0x00000000742EE000-0x00000000742EF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4588-27-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4588-30-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4588-28-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download