mystic | aeef7b8f29007417b69fd4314ae871c382fb907a2d74e893af3ab319ba7eab49

Analysis

max time kernel
169s
max time network
276s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04/10/2023, 07:05

Target

1iX63SW3.exe
Size

285KB
MD5

d6e71ef438147418bbf08acfb7399fce
SHA1

c1f3c35cb876586dbb8ba93e00aeaf41333b3e4c
SHA256

aeef7b8f29007417b69fd4314ae871c382fb907a2d74e893af3ab319ba7eab49
SHA512

398ca79e6c3642401080d95f029eea5191692e561af9dbf1ab8b1163122dff9fd60a2427d561af259b7a39f49feec895a67f9a06677e34dcdfe206b4981d6d0e
SSDEEP

6144:GU+Elo4WGFw16HctKEGh7fuFcqKYikGCVabmox:GU+ElodKHcUAKY/GCVox

Score

10^/10

mystic stealer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3728 set thread context of 4532	3728	1iX63SW3.exe	72

Program crash 1 IoCs

pid	pid_target	Process	procid_target
196	3728	WerFault.exe	69

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4416	3728	1iX63SW3.exe	71
PID 3728 wrote to memory of 4416	3728	1iX63SW3.exe	71
PID 3728 wrote to memory of 4416	3728	1iX63SW3.exe	71
PID 3728 wrote to memory of 4532	3728	1iX63SW3.exe	72
PID 3728 wrote to memory of 4532	3728	1iX63SW3.exe	72
PID 3728 wrote to memory of 4532	3728	1iX63SW3.exe	72
PID 3728 wrote to memory of 4532	3728	1iX63SW3.exe	72
PID 3728 wrote to memory of 4532	3728	1iX63SW3.exe	72
PID 3728 wrote to memory of 4532	3728	1iX63SW3.exe	72
PID 3728 wrote to memory of 4532	3728	1iX63SW3.exe	72
PID 3728 wrote to memory of 4532	3728	1iX63SW3.exe	72
PID 3728 wrote to memory of 4532	3728	1iX63SW3.exe	72
PID 3728 wrote to memory of 4532	3728	1iX63SW3.exe	72

C:\Users\Admin\AppData\Local\Temp\1iX63SW3.exe
"C:\Users\Admin\AppData\Local\Temp\1iX63SW3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 348
  2⤵
  - Program crash
  PID:196

memory/4532-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4532-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4532-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4532-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4532-6-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download