Analysis

  • max time kernel
    91s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64  arch:x86  image:win10v2004-20240508-en  locale:en-us  os:windows10-2004-x64  system
  • submitted
    24-05-2024 10:18

General

  • Target

    5f5fe0dfe7abbcda9826593f0816a3b72630e87a3d058a3382b48820dfc0f3ca.exe

  • Size

    334KB

  • MD5

    028bb2836faeb4ed911711bbae9ad27d

  • SHA1

    bd16951419c1a78c8e23f0e1666249ca3e50c409

  • SHA256

    5f5fe0dfe7abbcda9826593f0816a3b72630e87a3d058a3382b48820dfc0f3ca

  • SHA512

    7bf790bc6aaa9663817770a418bc96c7738d4efd2433dcff9c616cb0c37bf42d7db10b4019b510ed2d069cb38374cb2faa2a0bd0b2f3adf5e82b0da1f2adf170

  • SSDEEP

    6144:Kby+bnr+4p0yN90QEpQ4eSEo9i3CbxJTUHMh8WZP0g+4+WHSWp3WdnYK:NMr0y90bFeSD9i3YJTUs2Wug+4+wS9j

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of WriteProcessMemory 16 IoCs
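The "Checks SCSI registry key(s)" signature above refers to a generic anti-sandbox check: reading the disk Identifier strings under HKLM\HARDWARE\DEVICEMAP\Scsi and looking for hypervisor vendor names. The Python below is an added example of that check, not code from the sample or from the sandbox report; the marker list is this example's own selection of well-known strings, and the two registry snapshots are constructed so that the walk also runs on a non-Windows host (on Windows it reads the live registry through winreg).

```python
"""
SCSI device-map check used for sandbox detection.

Added illustration, not code from the sample or the sandbox report. It
performs the generic check the "Checks SCSI registry key(s)" signature
refers to: walk HKLM\HARDWARE\DEVICEMAP\Scsi and inspect every disk
"Identifier" value for hypervisor vendor markers. VM_MARKERS is this
example's own choice of well-known strings; the two snapshots below are
constructed test data, not captured from a real machine.
"""
import sys
from typing import Dict, Iterator, Tuple

SCSI_ROOT = r"HARDWARE\DEVICEMAP\Scsi"

# Substrings that virtual disks commonly expose in their Identifier value.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual hd", "xen", "msft virtual")

# Constructed snapshots: nested dicts, subkey name -> dict, value name -> data.
SANDBOX_SNAPSHOT = {
    "Scsi Port 0": {"Scsi Bus 0": {"Target Id 0": {"Logical Unit Id 0": {
        "Identifier": "VBOX HARDDISK", "Type": "DiskPeripheral"}}}},
}
BAREMETAL_SNAPSHOT = {
    "Scsi Port 0": {"Scsi Bus 0": {"Target Id 0": {"Logical Unit Id 0": {
        "Identifier": "Samsung SSD 970 EVO Plus 1TB", "Type": "DiskPeripheral"}}}},
    "Scsi Port 1": {"Scsi Bus 0": {}},
}


def walk_snapshot(node: Dict, path: str = SCSI_ROOT) -> Iterator[Tuple[str, str]]:
    """Yield (key path, Identifier) pairs from a nested-dict snapshot."""
    for name, child in node.items():
        if name == "Identifier" and isinstance(child, str):
            yield path, child
        elif isinstance(child, dict):
            yield from walk_snapshot(child, path + "\\" + name)


def walk_winreg(path: str = SCSI_ROOT) -> Iterator[Tuple[str, str]]:
    """The same walk against the live registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        try:
            data, kind = winreg.QueryValueEx(key, "Identifier")
            if kind == winreg.REG_SZ:
                yield path, data
        except FileNotFoundError:      # this key carries no Identifier value
            pass
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(key, index)
            except OSError:            # no more subkeys
                break
            index += 1
            yield from walk_winreg(path + "\\" + sub)


def vm_markers_in(identifiers: Iterator[Tuple[str, str]]) -> Dict[str, str]:
    """Return {key path: Identifier} for every identifier carrying a VM marker."""
    hits: Dict[str, str] = {}
    for path, ident in identifiers:
        lowered = ident.lower()
        if any(marker in lowered for marker in VM_MARKERS):
            hits[path] = ident
    return hits


def sandbox_suspected(identifiers: Iterator[Tuple[str, str]]) -> bool:
    """Decision the malware makes: any VM marker means 'probably a sandbox'."""
    return bool(vm_markers_in(identifiers))


if __name__ == "__main__":
    source = walk_winreg() if sys.platform == "win32" else walk_snapshot(SANDBOX_SNAPSHOT)
    hits = vm_markers_in(source)
    print("sandbox suspected" if hits else "no VM markers", hits)
```

The defensive counterpart is the reason the BAREMETAL_SNAPSHOT exists: an analysis VM whose Identifier values have been rewritten to look like a physical disk passes this check, so when a sample exits early in one sandbox and runs in another, this key is one of the first things to compare.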

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f5fe0dfe7abbcda9826593f0816a3b72630e87a3d058a3382b48820dfc0f3ca.exe
    "C:\Users\Admin\AppData\Local\Temp\5f5fe0dfe7abbcda9826593f0816a3b72630e87a3d058a3382b48820dfc0f3ca.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1qF29QN9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1qF29QN9.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:3228
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 548
            4⤵
            • Program crash
            PID:2864
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Sj9142.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Sj9142.exe
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:4416
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3228 -ip 3228
    1⤵
    PID:1756
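As an added example that is not part of the report (the sandbox's own detection logic is not shown here), the Python below turns the process tree above into detection logic over process-creation events. The events are constructed by hand from the PIDs, images and command lines listed above; the record layout (pid, ppid, image, cmdline) and the rule names are this example's assumptions standing in for an EDR or Sysmon Event ID 1 feed. It flags three things a responder would pivot on: executables running from an IXPnnn.TMP directory (the extraction folder naming used by IExpress/wextract self-extracting packages), a .NET AppLaunch.exe started with no arguments by a parent outside C:\Windows (the SetThreadContext and WriteProcessMemory flags on PID 2624, together with the 0x400000-0x433000 dumps for its child PID 3228, are consistent with that child being used as an injection target), and WerFault reports naming that PID.

```python
"""
Detection logic over process-creation events shaped like the tree above.

Added illustration; not code from the report or the sandbox vendor. The
events are constructed from the Processes section (PIDs, images, command
lines); the record layout (pid, ppid, image, cmdline) is an assumption
standing in for an EDR or Sysmon Event ID 1 feed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Event = Dict[str, object]

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "5f5fe0dfe7abbcda9826593f0816a3b72630e87a3d058a3382b48820dfc0f3ca.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the report's process tree (the root's parent is not listed).
EVENTS: List[Event] = [
    {"pid": 3628, "ppid": None, "image": TMP + "\\" + SAMPLE,
     "cmdline": '"' + TMP + "\\" + SAMPLE + '"'},
    {"pid": 2624, "ppid": 3628, "image": TMP + r"\IXP000.TMP\1qF29QN9.exe",
     "cmdline": TMP + r"\IXP000.TMP\1qF29QN9.exe"},
    {"pid": 3228, "ppid": 2624, "image": APPLAUNCH, "cmdline": '"' + APPLAUNCH + '"'},
    {"pid": 2864, "ppid": 3228, "image": WERFAULT,
     "cmdline": WERFAULT + " -u -p 3228 -s 548"},
    {"pid": 4416, "ppid": 3628, "image": TMP + r"\IXP000.TMP\2Sj9142.exe",
     "cmdline": TMP + r"\IXP000.TMP\2Sj9142.exe"},
    {"pid": 1756, "ppid": None, "image": WERFAULT,
     "cmdline": WERFAULT + " -pss -s 416 -p 3228 -ip 3228"},
]

# IExpress/wextract self-extractors unpack into %TEMP%\IXPnnn.TMP.
IEXPRESS_TMP = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
# "-p <pid>" as a standalone switch; the "-pss" switch must not match.
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def has_no_arguments(cmdline: str) -> bool:
    """True when the command line is only the (optionally quoted) program path."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m is not None and m.group(1) == ""


def runs_from_iexpress_temp(ev: Event) -> bool:
    return IEXPRESS_TMP.search(str(ev["image"])) is not None


def applaunch_hollow_candidate(ev: Event, by_pid: Dict[int, Event]) -> bool:
    """AppLaunch.exe started with no arguments by a parent outside C:\\Windows."""
    if not str(ev["image"]).lower().endswith("\\applaunch.exe"):
        return False
    parent = by_pid.get(ev["ppid"])
    if parent is None:
        return False
    parent_is_windows = str(parent["image"]).lower().startswith("c:\\windows\\")
    return has_no_arguments(str(ev["cmdline"])) and not parent_is_windows


def werfault_target(ev: Event) -> Optional[int]:
    """PID named by a WerFault.exe -p switch, or None if this is not WerFault."""
    if not str(ev["image"]).lower().endswith("\\werfault.exe"):
        return None
    m = WERFAULT_PID.search(str(ev["cmdline"]))
    return int(m.group(1)) if m else None


def analyze(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) findings in evaluation order."""
    by_pid = {int(e["pid"]): e for e in events}
    findings: List[Tuple[str, int]] = []
    hollow_targets: Set[int] = set()
    for ev in events:
        pid = int(ev["pid"])
        if runs_from_iexpress_temp(ev):
            findings.append(("exe_running_from_IXPnnn_TMP", pid))
        if applaunch_hollow_candidate(ev, by_pid):
            findings.append(("applaunch_no_args_non_windows_parent", pid))
            hollow_targets.add(pid)
    # Second pass: a crash report for a suspected injection target corroborates it.
    for ev in events:
        if werfault_target(ev) in hollow_targets:
            findings.append(("werfault_for_suspected_hollowed_pid", int(ev["pid"])))
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:40} pid={pid}")
```

The second pass matters in practice: both WerFault instances name PID 3228, once as a direct child (-u -p 3228) and once from the -pss reporting path, so the crash corroborates that the AppLaunch.exe process was tampered with rather than being a false positive on a legitimate .NET launch.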

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1qF29QN9.exe

    Filesize

    300KB

    MD5

    784667bb96ccb30c4cf44f2c5f493769

    SHA1

    28185165ab4dbbb4a139ae1af0bb6934ebe05c04

    SHA256

    1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9

    SHA512

    62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Sj9142.exe

    Filesize

    37KB

    MD5

    b938034561ab089d7047093d46deea8f

    SHA1

    d778c32cc46be09b107fa47cf3505ba5b748853d

    SHA256

    260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

    SHA512

    4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

  • memory/3228-7-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/3228-11-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/3228-8-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/3228-9-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/4416-15-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4416-16-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB