Analysis

max time kernel:  142s
max time network: 154s
platform:         windows10-2004_x64
resource:         win10v2004-20230915-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted:        06/10/2023, 21:45
Static task:      static1
General

Target: 936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe
Size:   378KB
MD5:    eb7c17b7d98d6534e96595d6a171dedd
SHA1:   e9911bcdc1906761654aeb3cc66d93076df1ae8f
SHA256: 936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1
SHA512: f676b903d9587a2e3884c2422c139b44c397b605fdbf9e6ad413922b10fa8154e05ca36ae0c16caa6e6cd38bbdaddeea07f6b5357333f3a1a61d835b9be39dc1
SSDEEP: 6144:U40Sc92pCryG4kfjSGwEi56AOaG0yhn4UOaDU1PE9ozYqR0D:U40B2wryNS304n4haDU1qxD
Malware Config

Extracted
Family: mystic
C2:     http://5.42.92.211/loghub/master
Signatures

Detect Mystic stealer payload (5 IoCs)
resource                                                                    yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
behavioral1/memory/2196-1-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
behavioral1/memory/2196-2-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
behavioral1/memory/2196-3-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
behavioral1/memory/2196-4-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic

Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process                                                                procid_target
PID 1060 set thread context of 2196  1060  936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe  87

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
1976  1060        WerFault.exe  84

Suspicious use of WriteProcessMemory (10 IoCs)
description                       pid   Process                                                                procid_target
PID 1060 wrote to memory of 2196  1060  936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe  87
PID 1060 wrote to memory of 2196  1060  936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe  87
PID 1060 wrote to memory of 2196  1060  936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe  87
PID 1060 wrote to memory of 2196  1060  936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe  87
PID 1060 wrote to memory of 2196  1060  936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe  87
PID 1060 wrote to memory of 2196  1060  936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe  87
PID 1060 wrote to memory of 2196  1060  936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe  87
PID 1060 wrote to memory of 2196  1060  936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe  87
PID 1060 wrote to memory of 2196  1060  936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe  87
PID 1060 wrote to memory of 2196  1060  936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe  87
Processes

C:\Users\Admin\AppData\Local\Temp\936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\936232f78e8f6d418f30addf4bcbd26429327a581824d53faad177ac3d21f5e1.exe"
  PID: 1060
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 2196

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 408
      PID: 1976
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1060 -ip 1060
  PID: 3000