Analysis

max time kernel: 118s
max time network: 127s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07/10/2023, 06:17

Static task: static1
Behavioral task: behavioral1
Sample: 1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe
Resource: win10-20230915-en
General

Target: 1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe
Size: 1.2MB
MD5: 9dc924ed80ff29b7a4ef2f44196e7fa5
SHA1: 88df52d53a9f604a99aebe30d28e0ab22a15bc1c
SHA256: 1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52
SHA512: 03527a404893a44a35da238bad64ae5720f187f58b9068c84e5639e9321eb011a2d70c4944776a355e4e21e6e6ed6be48500c2aa26cdaef6992028c490bda942
SSDEEP: 24576:IysSRcVnMnIMy8VlI9H0q3/vz+MAakp3NMNNHT6T0nfm2wy1t0ebc5GWwb+u:PZ61MHk/rgp3NMbOgOY1pAA
Malware Config
Signatures

Detect Mystic stealer payload (4 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/memory/2236-35-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic |
| behavioral1/memory/2236-38-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic |
| behavioral1/memory/2236-39-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic |
| behavioral1/memory/2236-41-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic |

Executes dropped EXE (5 IoCs)

| pid | Process |
|---|---|
| 4704 | Oc9qu9gl.exe |
| 2628 | XP1vy3DE.exe |
| 4112 | FE7zP7SV.exe |
| 3044 | vX2PD5Dh.exe |
| 3236 | 1Vu14NQ5.exe |

Adds Run key to start application (2 TTPs, 5 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Oc9qu9gl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | XP1vy3DE.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | FE7zP7SV.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | vX2PD5Dh.exe |

Suspicious use of SetThreadContext (1 IoC)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3236 set thread context of 2236 | 3236 | 1Vu14NQ5.exe | 76 |

Program crash (2 IoCs)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 2084 | 3236 | WerFault.exe | 74 |
| 196 | 2236 | WerFault.exe | 76 |

Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed, occurrence count in the last column)

| description | pid | Process | procid_target | occurrences |
|---|---|---|---|---|
| PID 3432 wrote to memory of 4704 | 3432 | 1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe | 70 | 3 |
| PID 4704 wrote to memory of 2628 | 4704 | Oc9qu9gl.exe | 71 | 3 |
| PID 2628 wrote to memory of 4112 | 2628 | XP1vy3DE.exe | 72 | 3 |
| PID 4112 wrote to memory of 3044 | 4112 | FE7zP7SV.exe | 73 | 3 |
| PID 3044 wrote to memory of 3236 | 3044 | vX2PD5Dh.exe | 74 | 3 |
| PID 3236 wrote to memory of 2236 | 3236 | 1Vu14NQ5.exe | 76 | 10 |
Processes

- C:\Users\Admin\AppData\Local\Temp\1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe (PID 3432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe (PID 4704)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe (PID 2628)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe (PID 4112)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe (PID 3044)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe (PID 3236)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2236)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - C:\Windows\SysWOW64\WerFault.exe (PID 196)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 176
                - Program crash
            - C:\Windows\SysWOW64\WerFault.exe (PID 2084)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 200
              - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.0MB
MD5: d4f1bfc54555d4cd27c7a0918372e6e5
SHA1: 3db83fd1310ddb8a3c311eeaf9b732670daa15c3
SHA256: dac67c730f805dc3c8faaea68d6ba73a08f6e79566eb8d2ebdd1f561d0405cee
SHA512: 72ad606b959508db3507e85a0ec3d69bec74a709e48815ee43f190f3cdba0c09500fcfda34afeaf435ef0c669912194d6842a406cddeb60d6e5ed8ea3012c08a

Filesize: 884KB
MD5: bf126308e06d245b6bd0bb5e4c72dd81
SHA1: ac5d015dcb97014346aa3475ddb2b40a70412840
SHA256: 7e0b6068e313db54e82451a5414e0ed2a010f2ec958e1e7ddd5c1fd2f5138443
SHA512: 34bff4b5ea53a68a2af89c3a3658a56ca4a5418d51bf61e7bce8edb7b4a204687c8732826c6a24a27268b188a32a9dedcb53f30b3da1fe7cd1315ad6e5f252be

Filesize: 590KB
MD5: aee972d0841d3d678e9af0da29ac8f15
SHA1: d281198305b064f3aa11ae8aceee551e857ebf7f
SHA256: 0b02cd41f451366f66416890a0f7ccf7965f73d77531577720240a27992fbb77
SHA512: 520dab402627e34afa3cdb82eaa45690e65a6fab969d48b58df1265ea57d8c0c5defa15bc24079bbc4f2a17ad028b85f4fff6966d702b1dd71c80bb8c42727ae

Filesize: 417KB
MD5: 4c6fee8e2637ea49d6983d49aba60998
SHA1: 82c597e54eeceadb562819230f571c70fad22c6d
SHA256: b939f197fa860468fac181c6a8b15a9891c6c1b7697e3531bb73edd3692e3bfd
SHA512: a8c6c3fe34902c3d47411d583d0cd755d46abe2ad175f0b5a80fd213bea81576915f0478926e81e0bca6bd698af1a0fd6e47d00367168aa281827b505b170c9c

Filesize: 378KB
MD5: f0831f173733de08511f3a0739f278a6
SHA1: 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256: 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512: 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3