mystic | 1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8

Analysis

max time kernel
111s
max time network
116s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
30/09/2023, 10:45

Target

1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe
Size

356KB
MD5

3309b55942260cc092f77394c10fd173
SHA1

1fc942ba4625fe01d8c2dda4b8cd7862cc0daa58
SHA256

1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8
SHA512

ad4821a85f7f53357e4cad10fc7413203e2f2b8981ff74aed44551626cf67150b14f6bb4a550581f3eb834d91ecd75d05baf84aae18c3477a9eb60a1656d8f11
SSDEEP

6144:jETeW/s5GqrO5aXnfEGIXWPvZAO/yaPBTPrBGD1IMy8ni5VZnQyJDMVs0BC+:NmcGqrOk86xvPBTjBGDiB2iuyJDIs0Bl

Score

10^/10

mystic stealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3468 set thread context of 1220	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	72

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5048	3468	WerFault.exe	69

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 164	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	71
PID 3468 wrote to memory of 164	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	71
PID 3468 wrote to memory of 164	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	71
PID 3468 wrote to memory of 1220	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	72
PID 3468 wrote to memory of 1220	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	72
PID 3468 wrote to memory of 1220	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	72
PID 3468 wrote to memory of 1220	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	72
PID 3468 wrote to memory of 1220	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	72
PID 3468 wrote to memory of 1220	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	72
PID 3468 wrote to memory of 1220	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	72
PID 3468 wrote to memory of 1220	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	72
PID 3468 wrote to memory of 1220	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	72
PID 3468 wrote to memory of 1220	3468	1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe	72

C:\Users\Admin\AppData\Local\Temp\1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe
"C:\Users\Admin\AppData\Local\Temp\1cff28b8b789041ee9d6b0d6df608403b0c8eb36bdeb642d12bb3fe7db0b78a8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 252
  2⤵
  - Program crash
  PID:5048

memory/1220-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1220-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1220-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1220-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1220-6-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download