mystic | c4e0cb607d432343219b41d78c2ec5dd75cd61337e01004ddbd2a25678afd2f2

Analysis

max time kernel
137s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 18:00

Target

file.exe
Size

700KB
MD5

a940041c46398589b82411421e1da99c
SHA1

dcda71537ac11519b263f6afc002f0714175a95e
SHA256

c4e0cb607d432343219b41d78c2ec5dd75cd61337e01004ddbd2a25678afd2f2
SHA512

072e369b2798aea4fbdb9490f78bf5560f475a33c6b46b146dd54062ec8af26e0d9f280813af29ae368e16adec60a8c7d4126d9c5bdca47d9a42ffd3abd93de0
SSDEEP

6144:f6vGALXgBEIy8wluzNcq/PVucQpbupc5YLu2+OYAO57ehy8wCmhM7vJQ8xWyvfr:SHXgFysVucQpb03UMwc1Nx/r

Score

10^/10

mystic stealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4184 set thread context of 2412	4184	file.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3468	4184	WerFault.exe	83

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 3636	4184	file.exe	88
PID 4184 wrote to memory of 3636	4184	file.exe	88
PID 4184 wrote to memory of 3636	4184	file.exe	88
PID 4184 wrote to memory of 2412	4184	file.exe	89
PID 4184 wrote to memory of 2412	4184	file.exe	89
PID 4184 wrote to memory of 2412	4184	file.exe	89
PID 4184 wrote to memory of 2412	4184	file.exe	89
PID 4184 wrote to memory of 2412	4184	file.exe	89
PID 4184 wrote to memory of 2412	4184	file.exe	89
PID 4184 wrote to memory of 2412	4184	file.exe	89
PID 4184 wrote to memory of 2412	4184	file.exe	89
PID 4184 wrote to memory of 2412	4184	file.exe	89
PID 4184 wrote to memory of 2412	4184	file.exe	89

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 136
  2⤵
  - Program crash
  PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4184 -ip 4184
1⤵
PID:2380

memory/2412-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-2-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download