Overview

overview

10

Static

static

3

04a0e65087...2d.exe

windows10-2004-x64

10

0b23052e1d...05.exe

windows10-2004-x64

10

1319d83702...15.exe

windows10-2004-x64

10

15bb5ac797...dd.exe

windows10-2004-x64

10

19eb5c3dd8...ec.exe

windows10-2004-x64

10

2864919e9f...b7.exe

windows10-2004-x64

10

2f05412e59...2c.exe

windows10-2004-x64

10

3fd9e44b8d...84.exe

windows10-2004-x64

10

4920924329...b6.exe

windows10-2004-x64

10

6d6ab7a20c...33.exe

windows10-2004-x64

10

6e839edc16...b0.exe

windows10-2004-x64

10

6ff00efb56...f0.exe

windows10-2004-x64

10

7018985aa0...8e.exe

windows10-2004-x64

10

7b28b5b2ff...4e.exe

windows10-2004-x64

10

93bee57b71...41.exe

windows10-2004-x64

10

a22d19b8f1...9a.exe

windows10-2004-x64

10

af3432152c...8d.exe

windows10-2004-x64

10

bf27d39d4b...d1.exe

windows10-2004-x64

10

db87d25edb...b5.exe

windows10-2004-x64

10

f935568ec0...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe

  • Size

    733KB

  • MD5

    f6ff6d5bcfc6785ac6f50078974cab80

  • SHA1

    40b4e177adf9c23cc7e08a67b78250874f78c501

  • SHA256

    bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1

  • SHA512

    86b9ab7ba445bd325e7ab0c5d40ea57799c8254dba0bacc1e11f4306a3fc4be7b0902138ad5c4d1819ba1197e11a0aee5429c734dca7b4600fe30ddda8dda6a1

  • SSDEEP

    12288:AMr2y90cvDIUilEPl88a0nkI8BuKu2GRkAPUwVmBkBiq+4sltxxFi:myhsUilEPq8Fnkpu2GRkRrRqvslt4

Score
10/10
mysticsmokeloaderbackdoorevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe
    "C:\Users\Admin\AppData\Local\Temp\bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VU8XV55.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VU8XV55.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HE24SB2.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HE24SB2.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2nh0970.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2nh0970.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4280
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:2344
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
                PID:4708
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 624
                4⤵
                • Program crash
                PID:4792
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uW43Fx.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uW43Fx.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3496
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              3⤵
              • Checks SCSI registry key(s)
              PID:4088
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 136
              3⤵
              • Program crash
              PID:3048
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2120 -ip 2120
          1⤵
            PID:2396
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3496 -ip 3496
            1⤵
              PID:5000

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uW43Fx.exe
              Filesize

              280KB

              MD5

              0bd32839b444684cfb65a34e4f31780b

              SHA1

              55a5b4bd45696e03d4a35c1d0a6260b3a46846b0

              SHA256

              27b58702d8f19e28ab866afe7c633d75c93f4d0ac154d3803a6e3d8e8f32bfc3

              SHA512

              6d9fe18e99c1a82c016e4450b2dfe19bb4e67d26bba2da6e8b560e71de4793e76f09599f39f54ab27a46898c7f7dda888be421bbcb5bb8b3f06566e944ccfc76

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VU8XV55.exe
              Filesize

              485KB

              MD5

              0f205ca2cc22873955c23316cfb699ec

              SHA1

              cb6eb8bb00190355d40ab1e8523f01625d99223a

              SHA256

              072f1187c5b0ffe2ff3de81416fefc27c9a178d9ae310d8dda3afd2f3b4fb4a4

              SHA512

              f55f904302b822d303c4a1a052979ce0a801d6ec606ba04931568674c54de4db2f6b10de832c552b33890da1b25b2ac7a141862169eed3fddd50bdfdea90d33b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HE24SB2.exe
              Filesize

              194KB

              MD5

              35d718538c3e1346cb4fcf54aaa0f141

              SHA1

              234c0aa0465c27c190a83936e8e3aa3c4b991224

              SHA256

              97e62bfa90aca06c595fb150e36f56b4a285f58cc072b8c458ae79805523fc36

              SHA512

              4bcf5cabe93ec54608ccb95d80822f411bb32c2746be609873a493045913fb53e0a953e75f82dfe620d661f049437da7a70d34995dc915bb0b09426e97f0aec3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2nh0970.exe
              Filesize

              432KB

              MD5

              8170d94baae55a3e44b95b13f236a055

              SHA1

              b43a34a894ea751cd9a63c621786cbec7849e279

              SHA256

              be82ae3d01c3f9a5e75c54a99d555a990e04257a9fea1998ad7c661cf1a07ad4

              SHA512

              d7db6dc84fa4c6197756609403eb73568c3a6ac6ce9d4fd690d41d40e05c06b0d649caf2ec9881188b75d425c9edc8e917bea1b2e68b0f47502db01c794aa09a

              Download Submit

            • memory/1932-40-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-35-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-18-0x0000000002510000-0x000000000252C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/1932-19-0x0000000074A10000-0x00000000751C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1932-20-0x0000000074A10000-0x00000000751C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1932-21-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-48-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-46-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-44-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-42-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-16-0x0000000074A10000-0x00000000751C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1932-38-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-36-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-17-0x0000000004C00000-0x00000000051A4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/1932-32-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-31-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-28-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-26-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-24-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-22-0x0000000002510000-0x0000000002526000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1932-50-0x0000000074A10000-0x00000000751C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1932-15-0x00000000007C0000-0x00000000007DE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1932-14-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4088-61-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download

            • memory/4708-57-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/4708-55-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/4708-54-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download