Analysis

  • max time kernel
    69s
  • max time network
    74s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    07/10/2023, 05:29

General

  • Target

    618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe

  • Size

    1.2MB

  • MD5

    1f2377c551e30a35e226a7ac40c2b78f

  • SHA1

    62afab15630e238061aa6b6b9bd6070760d29de4

  • SHA256

    618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d

  • SHA512

    46d9defe82cc96987f9931a08ad95327b1d012395fdefaf95e26d86a472081ccc5a1dad6ef5038d1ab3bb1952c6b9165e32ae71a5f09d92d69a3e98bc44cdc3e

  • SSDEEP

    24576:iyvTnLYZsXqZkShR34W+U1uze26lMuFZiSKDosmAkwO7SZs:JyDZkShR3BTR26PFsbDffO7SZ

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe
    "C:\Users\Admin\AppData\Local\Temp\618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\am4Bj5wZ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\am4Bj5wZ.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo9Qh0IA.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo9Qh0IA.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sw1ap1AQ.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sw1ap1AQ.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4248
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bl3AC3oh.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bl3AC3oh.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4216
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4156
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  7⤵
                  PID:5112
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  7⤵
                  PID:5084
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 568
                    8⤵
                    • Program crash
                    PID:2976
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 580
                  7⤵
                  • Program crash
                  PID:5032
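Reading the tree: each stage unpacks into a fresh %TEMP%\IXP<nnn>.TMP directory, which is where IExpress self-extracting packages extract, and runs the next stage from there (five nested packages here); the last stage starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe twice with no arguments while the report flags SetThreadContext and WriteProcessMemory, the usual call sequence for process hollowing. The four 160KB dumps of 0x400000-0x428000 in PID 5084 listed under Downloads are consistent with the hollowed AppLaunch.exe image being what the Mystic payload signature matched. The script below is an added example, not part of the sandbox output: it replays the tree as constructed Sysmon-style process-creation events, flags those three behaviours, and matches file contents against the SHA-256 values of the dropped stages in this report. The event field names, the parent of the first process (explorer.exe, PID 1000) and the benign control event are assumptions; paths, PIDs and hashes are copied from the report.

```python
"""Heuristics for the dropper chain and hollowing pattern in the process tree above.

Added example, not part of the sandbox output.  Replays the report's tree as
constructed Sysmon-style process-creation events and flags: executables run from
nested IXP<nnn>.TMP (IExpress) directories, AppLaunch.exe started bare by an
untrusted parent (hollowing target), and WerFault reports for those processes.
"""
import hashlib
import re

IEXPRESS_DROP = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.I)
APPLAUNCH = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v4\.0\.30319\\AppLaunch\.exe$", re.I)
WERFAULT = re.compile(r"\\WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+\d+", re.I)
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = TEMP + r"\618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
WER = r"C:\Windows\SysWOW64\WerFault.exe"
STAGES = [TEMP + s for s in (r"\IXP000.TMP\am4Bj5wZ.exe", r"\IXP001.TMP\yo9Qh0IA.exe",
                             r"\IXP002.TMP\Sw1ap1AQ.exe", r"\IXP003.TMP\bl3AC3oh.exe",
                             r"\IXP004.TMP\1sa00VW0.exe")]

def ev(pid, ppid, image, parent_image, cmdline=None):
    return {"pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent_image, "cmdline": cmdline or image}

# Constructed events mirroring the tree; the parent of 4800 (explorer.exe, PID 1000) is assumed.
EVENTS = [
    ev(4800, 1000, ROOT, r"C:\Windows\explorer.exe"),
    ev(1372, 4800, STAGES[0], ROOT),
    ev(1748, 1372, STAGES[1], STAGES[0]),
    ev(4248, 1748, STAGES[2], STAGES[1]),
    ev(4216, 4248, STAGES[3], STAGES[2]),
    ev(4156, 4216, STAGES[4], STAGES[3]),
    ev(5112, 4156, NET, STAGES[4], f'"{NET}"'),
    ev(5084, 4156, NET, STAGES[4], f'"{NET}"'),
    ev(2976, 5084, WER, NET, WER + " -u -p 5084 -s 568"),
    ev(5032, 4156, WER, STAGES[4], WER + " -u -p 4156 -s 580"),
    # Constructed benign control: a Windows parent runs AppLaunch.exe with an argument.
    ev(6000, 900, NET, r"C:\Windows\System32\svchost.exe", f'"{NET}" C:\\Tools\\Helper.exe'),
]

def dropper_chain(events):
    """Images run from IXP<nnn>.TMP, ordered by how many IXP ancestors each one has."""
    by_pid = {e["pid"]: e for e in events}

    def depth(e):
        d = 0
        while e is not None and IEXPRESS_DROP.search(e["image"]):
            d, e = d + 1, by_pid.get(e["ppid"])
        return d

    hits = [e for e in events if IEXPRESS_DROP.search(e["image"])]
    return [e["image"] for e in sorted(hits, key=depth)]

def hollowing_candidates(events):
    """AppLaunch.exe with a bare command line, started by a parent outside Windows dirs."""
    out = []
    for e in events:
        if not APPLAUNCH.search(e["image"]):
            continue
        trusted = e["parent_image"].lower().startswith(TRUSTED_PARENT_DIRS)
        bare = e["cmdline"].strip().strip('"').lower() == e["image"].lower()
        if bare and not trusted:
            out.append(e["pid"])
    return out

def crashed_pids(events, suspicious):
    """PIDs from `suspicious` that WerFault was started for (-p <pid>)."""
    out = []
    for e in events:
        m = WERFAULT.search(e["cmdline"])
        if m and int(m.group(1)) in suspicious:
            out.append(int(m.group(1)))
    return out

def analyse(events):
    chain = dropper_chain(events)
    hollowed = hollowing_candidates(events)
    suspicious = set(hollowed) | {e["pid"] for e in events if e["image"] in chain}
    return {"dropper_chain": chain, "hollowed_pids": hollowed,
            "crashed_pids": crashed_pids(events, suspicious)}

# SHA-256 of the dropped stages, copied from the Downloads section of this report.
DROPPED_SHA256 = {
    "8f229f70b74527f775caa2811ce76fbd9942d5da2cf6a70d5c3f7115e4a854dc": "IXP000.TMP\\am4Bj5wZ.exe",
    "0231a8b245aaa3281d7973118998fed869cc99a44ad56b8715b04d722010196b": "IXP001.TMP\\yo9Qh0IA.exe",
    "ec4469f238b205f8fa510a4bd070b0afe98a694c5c9a05b36cffa9d43f80a6bf": "IXP002.TMP\\Sw1ap1AQ.exe",
    "95730b6d23207d6d16569caf3b61d294fc3dedbc65955f8f9cdcc8e98a259c2d": "IXP003.TMP\\bl3AC3oh.exe",
    "8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27": "IXP004.TMP\\1sa00VW0.exe",
}

def hash_bytes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def match_dropped(data):
    """Name of the dropped stage whose SHA-256 matches `data`, or None."""
    return DROPPED_SHA256.get(hash_bytes(data)["sha256"])

if __name__ == "__main__":
    for key, value in analyse(EVENTS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the five-stage chain, PIDs 5112 and 5084 as hollowing candidates, and 5084 and 4156 as the crashed processes; against real telemetry, map Sysmon Event ID 1 records onto the same fields. The bare-command-line check is the part that keeps noise down: AppLaunch.exe is a signed .NET host that is normally invoked with arguments by a Windows or Program Files parent, so the anomaly is a bare invocation from a user-writable directory, not AppLaunch.exe itself.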

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\am4Bj5wZ.exe

              Filesize

              1.0MB

              MD5

              a1f102d079667028ef76c6707bc29292

              SHA1

              42a76cfaf591201bfc000e55fa736c5f0e7b534c

              SHA256

              8f229f70b74527f775caa2811ce76fbd9942d5da2cf6a70d5c3f7115e4a854dc

              SHA512

              7b5a09932fe5f59b5deee567367defffff51ea224c9dc3839fd5d7af523e1d17fecdfe4579fdddd3c6481cab5fadad8fda6da8bf06d155e282411087fe83fd07

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo9Qh0IA.exe

              Filesize

              884KB

              MD5

              0ca21e75ae765e9336894b6f1559e257

              SHA1

              09f5a2d4ae1883b639c3d4a2d3512b68e2916c13

              SHA256

              0231a8b245aaa3281d7973118998fed869cc99a44ad56b8715b04d722010196b

              SHA512

              e0d2714c3f9d715460246342669a3e4f234e4f9a06553648a737eed0ba7ae75bdf00f0cee35bef7209ef3720f5c519a02c3a43c60c33043c933085924fc5d18b

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sw1ap1AQ.exe

              Filesize

              590KB

              MD5

              953f6f20547811723eef9d2b31995394

              SHA1

              2108a95bd73dea8b4fd7abc67a3e4333905faacc

              SHA256

              ec4469f238b205f8fa510a4bd070b0afe98a694c5c9a05b36cffa9d43f80a6bf

              SHA512

              49701f2ecd294aacb23323a59dab61faab3604e7eefa66b81dc3ef48f7426a996f8da0ff700cacd039f88b1a7dc3d38819c89ea12e8738fb433727199b91f8bd

            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bl3AC3oh.exe

              Filesize

              417KB

              MD5

              68a449da9a3f6b2866d77d751063d403

              SHA1

              06014bfe82a3ff82dbe81f2705973b15407bbfa0

              SHA256

              95730b6d23207d6d16569caf3b61d294fc3dedbc65955f8f9cdcc8e98a259c2d

              SHA512

              7f087ce3bf5004ea2612cacc1fe8038d2a5ac179ecec7cdab86f5174068dd00eb1647f1fb247ab757637edbad0bc50f8922cfec4e1efb5c7eee486ffdf0cbd5f

            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe

              Filesize

              378KB

              MD5

              f0831f173733de08511f3a0739f278a6

              SHA1

              06dc809d653c5d2c97386084ae13b50a73eb5b60

              SHA256

              8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

              SHA512

              19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

            • memory/5084-35-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

            • memory/5084-38-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

            • memory/5084-39-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

            • memory/5084-41-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB