Analysis
- max time kernel: 124s
- max time network: 131s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 04/10/2023, 14:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe
- Resource: win10-20230915-en
General
- Target: d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe
- Size: 1.8MB
- MD5: ca07658115cc668cb217bacd366736bc
- SHA1: 83e70e91f433cdb77b7a13f1c6b57c874e0a890b
- SHA256: d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d
- SHA512: 0912639d64d00219de05071460846be2a38e86e49605f8f82579582a993103eea078249a1cc12356afdb5a01e729f1e4d756105e97f372e69426fe9bd8994a1c
- SSDEEP: 49152:BuXyYB6Ag5uJO/7RA+soZYXtCO9qWHm3:NYw1RhYdCC0
Malware Config
Signatures
Detect Mystic stealer payload (4 IoCs)
- resource | yara_rule
  - behavioral1/memory/3172-66-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  - behavioral1/memory/3172-69-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  - behavioral1/memory/3172-70-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  - behavioral1/memory/3172-72-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic

Modifies Windows Defender Real-time Protection settings (5 IoCs)
- description | ioc | Process
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 1dy85Rf0.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 1dy85Rf0.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 1dy85Rf0.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 1dy85Rf0.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 1dy85Rf0.exe

Executes dropped EXE (5 IoCs)
- pid | Process
  - 3044 | Xz0TB19.exe
  - 2532 | zg5Vl09.exe
  - 1168 | vD1Ij09.exe
  - 524 | 1dy85Rf0.exe
  - 4400 | 2pw5130.exe

Windows security modification (2 IoCs)
- description | ioc | Process
  - Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 1dy85Rf0.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1dy85Rf0.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Xz0TB19.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | zg5Vl09.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | vD1Ij09.exe

Suspicious use of SetThreadContext (1 IoCs)
- description | pid | Process | procid_target
  - PID 4400 set thread context of 3172 | 4400 | 2pw5130.exe | 76

Program crash (2 IoCs)
- pid | pid_target | Process | procid_target
  - 4688 | 4400 | WerFault.exe | 74
  - 4908 | 3172 | WerFault.exe | 76

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid | Process
  - 524 | 1dy85Rf0.exe
  - 524 | 1dy85Rf0.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
- description | pid | Process
  - Token: SeDebugPrivilege | 524 | 1dy85Rf0.exe

Suspicious use of WriteProcessMemory (28 IoCs)
- description | pid | Process | procid_target
  - PID 1528 wrote to memory of 3044 | 1528 | d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe | 70
  - PID 1528 wrote to memory of 3044 | 1528 | d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe | 70
  - PID 1528 wrote to memory of 3044 | 1528 | d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe | 70
  - PID 3044 wrote to memory of 2532 | 3044 | Xz0TB19.exe | 71
  - PID 3044 wrote to memory of 2532 | 3044 | Xz0TB19.exe | 71
  - PID 3044 wrote to memory of 2532 | 3044 | Xz0TB19.exe | 71
  - PID 2532 wrote to memory of 1168 | 2532 | zg5Vl09.exe | 72
  - PID 2532 wrote to memory of 1168 | 2532 | zg5Vl09.exe | 72
  - PID 2532 wrote to memory of 1168 | 2532 | zg5Vl09.exe | 72
  - PID 1168 wrote to memory of 524 | 1168 | vD1Ij09.exe | 73
  - PID 1168 wrote to memory of 524 | 1168 | vD1Ij09.exe | 73
  - PID 1168 wrote to memory of 524 | 1168 | vD1Ij09.exe | 73
  - PID 1168 wrote to memory of 4400 | 1168 | vD1Ij09.exe | 74
  - PID 1168 wrote to memory of 4400 | 1168 | vD1Ij09.exe | 74
  - PID 1168 wrote to memory of 4400 | 1168 | vD1Ij09.exe | 74
  - PID 4400 wrote to memory of 3532 | 4400 | 2pw5130.exe | 75
  - PID 4400 wrote to memory of 3532 | 4400 | 2pw5130.exe | 75
  - PID 4400 wrote to memory of 3532 | 4400 | 2pw5130.exe | 75
  - PID 4400 wrote to memory of 3172 | 4400 | 2pw5130.exe | 76
  - PID 4400 wrote to memory of 3172 | 4400 | 2pw5130.exe | 76
  - PID 4400 wrote to memory of 3172 | 4400 | 2pw5130.exe | 76
  - PID 4400 wrote to memory of 3172 | 4400 | 2pw5130.exe | 76
  - PID 4400 wrote to memory of 3172 | 4400 | 2pw5130.exe | 76
  - PID 4400 wrote to memory of 3172 | 4400 | 2pw5130.exe | 76
  - PID 4400 wrote to memory of 3172 | 4400 | 2pw5130.exe | 76
  - PID 4400 wrote to memory of 3172 | 4400 | 2pw5130.exe | 76
  - PID 4400 wrote to memory of 3172 | 4400 | 2pw5130.exe | 76
  - PID 4400 wrote to memory of 3172 | 4400 | 2pw5130.exe | 76
Processes (nesting shows parent/child; the number is the depth in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1528
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xz0TB19.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xz0TB19.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 3044
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zg5Vl09.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zg5Vl09.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2532
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vD1Ij09.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vD1Ij09.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 1168
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dy85Rf0.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dy85Rf0.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 524
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2pw5130.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2pw5130.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID: 4400
          - [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 3532
          - [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 3172
            - [7] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 568
              - Program crash
              PID: 4908
          - [6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 188
            - Program crash
            PID: 4688
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads