Analysis

  • max time kernel
    112s
  • max time network
    116s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    06/10/2023, 21:35

General

  • Target

    7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe

  • Size

    1.2MB

  • MD5

    ba6d343aebb18fbdbdc8b55f4496c716

  • SHA1

    562b382500f4a502f64fb0458d87eb1cce8cd355

  • SHA256

    7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239

  • SHA512

    20a14a6bd332ecd79a828defadcfc93ac073170c7925b7a0434c65bb4216457099a52c0764201cc9bbeae811c26c2372e3475d5644b2d43dad8ce771667c832c

  • SSDEEP

    24576:FyJlxCkwLtbHr+HWf8sRR7bplUzF2l5rRGHQLusQF7:g1CDRa2XbplUh27rHk

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe
    "C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4688
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1036
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2284
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                PID:4544
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 568
                  8⤵
                  • Program crash
                  PID:656
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 144
                7⤵
                • Program crash
                PID:608

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe

            Filesize

            1.0MB

            MD5

            3d1af630afdf5da35986317a1398ac38

            SHA1

            cdecbe60afe943b1614708e72d7e67ff5513398b

            SHA256

            7b8ae81ef1423cead978a62b57b72349a89013cab614dcd409198ae6ce767da6

            SHA512

            6b9bb1c5da9bdabbded4bd140d2e80f7d2190ed06b75f122087ba60a83ce30d41fc4ed75afbf5c5b2760670d755155fff555d569c036586bce72bfa3d1f80d8c

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe

            Filesize

            884KB

            MD5

            7d5cfd3832171729e4cc65619b2a3441

            SHA1

            2cc7eff939fff7190cfa4742bcff6947556e667f

            SHA256

            e81f500f7d3bfa296c5cbefb21e98d9761c1d0cc3b32dc9e01f9488b9ff29675

            SHA512

            8bee0e42147bccc5a520bc62562436b1ac39d6814c3cd70c8c987db75ec8e59211605946e85e1d0c6971a3a0dc47572a457d9892455f1113adc3d300b39f9dbf

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe

            Filesize

            590KB

            MD5

            5b6852a5a87f1eaddbe0403ff18f44ee

            SHA1

            5d0041d5fe7c833354f64d8abc6c22cc20bd7576

            SHA256

            6bb0d3f307a2124ee2291749e593571921675dee18892415af1301ed2bae15f0

            SHA512

            68168a23d62fc3aec26d65d69f8f3a3f6af0c223251bc12b9070e22851c2acb10ee70f2db5b17cf973f02eaefe0102bbad816eccce22740286e0e800bc45a9cc

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe

            Filesize

            417KB

            MD5

            072ef02ab1ad22f5d092ca19a7e15a9f

            SHA1

            90708916718cb37a75787f981bd01431d3cba163

            SHA256

            b7f75c2a125a90122cc6f851829443b5c3cd7ae18cbeecd4b7c183e43a78d34b

            SHA512

            616ce8fc830d7ea339b5662eb03df92671dee2574d6655842238133d475e6631fcdb886e137203518615c1975d6941d9f5b2c636ef09d054945c306e20bba716

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe

            Filesize

            378KB

            MD5

            e5493f444443c786ee7a8ef329caf38f

            SHA1

            116568938dfd71ec67fb19d3c6b774aab8ca69c6

            SHA256

            8fdb070143618ff3251d4fdd5e8e509d64120ee54c1ae54d5ee2d393350f12ab

            SHA512

            5a8c1b1d1c0efd5d6a6b393be05919e6162ab08c33379784d59c404204d6cba6646b87628a6c8857cd3b29e9dcfee9bf6bfc161818924029560cc60e28ec065d

          • memory/4544-35-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/4544-38-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/4544-39-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/4544-41-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB
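Read together, the process tree and the artifacts above tell one story: five nested self-extracting stages (the IXP000.TMP to IXP004.TMP directories are what an IExpress package unpacks into), each adding a Run key, until 1tt38WD9.exe (PID 2284) uses SetThreadContext and WriteProcessMemory to start an AppLaunch.exe (PID 4544) that shows no behaviour of its own; both then crash under WerFault, and the four memory dumps are all a 160KB region at 0x400000 inside that host. The script below is an added example, not tooling from the sandbox or from the report's author: it transcribes the process table and dump names from this page and applies heuristics chosen here (a parent with both signatures whose child is a silent Windows-shipped binary is treated as hollowing; 0x400000 is treated as the default 32-bit image base; WerFault's -p argument identifies the crashed PID) to recover those relationships programmatically.

```python
# Added example: correlate the report's process tree with its WerFault and
# memory-dump artifacts. PROCS/DUMPS are transcribed from the report; the
# detection rules are heuristics chosen here, not the sandbox's signatures.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    sigs: frozenset
    cmdline: str

def _p(pid, image, parent, sigs=(), cmdline=None):
    return Proc(pid, image, parent, frozenset(sigs), cmdline or image)

TMP = r"C:\Users\Admin\AppData\Local\Temp"
WER = r"C:\Windows\SysWOW64\WerFault.exe"
RUN, WPM, STC, DROP, CRASH = ("Adds Run key", "WriteProcessMemory",
                              "SetThreadContext", "Executes dropped EXE",
                              "Program crash")
PROCS = [  # PIDs, images and per-process signatures as listed in the tree
    _p(3108, TMP + r"\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe", None, [RUN, WPM]),
    _p(4800, TMP + r"\IXP000.TMP\sK2Zo5RQ.exe", 3108, [DROP, RUN, WPM]),
    _p(2988, TMP + r"\IXP001.TMP\PZ0cL1Zv.exe", 4800, [DROP, RUN, WPM]),
    _p(4688, TMP + r"\IXP002.TMP\OS5Mh4tR.exe", 2988, [DROP, RUN, WPM]),
    _p(1036, TMP + r"\IXP003.TMP\oU0sX8vu.exe", 4688, [DROP, RUN, WPM]),
    _p(2284, TMP + r"\IXP004.TMP\1tt38WD9.exe", 1036, [DROP, STC, WPM]),
    _p(4544, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", 2284),
    _p(656, WER, 4544, [CRASH], WER + " -u -p 4544 -s 568"),
    _p(608, WER, 2284, [CRASH], WER + " -u -p 2284 -s 144"),
]
DUMPS = [f"memory/4544-{n}-0x0000000000400000-0x0000000000428000-memory.dmp"
         for n in (35, 38, 39, 41)]  # memory-dump names from the Downloads list

IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.I)
WER_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)", re.I)
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp", re.I)

def find_hollowing(procs):
    """(injector, host) pairs: parent used SetThreadContext + WriteProcessMemory
    (suspend, overwrite, redirect thread, resume) and its child is a silent
    Windows-shipped binary. WerFault children are the crash handler, not a host."""
    hits = []
    for p in procs:
        if {STC, WPM} <= p.sigs:
            for c in procs:
                img = c.image.lower()
                if (c.parent == p.pid and img.startswith("c:\\windows\\")
                        and not img.endswith("werfault.exe") and not c.sigs):
                    hits.append((p.pid, c.pid))
    return hits

def dropper_chain(procs, pid):
    """Ancestors of pid, root first."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid is not None:
        chain.append(by_pid[pid])
        pid = by_pid[pid].parent
    return chain[::-1]

def ixp_stages(chain):
    """IXP###.TMP is the scratch directory an IExpress self-extracting package
    unpacks into; each such stage in the chain is one more nested SFX layer."""
    return [m.group(1) for m in (IXP_RE.search(p.image) for p in chain) if m]

def persistence_procs(procs):
    return [p for p in procs if RUN in p.sigs]

def crashed_pids(procs):
    """PIDs named by WerFault's -p argument."""
    return {int(m.group(1)) for m in (WER_RE.search(p.cmdline) for p in procs) if m}

def parse_dump(name):
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, lo, hi = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "base": lo, "end": hi, "size": hi - lo}

def dumps_for_hollowed_hosts(procs, names):
    hosts = {host for _, host in find_hollowing(procs)}
    out = []
    for d in map(parse_dump, names):
        d["hollowed_host"] = d["pid"] in hosts
        # 0x400000 is the traditional default ImageBase of a 32-bit PE; a region
        # at exactly that address inside a WOW64 host is where a non-relocated
        # injected image would sit (a heuristic, not proof of hollowing).
        d["default_x86_base"] = d["base"] == 0x400000
        out.append(d)
    return out

if __name__ == "__main__":
    pairs = find_hollowing(PROCS)
    print("hollowing:", pairs, "crashed:", crashed_pids(PROCS))
    print("IXP stages:", ixp_stages(dropper_chain(PROCS, pairs[0][0])))
    print("run-key persistence:", [p.pid for p in persistence_procs(PROCS)])
    print("dumps:", dumps_for_hollowed_hosts(PROCS, DUMPS))
```

Run as-is it reports the single injector/host pair (2284, 4544), the five IXP stages, the five Run-key processes matching the "5 IoCs" count in Signatures, both crashed PIDs, and flags every dump as a default-base region inside the hollowed host. The same parent/child rule (SetThreadContext plus WriteProcessMemory from a process in a user-writable Temp path onto a child under C:\Windows) is a reasonable starting point for an EDR or SIEM query; the 0x400000 check is only a corroborating hint, since legitimately non-relocated 32-bit images also load there.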