Overview
overview
10Static
static
304a0e65087...2d.exe
windows10-2004-x64
100b23052e1d...05.exe
windows10-2004-x64
101319d83702...15.exe
windows10-2004-x64
1015bb5ac797...dd.exe
windows10-2004-x64
1019eb5c3dd8...ec.exe
windows10-2004-x64
102864919e9f...b7.exe
windows10-2004-x64
102f05412e59...2c.exe
windows10-2004-x64
103fd9e44b8d...84.exe
windows10-2004-x64
104920924329...b6.exe
windows10-2004-x64
106d6ab7a20c...33.exe
windows10-2004-x64
106e839edc16...b0.exe
windows10-2004-x64
106ff00efb56...f0.exe
windows10-2004-x64
107018985aa0...8e.exe
windows10-2004-x64
107b28b5b2ff...4e.exe
windows10-2004-x64
1093bee57b71...41.exe
windows10-2004-x64
10a22d19b8f1...9a.exe
windows10-2004-x64
10af3432152c...8d.exe
windows10-2004-x64
10bf27d39d4b...d1.exe
windows10-2004-x64
10db87d25edb...b5.exe
windows10-2004-x64
10f935568ec0...6c.exe
windows10-2004-x64
10Analysis
-
max time kernel
134s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 10:41
Static task
static1
Behavioral task
behavioral1
Sample
04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
0b23052e1def21c0e818780565a7776ae96e61597a9cf4ab1fc690daa4a85105.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1319d8370208b00e5260cfc0b8f145575c62bd43ab6f76605a992afeb6737f15.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
2864919e9fd253aa62ab37d5b02410fa89dd3ead4618da0b908d3b41e73167b7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
4920924329af964d29e90b0bd3763c20450919411ad6b6ddabfd88061a7555b6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe
Resource
win10v2004-20240226-en
General
-
Target
a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe
-
Size
723KB
-
MD5
ca70b6b7eab6a054d392dc5d98839264
-
SHA1
72cfe825b3d930b137a3314a707c6e8d2573356a
-
SHA256
a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a
-
SHA512
0f348870c18cbc54871ee745b21c2a6eb6a2722f36e9abdf067796042278df46017458171c7408158f832606468c91d10ac9f9250bb67e9481be04e2e638492c
-
SSDEEP
12288:+Mrfy903SKxjPt13ERBqTs5U+ezRjWCQhFqg80rOjn1Phd:By9oj/24RghFXPOjn1j
Malware Config
Signatures
-
Detect Mystic stealer payload 3 IoCs
resource yara_rule behavioral16/memory/3656-54-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral16/memory/3656-55-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral16/memory/3656-57-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 1cf20nR0.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 1cf20nR0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 1cf20nR0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 1cf20nR0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 1cf20nR0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 1cf20nR0.exe -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 4 IoCs
pid Process 3484 fP4on48.exe 4512 1cf20nR0.exe 4456 2NU4677.exe 216 3ix45uw.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 1cf20nR0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 1cf20nR0.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" fP4on48.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4456 set thread context of 3656 4456 2NU4677.exe 96 PID 216 set thread context of 4196 216 3ix45uw.exe 101 -
Program crash 2 IoCs
pid pid_target Process procid_target 1432 4456 WerFault.exe 95 3120 216 WerFault.exe 100 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4512 1cf20nR0.exe 4512 1cf20nR0.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4512 1cf20nR0.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 4768 wrote to memory of 3484 4768 a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe 83 PID 4768 wrote to memory of 3484 4768 a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe 83 PID 4768 wrote to memory of 3484 4768 a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe 83 PID 3484 wrote to memory of 4512 3484 fP4on48.exe 84 PID 3484 wrote to memory of 4512 3484 fP4on48.exe 84 PID 3484 wrote to memory of 4512 3484 fP4on48.exe 84 PID 3484 wrote to memory of 4456 3484 fP4on48.exe 95 PID 3484 wrote to memory of 4456 3484 fP4on48.exe 95 PID 3484 wrote to memory of 4456 3484 fP4on48.exe 95 PID 4456 wrote to memory of 3656 4456 2NU4677.exe 96 PID 4456 wrote to memory of 3656 4456 2NU4677.exe 96 PID 4456 wrote to memory of 3656 4456 2NU4677.exe 96 PID 4456 wrote to memory of 3656 4456 2NU4677.exe 96 PID 4456 wrote to memory of 3656 4456 2NU4677.exe 96 PID 4456 wrote to memory of 3656 4456 2NU4677.exe 96 PID 4456 wrote to memory of 3656 4456 2NU4677.exe 96 PID 4456 wrote to memory of 3656 4456 2NU4677.exe 96 PID 4456 wrote to memory of 3656 4456 2NU4677.exe 96 PID 4456 wrote to memory of 3656 4456 2NU4677.exe 96 PID 4768 wrote to memory of 216 4768 a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe 100 PID 4768 wrote to memory of 216 4768 a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe 100 PID 4768 wrote to memory of 216 4768 a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe 100 PID 216 wrote to memory of 4196 216 3ix45uw.exe 101 PID 216 wrote to memory of 4196 216 3ix45uw.exe 101 PID 216 wrote to memory of 4196 216 3ix45uw.exe 101 PID 216 wrote to memory of 4196 216 3ix45uw.exe 101 PID 216 wrote to memory of 4196 216 3ix45uw.exe 101 PID 216 wrote to memory of 4196 216 3ix45uw.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe"C:\Users\Admin\AppData\Local\Temp\a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fP4on48.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fP4on48.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cf20nR0.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cf20nR0.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NU4677.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NU4677.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:3656
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 5724⤵
- Program crash
PID:1432
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3ix45uw.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3ix45uw.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Checks SCSI registry key(s)
PID:4196
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 6003⤵
- Program crash
PID:3120
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4456 -ip 44561⤵PID:3196
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 216 -ip 2161⤵PID:4852
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
270KB
MD5c1c8e9af560235565445f1b0a6239aa6
SHA161e061dee015768176b04cfce9133350c22c23f6
SHA2566aedf78736ac572c8ee9d81b607c326878658767da95ef927febbd9b074ac65f
SHA51229e574c18baed07380008f1285b99a7fc6fac7b241eea07aa4ef4f940a6b1d8e192dd188ff62e37ea7cea81fa4ea6e52dad9c8f0806238192fff1271eddec390
-
Filesize
478KB
MD512c678a0b844e06adfb25c66e1d14f94
SHA16051584ef77c11d81199c118cb5fe19bb9140795
SHA256ba3ea81a0c35357c3f09fa7a9fbe09de17e326b2842b583f876233c05ade516a
SHA512a67d935fe9980f142148c819c708226d267515473c5547e5adbd741efb00a60c0d53bdc8cf9f76a47c0efa48445a5d10e528ad02c009a894a5458cb78b80f440
-
Filesize
194KB
MD56241b03d68a610324ecda52f0f84e287
SHA1da80280b6e3925e455925efd6c6e59a6118269c4
SHA256ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9
-
Filesize
422KB
MD581f1bd2b46a8b98e804ca864e52c2053
SHA12d05bd9f60d478699aaf0efe924892bc13c7c3b5
SHA2564b8ffbba0f58fb849aaf86fab329b7b3df65911477f172f046c97d5741d3c310
SHA51280fa738d3b366bb7b7222fc8471882ea150404d420d03754a093339428b9a00a31e61bf61dbc45926fe39a79e5f995330aadd3cf4f983ccae64caad5c987d226