Analysis

max time kernel: 127s
max time network: 133s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07/10/2023, 05:36

Static task: static1
Behavioral task: behavioral1
Sample: fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe
Resource: win10-20230915-en
General

Target: fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe
Size: 1.2MB
MD5: 6166d64607711c5c13d3e34594f2c922
SHA1: 5d2d910948e64bfe6e643a7d28f3d584ecd0f892
SHA256: fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb
SHA512: 841e8cb00184591e680a67abd5e68999ea4f14659d61775ad4195586e2f051b039837241562f28985bbcd0ef59e5faf7f17cf1c46421ca43af78616b1e3779c1
SSDEEP: 24576:tyn6vnWcU7F6V27AD+iul7uBdfm+lQNn2oL4b9/xFh5PQHhCe:IwnsFE27Wk6BdufrL89JZIHs
Malware Config
Signatures
Detect Mystic stealer payload (4 IoCs)
resource | yara_rule
behavioral1/memory/3924-35-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/3924-38-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/3924-39-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/3924-41-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic

Executes dropped EXE (5 IoCs)
pid | Process
4192 | bV7tb1zA.exe
3680 | qp0HK7Ul.exe
3804 | rr4pb6lx.exe
5004 | mm6SB2Dy.exe
768 | 1Qq98rd6.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | bV7tb1zA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | qp0HK7Ul.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | rr4pb6lx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | mm6SB2Dy.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 768 set thread context of 3924 | 768 | 1Qq98rd6.exe | 76

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4424 | 768 | WerFault.exe | 74
4796 | 3924 | WerFault.exe | 76

Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 3896 wrote to memory of 4192 | 3896 | fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe | 70
PID 3896 wrote to memory of 4192 | 3896 | fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe | 70
PID 3896 wrote to memory of 4192 | 3896 | fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe | 70
PID 4192 wrote to memory of 3680 | 4192 | bV7tb1zA.exe | 71
PID 4192 wrote to memory of 3680 | 4192 | bV7tb1zA.exe | 71
PID 4192 wrote to memory of 3680 | 4192 | bV7tb1zA.exe | 71
PID 3680 wrote to memory of 3804 | 3680 | qp0HK7Ul.exe | 72
PID 3680 wrote to memory of 3804 | 3680 | qp0HK7Ul.exe | 72
PID 3680 wrote to memory of 3804 | 3680 | qp0HK7Ul.exe | 72
PID 3804 wrote to memory of 5004 | 3804 | rr4pb6lx.exe | 73
PID 3804 wrote to memory of 5004 | 3804 | rr4pb6lx.exe | 73
PID 3804 wrote to memory of 5004 | 3804 | rr4pb6lx.exe | 73
PID 5004 wrote to memory of 768 | 5004 | mm6SB2Dy.exe | 74
PID 5004 wrote to memory of 768 | 5004 | mm6SB2Dy.exe | 74
PID 5004 wrote to memory of 768 | 5004 | mm6SB2Dy.exe | 74
PID 768 wrote to memory of 3924 | 768 | 1Qq98rd6.exe | 76
PID 768 wrote to memory of 3924 | 768 | 1Qq98rd6.exe | 76
PID 768 wrote to memory of 3924 | 768 | 1Qq98rd6.exe | 76
PID 768 wrote to memory of 3924 | 768 | 1Qq98rd6.exe | 76
PID 768 wrote to memory of 3924 | 768 | 1Qq98rd6.exe | 76
PID 768 wrote to memory of 3924 | 768 | 1Qq98rd6.exe | 76
PID 768 wrote to memory of 3924 | 768 | 1Qq98rd6.exe | 76
PID 768 wrote to memory of 3924 | 768 | 1Qq98rd6.exe | 76
PID 768 wrote to memory of 3924 | 768 | 1Qq98rd6.exe | 76
PID 768 wrote to memory of 3924 | 768 | 1Qq98rd6.exe | 76
Processes

1. C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe"
   PID: 3896
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe
      PID: 4192
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe
         PID: 3680
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe
            PID: 3804
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe
               PID: 5004
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe
                  PID: 768
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                     Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                     PID: 3924

                     8. C:\Windows\SysWOW64\WerFault.exe
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 568
                        PID: 4796
                        - Program crash

                  7. C:\Windows\SysWOW64\WerFault.exe
                     Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 144
                     PID: 4424
                     - Program crash
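The rows above describe one chain: five nested IExpress self-extracting stages, each unpacked by wextract.exe into its own IXP00N.TMP folder and each registering a wextract_cleanup RunOnce value (an advpack DelNodeRunDLL32 call that deletes that folder at next logon; this is the SFX stub's own housekeeping, not persistence for the payload, although the sandbox files it under "Adds Run key"), and a final stage, 1Qq98rd6.exe, that writes into and then sets the thread context of a freshly started AppLaunch.exe, the region where the family_mystic YARA rule later matched in memory. The following Python is an added example, not part of the sandbox report, that rebuilds the chain from those rows and flags both behaviours. The event rows, image paths and RunOnce data are transcribed from the report (with identical WriteProcessMemory rows collapsed to one line each); the function names and the ATT&CK technique IDs attached to the findings are this example's own, not the report's.

```python
import re
from collections import Counter

# Constructed input: the report's WriteProcessMemory / SetThreadContext rows,
# transcribed with repeated identical rows collapsed to one line each.
MEMORY_EVENTS = """\
PID 3896 wrote to memory of 4192 3896 fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe 70
PID 4192 wrote to memory of 3680 4192 bV7tb1zA.exe 71
PID 3680 wrote to memory of 3804 3680 qp0HK7Ul.exe 72
PID 3804 wrote to memory of 5004 3804 rr4pb6lx.exe 73
PID 5004 wrote to memory of 768 5004 mm6SB2Dy.exe 74
PID 768 wrote to memory of 3924 768 1Qq98rd6.exe 76
PID 768 set thread context of 3924 768 1Qq98rd6.exe 76
"""

# Image path per PID, transcribed from the report's process tree.
IMAGE = {
    3896: r"C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe",
    4192: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe",
    3680: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe",
    3804: r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe",
    5004: r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe",
    768:  r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe",
    3924: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
}

# RunOnce values transcribed from the report: (value name, unescaped data).
_RUNONCE_FMT = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP00%d.TMP\"'
RUNONCE = [("wextract_cleanup%d" % i, _RUNONCE_FMT % i) for i in range(5)]

EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) \d+$")
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\")  # wextract extraction folder


def parse_events(text):
    """Return (src_pid, verb, dst_pid, src_image_name) for each parsable row."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return events


def parent_map(events):
    """Take the first process that wrote into a PID as that PID's parent.
    In this report every stage writes into the child it just spawned, so the
    write events reproduce the process tree."""
    parents = {}
    for src, verb, dst, _ in events:
        if verb == "wrote to memory of" and dst not in parents:
            parents[dst] = src
    return parents


def chain_to_root(pid, parents):
    """Ancestry of pid, root first."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def iexpress_stages(chain, image=IMAGE):
    """Count stages executing out of an IXP###.TMP folder."""
    return sum(1 for pid in chain if IXP_RE.search(image.get(pid, "")))


def hollowing_candidates(events, image=IMAGE):
    """(src, dst) pairs where src both wrote into dst and set a thread context
    in dst, and dst lives under C:\\Windows: the write-then-resume shape of
    hollowing a legitimate host binary."""
    writers = Counter((s, d) for s, v, d, _ in events if v == "wrote to memory of")
    ctx = {(s, d) for s, v, d, _ in events if v == "set thread context of"}
    return sorted((s, d) for (s, d) in ctx
                  if writers[(s, d)] and image.get(d, "").lower().startswith("c:\\windows\\"))


def wextract_cleanup_dirs(runonce=RUNONCE):
    """Extraction folders the SFX stubs scheduled for deletion at next logon."""
    dirs = []
    for name, data in runonce:
        m = IXP_RE.search(data)
        if name.startswith("wextract_cleanup") and "DelNodeRunDLL32" in data and m:
            dirs.append("IXP%s.TMP" % m.group(1))
    return dirs


def assess(events_text=MEMORY_EVENTS, image=IMAGE, runonce=RUNONCE):
    """Summarise the chain. The ATT&CK IDs are the standard ones for these
    behaviours (this example's mapping, not taken from the report)."""
    events = parse_events(events_text)
    parents = parent_map(events)
    hollow = hollowing_candidates(events, image)
    chain = chain_to_root(hollow[0][1], parents) if hollow else []
    techniques = []
    if wextract_cleanup_dirs(runonce):
        techniques.append("T1547.001 Registry Run Keys / Startup Folder (wextract cleanup stubs only)")
    if hollow:
        techniques.append("T1055.012 Process Hollowing")
    return {"chain": chain, "iexpress_stages": iexpress_stages(chain, image),
            "hollowing": hollow, "cleanup_dirs": wextract_cleanup_dirs(runonce),
            "techniques": techniques}


if __name__ == "__main__":
    for key, value in assess().items():
        print(key, value)
```

Run it directly to print the summary: a seven-process chain with five IXP stages, one hollowing pair (768 into 3924) and five cleanup folders. The WerFault rows are deliberately left out of the logic; both 1Qq98rd6.exe and the hollowed AppLaunch.exe crashed in the sandbox, and the report records no network activity, so there is no C2 indicator here to add.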
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.0MB
MD5: d3da42e88bd2c11504a978f1be9e2fc2
SHA1: 69adf4c22ec9ddf35c8189715d03ffc96d10505b
SHA256: 3f1fdb06f2d2df9f56632e7bdbaa7e9dc92d1985f527d7dc1618ba2de3256319
SHA512: bab5d6a51a1146b936e7219b6fb8c9ed4a367c6b35cc204b8301bed664420030c885d82952ac16ccaf1cc2119d3e3b26cbd677a48bac4a66b6954faf31b34da9

Filesize: 884KB
MD5: ca9c01310163d1c147ca4505207e1c9c
SHA1: e8abb26a431267b80f9d621c54bc50c00e4aeb9c
SHA256: 8529de491a2a0590d4f22d0e79a61a52401bef71a9a9fa63ef21339090de7a5b
SHA512: fa0fa5afb4debcfcac92afffb45d35f2c08b5b4c389bd9ff2726263b06b512d7f958c4f255caa7420cb0765097448f9dd9ee9127d1f7149e435e957ef8abee41

Filesize: 590KB
MD5: 9c238ca3a69f0c5b481a0a037a0cf6ef
SHA1: 9438335c07c5cf19de7c2302e8a6f98c23aa95c6
SHA256: 99feb47969ccc229401f2c996d99e7b9455030104873bfba2b4ddf1ef6fb3504
SHA512: e1c2d51222de3659e92225c79e5ac42e2da41683d87f053f651d7c3a5d1a7526d66bb1815e7e4c59d9f59c59206721d3315b77f0a234aa9d880fea3a9edf2be2

Filesize: 417KB
MD5: a5b1a870dd1633cec15a3b2d218e9ec0
SHA1: 5a31e3cb7c5ffd38d740ef7958a87cd75a84e97d
SHA256: 65eb5088cac764e5a35252fde315c16772fc54dcad1ff3ecae699f961c55b7f2
SHA512: 5dc87525a429a2940d43ed8dbc2e30f94b80be577879af5cb2d7a4ec426bf1f7be16dbdb1920d6f8d9acda14eaa07748a1f4433cb12eb042421204a2906ef8ed

Filesize: 378KB
MD5: f0831f173733de08511f3a0739f278a6
SHA1: 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256: 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512: 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3