Analysis
max time kernel: 69s
max time network: 74s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07/10/2023, 05:29
Static task: static1
Behavioral task: behavioral1
Sample: 618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe
Resource: win10-20230915-en
General
Target: 618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe
Size: 1.2MB
MD5: 1f2377c551e30a35e226a7ac40c2b78f
SHA1: 62afab15630e238061aa6b6b9bd6070760d29de4
SHA256: 618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d
SHA512: 46d9defe82cc96987f9931a08ad95327b1d012395fdefaf95e26d86a472081ccc5a1dad6ef5038d1ab3bb1952c6b9165e32ae71a5f09d92d69a3e98bc44cdc3e
SSDEEP: 24576:iyvTnLYZsXqZkShR34W+U1uze26lMuFZiSKDosmAkwO7SZs:JyDZkShR3BTR26PFsbDffO7SZ
Malware Config
Signatures
- Detect Mystic stealer payload (4 IoCs)
  yara_rule family_mystic matched on resource:
  behavioral1/memory/5084-35-0x0000000000400000-0x0000000000428000-memory.dmp
  behavioral1/memory/5084-38-0x0000000000400000-0x0000000000428000-memory.dmp
  behavioral1/memory/5084-39-0x0000000000400000-0x0000000000428000-memory.dmp
  behavioral1/memory/5084-41-0x0000000000400000-0x0000000000428000-memory.dmp
- Executes dropped EXE (5 IoCs)
  PID 1372: am4Bj5wZ.exe
  PID 1748: yo9Qh0IA.exe
  PID 4248: Sw1ap1AQ.exe
  PID 4216: bl3AC3oh.exe
  PID 4156: 1sa00VW0.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Set value (str) by Sw1ap1AQ.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
  Set value (str) by bl3AC3oh.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""
  Set value (str) by 618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Set value (str) by am4Bj5wZ.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Set value (str) by yo9Qh0IA.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- Suspicious use of SetThreadContext (1 IoC)
  PID 4156 (1sa00VW0.exe) set thread context of PID 5084 (procid_target 77)
- Program crash (2 IoCs)
  PID 5032 WerFault.exe, pid_target 4156 (procid_target 74)
  PID 2976 WerFault.exe, pid_target 5084 (procid_target 77)
- Suspicious use of WriteProcessMemory (28 IoCs)
  PID 4800 (618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe) wrote to memory of PID 1372 (procid_target 70), 3 events
  PID 1372 (am4Bj5wZ.exe) wrote to memory of PID 1748 (procid_target 71), 3 events
  PID 1748 (yo9Qh0IA.exe) wrote to memory of PID 4248 (procid_target 72), 3 events
  PID 4248 (Sw1ap1AQ.exe) wrote to memory of PID 4216 (procid_target 73), 3 events
  PID 4216 (bl3AC3oh.exe) wrote to memory of PID 4156 (procid_target 74), 3 events
  PID 4156 (1sa00VW0.exe) wrote to memory of PID 5112 (procid_target 76), 3 events
  PID 4156 (1sa00VW0.exe) wrote to memory of PID 5084 (procid_target 77), 10 events
Processes
- C:\Users\Admin\AppData\Local\Temp\618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe"
  PID: 4800
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\am4Bj5wZ.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\am4Bj5wZ.exe
    PID: 1372
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo9Qh0IA.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo9Qh0IA.exe
      PID: 1748
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sw1ap1AQ.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sw1ap1AQ.exe
        PID: 4248
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bl3AC3oh.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bl3AC3oh.exe
          PID: 4216
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe
            PID: 4156
            Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 5112
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 5084
              - C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 568
                PID: 2976
                Signatures: Program crash
            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 580
              PID: 5032
              Signatures: Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
  MD5: a1f102d079667028ef76c6707bc29292
  SHA1: 42a76cfaf591201bfc000e55fa736c5f0e7b534c
  SHA256: 8f229f70b74527f775caa2811ce76fbd9942d5da2cf6a70d5c3f7115e4a854dc
  SHA512: 7b5a09932fe5f59b5deee567367defffff51ea224c9dc3839fd5d7af523e1d17fecdfe4579fdddd3c6481cab5fadad8fda6da8bf06d155e282411087fe83fd07
- Filesize: 884KB
  MD5: 0ca21e75ae765e9336894b6f1559e257
  SHA1: 09f5a2d4ae1883b639c3d4a2d3512b68e2916c13
  SHA256: 0231a8b245aaa3281d7973118998fed869cc99a44ad56b8715b04d722010196b
  SHA512: e0d2714c3f9d715460246342669a3e4f234e4f9a06553648a737eed0ba7ae75bdf00f0cee35bef7209ef3720f5c519a02c3a43c60c33043c933085924fc5d18b
- Filesize: 590KB
  MD5: 953f6f20547811723eef9d2b31995394
  SHA1: 2108a95bd73dea8b4fd7abc67a3e4333905faacc
  SHA256: ec4469f238b205f8fa510a4bd070b0afe98a694c5c9a05b36cffa9d43f80a6bf
  SHA512: 49701f2ecd294aacb23323a59dab61faab3604e7eefa66b81dc3ef48f7426a996f8da0ff700cacd039f88b1a7dc3d38819c89ea12e8738fb433727199b91f8bd
- Filesize: 417KB
  MD5: 68a449da9a3f6b2866d77d751063d403
  SHA1: 06014bfe82a3ff82dbe81f2705973b15407bbfa0
  SHA256: 95730b6d23207d6d16569caf3b61d294fc3dedbc65955f8f9cdcc8e98a259c2d
  SHA512: 7f087ce3bf5004ea2612cacc1fe8038d2a5ac179ecec7cdab86f5174068dd00eb1647f1fb247ab757637edbad0bc50f8922cfec4e1efb5c7eee486ffdf0cbd5f
- Filesize: 378KB
  MD5: f0831f173733de08511f3a0739f278a6
  SHA1: 06dc809d653c5d2c97386084ae13b50a73eb5b60
  SHA256: 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
  SHA512: 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3