Analysis

max time kernel: 127s
max time network: 132s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07/10/2023, 05:23

Static task: static1
Behavioral task: behavioral1
Sample: 00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe
Resource: win10-20230915-en
General

Target: 00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe
Size: 1.2MB
MD5: b152d60b488c5118c50b765992ec403b
SHA1: 6e953e877b4ec22062b0d3697d58b90d25d825ed
SHA256: 00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90
SHA512: 79a40da3a7ec15eca8e7bc8bac6f5935ea3c6f08deec57742b587c6ff4bf26cb709a59fbd9010c92bc6999d9fead461f78ee484a5f09a05de85bf1c21cd645c5
SSDEEP: 24576:qyYkwlodxvbwv1UXLwIxYgVLAcBEQXg+zYKnBDqLA9lqv93P8YYg:xY9idxTPLw0YeBEQwDwuLAg9/
Malware Config
Signatures

Detect Mystic stealer payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/4812-35-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/4812-38-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/4812-39-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/4812-41-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic

Executes dropped EXE (5 IoCs)
  pid   Process
  208   MR9gI7qX.exe
  4984  fJ5JG9LE.exe
  2008  Kr1QT9He.exe
  4912  EQ4Nt1rU.exe
  164   1HD36rL9.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  description / ioc / Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (Process: 00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (Process: MR9gI7qX.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  (Process: fJ5JG9LE.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  (Process: Kr1QT9He.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  (Process: EQ4Nt1rU.exe)

Suspicious use of SetThreadContext (1 IoCs)
  description                         pid  Process       procid_target
  PID 164 set thread context of 4812  164  1HD36rL9.exe  76

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2276  164         WerFault.exe  74
  4980  4812        WerFault.exe  76

Suspicious use of WriteProcessMemory (25 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2256 wrote to memory of 208   2256  00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe  70
  PID 2256 wrote to memory of 208   2256  00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe  70
  PID 2256 wrote to memory of 208   2256  00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe  70
  PID 208 wrote to memory of 4984   208   MR9gI7qX.exe                                                            71
  PID 208 wrote to memory of 4984   208   MR9gI7qX.exe                                                            71
  PID 208 wrote to memory of 4984   208   MR9gI7qX.exe                                                            71
  PID 4984 wrote to memory of 2008  4984  fJ5JG9LE.exe                                                            72
  PID 4984 wrote to memory of 2008  4984  fJ5JG9LE.exe                                                            72
  PID 4984 wrote to memory of 2008  4984  fJ5JG9LE.exe                                                            72
  PID 2008 wrote to memory of 4912  2008  Kr1QT9He.exe                                                            73
  PID 2008 wrote to memory of 4912  2008  Kr1QT9He.exe                                                            73
  PID 2008 wrote to memory of 4912  2008  Kr1QT9He.exe                                                            73
  PID 4912 wrote to memory of 164   4912  EQ4Nt1rU.exe                                                            74
  PID 4912 wrote to memory of 164   4912  EQ4Nt1rU.exe                                                            74
  PID 4912 wrote to memory of 164   4912  EQ4Nt1rU.exe                                                            74
  PID 164 wrote to memory of 4812   164   1HD36rL9.exe                                                            76
  PID 164 wrote to memory of 4812   164   1HD36rL9.exe                                                            76
  PID 164 wrote to memory of 4812   164   1HD36rL9.exe                                                            76
  PID 164 wrote to memory of 4812   164   1HD36rL9.exe                                                            76
  PID 164 wrote to memory of 4812   164   1HD36rL9.exe                                                            76
  PID 164 wrote to memory of 4812   164   1HD36rL9.exe                                                            76
  PID 164 wrote to memory of 4812   164   1HD36rL9.exe                                                            76
  PID 164 wrote to memory of 4812   164   1HD36rL9.exe                                                            76
  PID 164 wrote to memory of 4812   164   1HD36rL9.exe                                                            76
  PID 164 wrote to memory of 4812   164   1HD36rL9.exe                                                            76
Processes

C:\Users\Admin\AppData\Local\Temp\00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe
  "C:\Users\Admin\AppData\Local\Temp\00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2256

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MR9gI7qX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MR9gI7qX.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 208

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fJ5JG9LE.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fJ5JG9LE.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 4984

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kr1QT9He.exe
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kr1QT9He.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2008

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EQ4Nt1rU.exe
          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EQ4Nt1rU.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID: 4912

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HD36rL9.exe
            C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HD36rL9.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            PID: 164

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 4812

              C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 568
                - Program crash
                PID: 4980

            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 164 -s 148
              - Program crash
              PID: 2276
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.0MB
  MD5: 11be9b1ed0d88290867f543ddccc7383
  SHA1: 83fe9a6e3bc22cfb60a9fd3fe6d3105eb82c838d
  SHA256: ce476393b85bb8ed11fdf98681725429c2c94d1dffe4345f60df18e890504eed
  SHA512: 796b8f2accf182e4671dd586c4860632dcc6772cf29f53ee853aa818c237d7f703f7e8e42ad10cc9349b41a6950b6ff7c06cd50b2d8edba0fc64b1fd3d95207d
- Filesize: 883KB
  MD5: a6c68e18e8976f1eb1bdb9d3e01061cd
  SHA1: 2f068a7350b09dbdcab9a98c776aba908173315b
  SHA256: 59dcec749271a8ac6cdfb815b7c14de0a3a6bcc1fb2a79c9f79b73c768ca29fe
  SHA512: b66ac93d29e3a8c15b8ca2f20123fefca6a47fc44cf541d636f77d1dc7c7f3452ec5c56c5564352f7267e47be2e8220b7ee0c2d201f74b6e4d99fb9158e25555
- Filesize: 589KB
  MD5: bd6fecdf36e4658a10bd6f47a8f78e96
  SHA1: c82d7b1e5208196c2ee88a67a9220700944aa6f3
  SHA256: b13c5041986b9d31a8053fbd7633d2b97453ec36a992c6763a769813d6cc95dc
  SHA512: e24581e3766772f38accd06cbd3b95114646945a3e4041f27cfcda122821d0fa382a49102dee6a1fe1065ea110a28b8e67f49e84847aa2c08f09eca0802b5d90
- Filesize: 417KB
  MD5: 62158bf20b7ec53fb62c9b7db0e1a9e6
  SHA1: 4df8f09acbe1f3bfb9f6df22c46229ed9ad1c525
  SHA256: 5891716eae66b5d21c6defa6d5b307f29f7d557201240400c359366e2a322dca
  SHA512: ddabb843c6a9fc83fed7c7ed4719f90f0b36d994fad90a8e7cd64f0aeda29aac770e480b21df7493f8979b9814c5a694dd296cfb36f62961619fa31aa088aea2
- Filesize: 378KB
  MD5: f0831f173733de08511f3a0739f278a6
  SHA1: 06dc809d653c5d2c97386084ae13b50a73eb5b60
  SHA256: 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
  SHA512: 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3