Analysis

  • max time kernel
    118s
  • max time network
    127s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    07/10/2023, 06:17

General

  • Target

    1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe

  • Size

    1.2MB

  • MD5

    9dc924ed80ff29b7a4ef2f44196e7fa5

  • SHA1

    88df52d53a9f604a99aebe30d28e0ab22a15bc1c

  • SHA256

    1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52

  • SHA512

    03527a404893a44a35da238bad64ae5720f187f58b9068c84e5639e9321eb011a2d70c4944776a355e4e21e6e6ed6be48500c2aa26cdaef6992028c490bda942

  • SSDEEP

    24576:IysSRcVnMnIMy8VlI9H0q3/vz+MAakp3NMNNHT6T0nfm2wy1t0ebc5GWwb+u:PZ61MHk/rgp3NMbOgOY1pAA

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe
    "C:\Users\Admin\AppData\Local\Temp\1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4112
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3044
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:3236
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                  PID:2236
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 176
                    8⤵
                    • Program crash
                    PID:196
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 200
                  7⤵
                  • Program crash
                  PID:2084

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe

            Filesize

            1.0MB

            MD5

            d4f1bfc54555d4cd27c7a0918372e6e5

            SHA1

            3db83fd1310ddb8a3c311eeaf9b732670daa15c3

            SHA256

            dac67c730f805dc3c8faaea68d6ba73a08f6e79566eb8d2ebdd1f561d0405cee

            SHA512

            72ad606b959508db3507e85a0ec3d69bec74a709e48815ee43f190f3cdba0c09500fcfda34afeaf435ef0c669912194d6842a406cddeb60d6e5ed8ea3012c08a

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe

            Filesize

            884KB

            MD5

            bf126308e06d245b6bd0bb5e4c72dd81

            SHA1

            ac5d015dcb97014346aa3475ddb2b40a70412840

            SHA256

            7e0b6068e313db54e82451a5414e0ed2a010f2ec958e1e7ddd5c1fd2f5138443

            SHA512

            34bff4b5ea53a68a2af89c3a3658a56ca4a5418d51bf61e7bce8edb7b4a204687c8732826c6a24a27268b188a32a9dedcb53f30b3da1fe7cd1315ad6e5f252be

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe

            Filesize

            590KB

            MD5

            aee972d0841d3d678e9af0da29ac8f15

            SHA1

            d281198305b064f3aa11ae8aceee551e857ebf7f

            SHA256

            0b02cd41f451366f66416890a0f7ccf7965f73d77531577720240a27992fbb77

            SHA512

            520dab402627e34afa3cdb82eaa45690e65a6fab969d48b58df1265ea57d8c0c5defa15bc24079bbc4f2a17ad028b85f4fff6966d702b1dd71c80bb8c42727ae

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe

            Filesize

            417KB

            MD5

            4c6fee8e2637ea49d6983d49aba60998

            SHA1

            82c597e54eeceadb562819230f571c70fad22c6d

            SHA256

            b939f197fa860468fac181c6a8b15a9891c6c1b7697e3531bb73edd3692e3bfd

            SHA512

            a8c6c3fe34902c3d47411d583d0cd755d46abe2ad175f0b5a80fd213bea81576915f0478926e81e0bca6bd698af1a0fd6e47d00367168aa281827b505b170c9c

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe

            Filesize

            378KB

            MD5

            f0831f173733de08511f3a0739f278a6

            SHA1

            06dc809d653c5d2c97386084ae13b50a73eb5b60

            SHA256

            8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

            SHA512

            19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

          • memory/2236-35-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/2236-38-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/2236-39-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/2236-41-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB