Analysis

  • max time kernel
    148s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 10:18

General

  • Target

    fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe

  • Size

    644KB

  • MD5

    a119f408d6f9327beb89d3d0567775eb

  • SHA1

    0a2087df9196da35d1ab399859bb1b0686f334b3

  • SHA256

    fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5

  • SHA512

    f3dbf32f8aabb589f736cddca2ad9f209ad10d06eb51c2334bceb6a17b93f1d18412366d87cc81bc8bf33b0f2cab04651f8703d0b9fc1d5b0cd440d840a3079e

  • SSDEEP

    12288:NMrOy909b5rILTLw/aztAjCM603Ss6Uv5zu4mcxvflBxg+CUb:fy+b9oTc/QWjq0Vzvp9DC2

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe
    "C:\Users\Admin\AppData\Local\Temp\fbb293bc8b089d284989e99bec9363092a97e4084b29e5eeb9d9ac35568bb7e5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cs6Wy28.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cs6Wy28.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zm28dL2.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zm28dL2.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4796
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2076
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2kx9856.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2kx9856.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:1144
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3OV51GV.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3OV51GV.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:1400

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3OV51GV.exe

      Filesize

      31KB

      MD5

      49a23df96801ba7195116dbfa9fa07c0

      SHA1

      90c0849d1cc36b5dd8e764c96ab6e55b81fbfde8

      SHA256

      6b63d9413653b4952d0cfb06a7f3ffddaa4b002069b7fa038cbb2ea657d79373

      SHA512

      961b96fc76ddc1ad570934f61d704b2fbc15beb7b353abd1f6c305a951f24cce31bcedca91424f43c329e099ca20c3f7fd5ee6187969ffd019c8e028c44bd55a

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cs6Wy28.exe

      Filesize

      520KB

      MD5

      b7eda3b7b76865c14fb995ebfd9cb9b5

      SHA1

      299edc32713df4ce5678dd9859250c7afd6349fb

      SHA256

      68335a6e13fbf631f59a411d5e853e6c2c18ebf3577ab779c6443ee416ed10c6

      SHA512

      240ac0dc0833ed0fb04042ffbd79e481502d1ad29daa3df03c04e525a96a0302a194e2ebbc9e21e95280fc8f58fdcf9dd7fa59f46e7c91707bfd77bc2c3db09d

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Zm28dL2.exe

      Filesize

      869KB

      MD5

      a6f1b23ea809d906c8c1decbc1a295f2

      SHA1

      1c243e018eda26aa849db9a6e48484acc64510f9

      SHA256

      045cca3608c945a606676d863cdbbb1bbb017f80b81fa39f6641105f499e6679

      SHA512

      e2ac435f785bffe854f466c153ea7815df095cbed50b3d37fbc455aa539f378aa25b98398d32c39744702cdda3a0acef1d9216851223208e39d28389c4accd48

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2kx9856.exe

      Filesize

      1.0MB

      MD5

      68dd924448db0dbf3f939e49810fd695

      SHA1

      78d2d5b0d7ffa616b43beb2ae1c9407450dd96aa

      SHA256

      c7ec464acd5e71db4ec72c3c2df7cfacdabb5c8d2b8f96dcfb737d9b44e7ac46

      SHA512

      8db87017ccebd52f450aa2b6b90f64cd197821d2b20977ebb6cdadf866b7282920b256089fe495ee452f94ef9b9bd912eea7ecff4cfb47cf3785eff106ec0835

    • memory/1144-18-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/1144-21-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/1144-19-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/1400-25-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/1400-26-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/2076-14-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB