Analysis Overview
SHA256
9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6
Threat Level: Known bad
The file 9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6 was found to be: Known bad.
Malicious Activity Summary
Detect Mystic stealer payload
Mystic
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-10-06 21:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-06 21:36
Reported
2023-10-06 21:39
Platform
win10-20230915-en
Max time kernel
126s
Max time network
131s
Command Line
Signatures
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Mystic
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4604 set thread context of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe
"C:\Users\Admin\AppData\Local\Temp\9c48b66a8f2c5f41305994fb9d1af129db5a9d1438eaff4cb7e73a777bf5d3d6.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 340
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.121.18.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
memory/3800-0-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3800-3-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3800-4-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3800-5-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3800-6-0x0000000000400000-0x0000000000428000-memory.dmp