Overview

overview

10

Static

static

3

04a0e65087...2d.exe

windows10-2004-x64

10

0b23052e1d...05.exe

windows10-2004-x64

10

1319d83702...15.exe

windows10-2004-x64

10

15bb5ac797...dd.exe

windows10-2004-x64

10

19eb5c3dd8...ec.exe

windows10-2004-x64

10

2864919e9f...b7.exe

windows10-2004-x64

10

2f05412e59...2c.exe

windows10-2004-x64

10

3fd9e44b8d...84.exe

windows10-2004-x64

10

4920924329...b6.exe

windows10-2004-x64

10

6d6ab7a20c...33.exe

windows10-2004-x64

10

6e839edc16...b0.exe

windows10-2004-x64

10

6ff00efb56...f0.exe

windows10-2004-x64

10

7018985aa0...8e.exe

windows10-2004-x64

10

7b28b5b2ff...4e.exe

windows10-2004-x64

10

93bee57b71...41.exe

windows10-2004-x64

10

a22d19b8f1...9a.exe

windows10-2004-x64

10

af3432152c...8d.exe

windows10-2004-x64

10

bf27d39d4b...d1.exe

windows10-2004-x64

10

db87d25edb...b5.exe

windows10-2004-x64

10

f935568ec0...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe

  • Size

    723KB

  • MD5

    ca70b6b7eab6a054d392dc5d98839264

  • SHA1

    72cfe825b3d930b137a3314a707c6e8d2573356a

  • SHA256

    a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a

  • SHA512

    0f348870c18cbc54871ee745b21c2a6eb6a2722f36e9abdf067796042278df46017458171c7408158f832606468c91d10ac9f9250bb67e9481be04e2e638492c

  • SSDEEP

    12288:+Mrfy903SKxjPt13ERBqTs5U+ezRjWCQhFqg80rOjn1Phd:By9oj/24RghFXPOjn1j

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe
    "C:\Users\Admin\AppData\Local\Temp\a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fP4on48.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fP4on48.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cf20nR0.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cf20nR0.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4512
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NU4677.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NU4677.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4456
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3656
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 572
            4⤵
            • Program crash
            PID:1432
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3ix45uw.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3ix45uw.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
          • Checks SCSI registry key(s)
          PID:4196
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 600
          3⤵
          • Program crash
          PID:3120
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4456 -ip 4456
      1⤵
        PID:3196
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 216 -ip 216
        1⤵
          PID:4852

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        3
        T1112

        Impair Defenses

        2
        T1562

        Disable or Modify Tools

        2
        T1562.001

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3ix45uw.exe
          Filesize

          270KB

          MD5

          c1c8e9af560235565445f1b0a6239aa6

          SHA1

          61e061dee015768176b04cfce9133350c22c23f6

          SHA256

          6aedf78736ac572c8ee9d81b607c326878658767da95ef927febbd9b074ac65f

          SHA512

          29e574c18baed07380008f1285b99a7fc6fac7b241eea07aa4ef4f940a6b1d8e192dd188ff62e37ea7cea81fa4ea6e52dad9c8f0806238192fff1271eddec390

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fP4on48.exe
          Filesize

          478KB

          MD5

          12c678a0b844e06adfb25c66e1d14f94

          SHA1

          6051584ef77c11d81199c118cb5fe19bb9140795

          SHA256

          ba3ea81a0c35357c3f09fa7a9fbe09de17e326b2842b583f876233c05ade516a

          SHA512

          a67d935fe9980f142148c819c708226d267515473c5547e5adbd741efb00a60c0d53bdc8cf9f76a47c0efa48445a5d10e528ad02c009a894a5458cb78b80f440

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cf20nR0.exe
          Filesize

          194KB

          MD5

          6241b03d68a610324ecda52f0f84e287

          SHA1

          da80280b6e3925e455925efd6c6e59a6118269c4

          SHA256

          ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2

          SHA512

          a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NU4677.exe
          Filesize

          422KB

          MD5

          81f1bd2b46a8b98e804ca864e52c2053

          SHA1

          2d05bd9f60d478699aaf0efe924892bc13c7c3b5

          SHA256

          4b8ffbba0f58fb849aaf86fab329b7b3df65911477f172f046c97d5741d3c310

          SHA512

          80fa738d3b366bb7b7222fc8471882ea150404d420d03754a093339428b9a00a31e61bf61dbc45926fe39a79e5f995330aadd3cf4f983ccae64caad5c987d226

          Download Submit
        • memory/3656-57-0x0000000000400000-0x0000000000433000-memory.dmp
          Filesize

          204KB

          Download
        • memory/3656-55-0x0000000000400000-0x0000000000433000-memory.dmp
          Filesize

          204KB

          Download
        • memory/3656-54-0x0000000000400000-0x0000000000433000-memory.dmp
          Filesize

          204KB

          Download
        • memory/4196-61-0x0000000000400000-0x0000000000409000-memory.dmp
          Filesize

          36KB

          Download
        • memory/4512-38-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-28-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-46-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-44-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-42-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-40-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-20-0x00000000744D0000-0x0000000074C80000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4512-36-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-34-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-33-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-30-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-48-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-26-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-24-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-22-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-21-0x0000000002350000-0x0000000002366000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4512-50-0x00000000744D0000-0x0000000074C80000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4512-19-0x00000000744D0000-0x0000000074C80000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4512-18-0x0000000002350000-0x000000000236C000-memory.dmp
          Filesize

          112KB

          Download
        • memory/4512-16-0x00000000744D0000-0x0000000074C80000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4512-17-0x0000000004B40000-0x00000000050E4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/4512-15-0x00000000022D0000-0x00000000022EE000-memory.dmp
          Filesize

          120KB

          Download
        • memory/4512-14-0x00000000744DE000-0x00000000744DF000-memory.dmp
          Filesize

          4KB

          Download