Analysis Overview
SHA256
5b2d55c2547ea66d708d13f3b63f0c78932421f7453a79b40b1942cd73ddf55b
Threat Level: Known bad
The file 5b2d55c2547ea66d708d13f3b63f0c78932421f7453a79b40b1942cd73ddf55b was found to be: Known bad.
Malicious Activity Summary
Detect Mystic stealer payload
Mystic
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-10-06 21:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-06 21:40
Reported
2023-10-06 21:42
Platform
win10-20230915-en
Max time kernel
107s
Max time network
112s
Command Line
Signatures
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Mystic
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4936 set thread context of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\5b2d55c2547ea66d708d13f3b63f0c78932421f7453a79b40b1942cd73ddf55b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5b2d55c2547ea66d708d13f3b63f0c78932421f7453a79b40b1942cd73ddf55b.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5b2d55c2547ea66d708d13f3b63f0c78932421f7453a79b40b1942cd73ddf55b.exe
"C:\Users\Admin\AppData\Local\Temp\5b2d55c2547ea66d708d13f3b63f0c78932421f7453a79b40b1942cd73ddf55b.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 152
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.211.247.8.in-addr.arpa | udp |
Files
memory/1780-0-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1780-3-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1780-4-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1780-5-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1780-6-0x0000000000400000-0x0000000000428000-memory.dmp