Analysis
max time kernel: 112s
max time network: 116s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 06/10/2023, 21:35
Static task: static1
Behavioral task: behavioral1
  Sample: 7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe
  Resource: win10-20230915-en
General
Target: 7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe
Size: 1.2MB
MD5: ba6d343aebb18fbdbdc8b55f4496c716
SHA1: 562b382500f4a502f64fb0458d87eb1cce8cd355
SHA256: 7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239
SHA512: 20a14a6bd332ecd79a828defadcfc93ac073170c7925b7a0434c65bb4216457099a52c0764201cc9bbeae811c26c2372e3475d5644b2d43dad8ce771667c832c
SSDEEP: 24576:FyJlxCkwLtbHr+HWf8sRR7bplUzF2l5rRGHQLusQF7:g1CDRa2XbplUh27rHk
Malware Config
Signatures
Detect Mystic stealer payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/4544-35-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/4544-38-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/4544-39-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/4544-41-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic

Executes dropped EXE (5 IoCs)
  pid   Process
  4800  sK2Zo5RQ.exe
  2988  PZ0cL1Zv.exe
  4688  OS5Mh4tR.exe
  1036  oU0sX8vu.exe
  2284  1tt38WD9.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  Set value (str) by 7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Set value (str) by sK2Zo5RQ.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Set value (str) by PZ0cL1Zv.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Set value (str) by OS5Mh4tR.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
  Set value (str) by oU0sX8vu.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process       procid_target
  PID 2284 set thread context of 4544  2284  1tt38WD9.exe  76

Program crash (2 IoCs)
  pid  pid_target  Process       procid_target
  608  2284        WerFault.exe  74
  656  4544        WerFault.exe  76

Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed, occurrences in the last column)
  description                       pid   Process                                                               procid_target  count
  PID 3108 wrote to memory of 4800  3108  7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe  70             3
  PID 4800 wrote to memory of 2988  4800  sK2Zo5RQ.exe                                                          71             3
  PID 2988 wrote to memory of 4688  2988  PZ0cL1Zv.exe                                                          72             3
  PID 4688 wrote to memory of 1036  4688  OS5Mh4tR.exe                                                          73             3
  PID 1036 wrote to memory of 2284  1036  oU0sX8vu.exe                                                          74             3
  PID 2284 wrote to memory of 4544  2284  1tt38WD9.exe                                                          76             10
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe  (PID 3108)
  cmd: "C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe  (PID 4800)
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe  (PID 2988)
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe  (PID 4688)
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe  (PID 1036)
                  cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Suspicious use of WriteProcessMemory
                    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe  (PID 2284)
                      cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe
                      - Executes dropped EXE
                      - Suspicious use of SetThreadContext
                      - Suspicious use of WriteProcessMemory
                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4544)
                          cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                            C:\Windows\SysWOW64\WerFault.exe  (PID 656)
                              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 568
                              - Program crash
                        C:\Windows\SysWOW64\WerFault.exe  (PID 608)
                          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 144
                          - Program crash
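Added example (Python, not part of this report or of the sandbox's own tooling): it takes the IoC lines above, transcribed here as constructed input, and turns them into the conclusions an analyst draws from them. The wextract_cleanupN RunOnce values are what the Windows self-extracting cabinet stub (wextract.exe, as produced by IExpress) writes so that advpack.dll's DelNodeRunDLL32 deletes its IXP00N.TMP extraction directory at the next logon; five of them with consecutive indices, each written by the executable unpacked into the previous directory, are five nested self-extractor layers rather than persistence by the payload. The innermost layer, 1tt38WD9.exe (PID 2284), both writes into and calls SetThreadContext on a freshly started AppLaunch.exe (PID 4544), and every family_mystic YARA hit is on that child's 0x400000-0x428000 region: the process-hollowing pattern, with the stealer running inside a signed Microsoft .NET host. The DOTNET_HOSTS list is the example's own assumption, and the "wrote to memory" lines are reduced to one per parent/child pair.

```python
"""Added triage example (not from the report): rebuild the process chain, count
wextract self-extractor stages, and tie the hollowing pattern to the YARA hit."""
import re
from collections import defaultdict

# Constructed input: the report's own IoC lines, one per parent/child pair.
WRITE_LINES = """\
PID 3108 wrote to memory of 4800 3108 7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe 70
PID 4800 wrote to memory of 2988 4800 sK2Zo5RQ.exe 71
PID 2988 wrote to memory of 4688 2988 PZ0cL1Zv.exe 72
PID 4688 wrote to memory of 1036 4688 OS5Mh4tR.exe 73
PID 1036 wrote to memory of 2284 1036 oU0sX8vu.exe 74
PID 2284 wrote to memory of 4544 2284 1tt38WD9.exe 76
"""
CONTEXT_LINES = "PID 2284 set thread context of 4544 2284 1tt38WD9.exe 76\n"
YARA_HITS = [  # "Detect Mystic stealer payload": resource, yara_rule
    "behavioral1/memory/4544-35-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic",
    "behavioral1/memory/4544-41-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic",
]
RUNONCE = {  # "Adds Run key": RunOnce value name -> data
    "wextract_cleanup0": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
    "wextract_cleanup1": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
    "wextract_cleanup2": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"',
    "wextract_cleanup3": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"',
    "wextract_cleanup4": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"',
}
IMAGES = {  # Processes section: PID -> image path
    3108: r"C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe",
    4800: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe",
    2988: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe",
    4688: r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe",
    1036: r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe",
    2284: r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe",
    4544: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
}
# Assumption, not from the report: signed .NET hosts commonly used as hollowing targets.
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}

EDGE_RE = re.compile(r"PID (\d+) (?:wrote to memory of|set thread context of) (\d+) ")
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.I)
CLEANUP_RE = re.compile(r'DelNodeRunDLL32 "([^"]+)"')
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp (\S+)", re.I)


def parse_edges(text):
    """Set of (parent_pid, child_pid) pairs from sandbox IoC lines."""
    return {(int(a), int(b)) for a, b in EDGE_RE.findall(text)}

def process_chain(edges):
    """Follow parent->child edges from the root (the one PID never written to)."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    (root,) = {p for p, _ in edges} - {c for _, c in edges}
    chain = [root]
    while children[chain[-1]]:
        chain.append(min(children[chain[-1]]))
    return chain

def extractor_stages(images):
    """PID -> IXP<nnn> index: each index is one wextract/IExpress unpack stage."""
    return {pid: int(m.group(1)) for pid, path in images.items()
            if (m := IXP_RE.search(path))}

def cleanup_dirs(runonce):
    """Temp dir each wextract_cleanup value deletes at next logon via advpack."""
    return {name: m.group(1) for name, data in runonce.items()
            if (m := CLEANUP_RE.search(data))}

def hollowing_candidates(writes, contexts, images):
    """(parent, child) where the parent both wrote into the child and reset a
    thread context in it, and the child image is a .NET host binary."""
    return [(p, c) for p, c in sorted(writes & contexts)
            if images.get(c, "").rsplit("\\", 1)[-1].lower() in DOTNET_HOSTS]

def payload_regions(yara_hits):
    """PID -> (base, size, rule) for YARA hits on dumped memory regions."""
    found = {}
    for line in yara_hits:
        if m := DUMP_RE.search(line):
            pid, lo, hi, rule = m.groups()
            found[int(pid)] = (int(lo, 16), int(hi, 16) - int(lo, 16), rule)
    return found

def triage():
    """Combine the checks; 'payload_in_hollowed_child' ties the YARA hit to the
    hollowed process rather than to the dropper that performed the injection."""
    writes, contexts = parse_edges(WRITE_LINES), parse_edges(CONTEXT_LINES)
    chain, stages = process_chain(writes), extractor_stages(IMAGES)
    hollow = hollowing_candidates(writes, contexts, IMAGES)
    regions = payload_regions(YARA_HITS)
    return {
        "chain": chain,
        "stages": [stages[p] for p in chain if p in stages],
        "cleanup": cleanup_dirs(RUNONCE),
        "hollowing": hollow,
        "payload_in_hollowed_child": [(c, regions[c]) for _, c in hollow if c in regions],
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the seven-process chain, the stage indices 0 to 4, the five directories scheduled for deletion, the single hollowing pair (2284, 4544) and the 0x28000-byte region at 0x400000 in which the family_mystic rule matched. The same functions work on any Tria.ge-style report once its lines are pasted in; the thing to watch for is a report where the YARA hit lands on the dropper's own memory rather than on the hollowed child, which means the sandbox dumped the payload before injection and the hollowing pair is no longer confirmed by the rule.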
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.0MB
MD5: 3d1af630afdf5da35986317a1398ac38
SHA1: cdecbe60afe943b1614708e72d7e67ff5513398b
SHA256: 7b8ae81ef1423cead978a62b57b72349a89013cab614dcd409198ae6ce767da6
SHA512: 6b9bb1c5da9bdabbded4bd140d2e80f7d2190ed06b75f122087ba60a83ce30d41fc4ed75afbf5c5b2760670d755155fff555d569c036586bce72bfa3d1f80d8c

Filesize: 884KB
MD5: 7d5cfd3832171729e4cc65619b2a3441
SHA1: 2cc7eff939fff7190cfa4742bcff6947556e667f
SHA256: e81f500f7d3bfa296c5cbefb21e98d9761c1d0cc3b32dc9e01f9488b9ff29675
SHA512: 8bee0e42147bccc5a520bc62562436b1ac39d6814c3cd70c8c987db75ec8e59211605946e85e1d0c6971a3a0dc47572a457d9892455f1113adc3d300b39f9dbf

Filesize: 590KB
MD5: 5b6852a5a87f1eaddbe0403ff18f44ee
SHA1: 5d0041d5fe7c833354f64d8abc6c22cc20bd7576
SHA256: 6bb0d3f307a2124ee2291749e593571921675dee18892415af1301ed2bae15f0
SHA512: 68168a23d62fc3aec26d65d69f8f3a3f6af0c223251bc12b9070e22851c2acb10ee70f2db5b17cf973f02eaefe0102bbad816eccce22740286e0e800bc45a9cc

Filesize: 417KB
MD5: 072ef02ab1ad22f5d092ca19a7e15a9f
SHA1: 90708916718cb37a75787f981bd01431d3cba163
SHA256: b7f75c2a125a90122cc6f851829443b5c3cd7ae18cbeecd4b7c183e43a78d34b
SHA512: 616ce8fc830d7ea339b5662eb03df92671dee2574d6655842238133d475e6631fcdb886e137203518615c1975d6941d9f5b2c636ef09d054945c306e20bba716

Filesize: 378KB
MD5: e5493f444443c786ee7a8ef329caf38f
SHA1: 116568938dfd71ec67fb19d3c6b774aab8ca69c6
SHA256: 8fdb070143618ff3251d4fdd5e8e509d64120ee54c1ae54d5ee2d393350f12ab
SHA512: 5a8c1b1d1c0efd5d6a6b393be05919e6162ab08c33379784d59c404204d6cba6646b87628a6c8857cd3b29e9dcfee9bf6bfc161818924029560cc60e28ec065d