Analysis

max time kernel: 126s
max time network: 131s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 06/10/2023, 21:36
Static task: static1
General

Target: 9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe
Size: 378KB
MD5: bbc1fdf93e5bf450f7344d24adeddcd7
SHA1: 059135673ee5b8266176d9739cae3cf5caca3a39
SHA256: 9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6
SHA512: 195928cb917b1fe36b56f7cad8c52b63691eeedb4b09c4f1f0c482eaf5e8e8fd3da61ccf40a876faf4a0f95dc1f8176551a53da622493a317945f769b05813db
SSDEEP: 6144:P4pSk92pCryG4kfjSGwEi56AOLGCNeE02iQUcnnnnWgaSNBTR460D:P4p12wryNSsPJ2n9nnnnMSNBTRoD
Malware Config (extracted)

Family: mystic
C2: http://5.42.92.211/loghub/master
Signatures

- Detect Mystic stealer payload (5 IoCs)

  resource                                                                     yara_rule
  behavioral1/memory/3800-0-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral1/memory/3800-3-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral1/memory/3800-4-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral1/memory/3800-5-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral1/memory/3800-6-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic

- Suspicious use of SetThreadContext (1 IoC)

  description                           pid    Process                                                                 procid_target
  PID 4604 set thread context of 3800   4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   73

- Program crash (1 IoC)

  pid    pid_target   Process        procid_target
  2696   4604         WerFault.exe   70

- Suspicious use of WriteProcessMemory (13 IoCs)

  description                           pid    Process                                                                 procid_target
  PID 4604 wrote to memory of 4520      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   72
  PID 4604 wrote to memory of 4520      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   72
  PID 4604 wrote to memory of 4520      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   72
  PID 4604 wrote to memory of 3800      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   73
  PID 4604 wrote to memory of 3800      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   73
  PID 4604 wrote to memory of 3800      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   73
  PID 4604 wrote to memory of 3800      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   73
  PID 4604 wrote to memory of 3800      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   73
  PID 4604 wrote to memory of 3800      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   73
  PID 4604 wrote to memory of 3800      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   73
  PID 4604 wrote to memory of 3800      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   73
  PID 4604 wrote to memory of 3800      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   73
  PID 4604 wrote to memory of 3800      4604   9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe   73
Processes

- C:\Users\Admin\AppData\Local\Temp\9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe"
  PID: 4604
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 4520

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 3800

  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 340
    PID: 2696
    signatures: Program crash