Analysis Overview
SHA256
e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755
Threat Level: Known bad
The file e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755 was found to be: Known bad.
Malicious Activity Summary
Detect Mystic stealer payload
Mystic
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-10-06 20:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-06 20:59
Reported
2023-10-06 21:02
Platform
win10-20230915-en
Max time kernel
123s
Max time network
127s
Command Line
Signatures
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Mystic
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1148 set thread context of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755.exe
"C:\Users\Admin\AppData\Local\Temp\e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 148
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
memory/4160-0-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4160-3-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4160-4-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4160-5-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4160-6-0x0000000000400000-0x0000000000428000-memory.dmp