Analysis

  • max time kernel
    127s
  • max time network
    133s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    07/10/2023, 05:36

General

  • Target

    fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe

  • Size

    1.2MB

  • MD5

    6166d64607711c5c13d3e34594f2c922

  • SHA1

    5d2d910948e64bfe6e643a7d28f3d584ecd0f892

  • SHA256

    fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb

  • SHA512

    841e8cb00184591e680a67abd5e68999ea4f14659d61775ad4195586e2f051b039837241562f28985bbcd0ef59e5faf7f17cf1c46421ca43af78616b1e3779c1

  • SSDEEP

    24576:tyn6vnWcU7F6V27AD+iul7uBdfm+lQNn2oL4b9/xFh5PQHhCe:IwnsFE27Wk6BdufrL89JZIHs

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe
    "C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3680
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3804
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:5004
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:768
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                  PID:3924
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 568
                    8⤵
                    • Program crash
                    PID:4796
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 144
                  7⤵
                  • Program crash
                  PID:4424
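The tree above is five nested self-extractor stages (the IXP000.TMP to IXP004.TMP directories are the extraction folders IExpress packages use under %TEMP%), each of which also adds a Run key, ending in 1Qq98rd6.exe using SetThreadContext and WriteProcessMemory and starting AppLaunch.exe with no arguments. That combination, together with the memory dumps taken from PID 3924 later on the page, is consistent with process hollowing of the .NET host, and the WerFault invoked with -p 3924 means the image written into that host crashed. The following Python is an added example, not part of the report or of any sandbox's code: it encodes those three observations as detection logic and runs them over a constructed event list that mirrors the tree (same PIDs, images and command lines). The `flags` field stands in for the behaviour signatures the sandbox attached to each process, the record layout is an assumed schema rather than a real EDR or Sysmon format, and the root process's parent PID (1234) is assumed.

```python
"""Flag the dropper chain, hollowing and host crash seen in the process tree above."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    flags: frozenset = frozenset()


T = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
WER = r"C:\Windows\SysWOW64\WerFault.exe"
DROP = frozenset({"AddsRunKey", "WriteProcessMemory"})

# Constructed events mirroring the report's Processes tree (parent of the root is assumed).
EVENTS = [
    Proc(3896, 1234, T + r"\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe",
         '"' + T + r'\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe"', DROP),
    Proc(4192, 3896, T + r"\IXP000.TMP\bV7tb1zA.exe", T + r"\IXP000.TMP\bV7tb1zA.exe", DROP),
    Proc(3680, 4192, T + r"\IXP001.TMP\qp0HK7Ul.exe", T + r"\IXP001.TMP\qp0HK7Ul.exe", DROP),
    Proc(3804, 3680, T + r"\IXP002.TMP\rr4pb6lx.exe", T + r"\IXP002.TMP\rr4pb6lx.exe", DROP),
    Proc(5004, 3804, T + r"\IXP003.TMP\mm6SB2Dy.exe", T + r"\IXP003.TMP\mm6SB2Dy.exe", DROP),
    Proc(768, 5004, T + r"\IXP004.TMP\1Qq98rd6.exe", T + r"\IXP004.TMP\1Qq98rd6.exe",
         frozenset({"SetThreadContext", "WriteProcessMemory"})),
    Proc(3924, 768, NET, '"' + NET + '"'),
    Proc(4796, 3924, WER, WER + " -u -p 3924 -s 568"),
    Proc(4424, 768, WER, WER + " -u -p 768 -s 144"),
]

IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)
# .NET utilities commonly abused as hollowing hosts; AppLaunch.exe is the one in this tree.
HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
WERFAULT_PID = re.compile(r"\\WerFault\.exe\s.*-p\s+(\d+)", re.IGNORECASE)


def index(events):
    by_pid = {p.pid: p for p in events}
    children = {}
    for p in events:
        children.setdefault(p.ppid, []).append(p)
    return by_pid, children


def ixp_depth(proc, by_pid):
    """Count consecutive IXPnnn.TMP stages ending at proc (IExpress self-extractor nesting)."""
    depth, cur = 0, proc
    while cur is not None and IXP_DIR.search(cur.image):
        depth += 1
        cur = by_pid.get(cur.ppid)
    return depth


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events, min_stages=3):
    """Return (finding, subject_pid, detail) tuples for the three behaviours of interest."""
    by_pid, children = index(events)
    findings = []

    # 1. Nested IExpress dropper chain: every stage unpacks into Temp\IXPnnn.TMP and runs the next.
    deepest = max(events, key=lambda p: ixp_depth(p, by_pid))
    if ixp_depth(deepest, by_pid) >= min_stages:
        findings.append(("nested_iexpress_chain", deepest.pid, ixp_depth(deepest, by_pid)))

    # 2. Hollowing candidate: a process that used SetThreadContext and WriteProcessMemory
    #    spawned a known host binary with no arguments (a bare AppLaunch.exe does nothing useful).
    for p in events:
        if {"SetThreadContext", "WriteProcessMemory"} <= p.flags:
            for c in children.get(p.pid, []):
                bare = c.cmdline.strip().strip('"') == c.image
                if basename(c.image) in HOSTS and bare:
                    findings.append(("probable_process_hollowing", p.pid, c.pid))

    # 3. WerFault reporting on the hollowed host means the injected image crashed inside it.
    hollowed = {f[2] for f in findings if f[0] == "probable_process_hollowing"}
    for p in events:
        m = WERFAULT_PID.search(p.cmdline)
        if m and int(m.group(1)) in hollowed:
            findings.append(("hollowed_host_crashed", int(m.group(1)), p.pid))
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The second check deliberately keys on the child being started bare: a legitimate AppLaunch.exe invocation carries the assembly it should run on the command line, so an argument-less start from a parent that has just called SetThreadContext is the discriminating combination, not either API on its own. The WerFault for PID 768 (the injector itself) is not reported, because only crashes of a hollowed host are of interest here.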

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe

            Filesize

            1.0MB

            MD5

            d3da42e88bd2c11504a978f1be9e2fc2

            SHA1

            69adf4c22ec9ddf35c8189715d03ffc96d10505b

            SHA256

            3f1fdb06f2d2df9f56632e7bdbaa7e9dc92d1985f527d7dc1618ba2de3256319

            SHA512

            bab5d6a51a1146b936e7219b6fb8c9ed4a367c6b35cc204b8301bed664420030c885d82952ac16ccaf1cc2119d3e3b26cbd677a48bac4a66b6954faf31b34da9

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe

            Filesize

            884KB

            MD5

            ca9c01310163d1c147ca4505207e1c9c

            SHA1

            e8abb26a431267b80f9d621c54bc50c00e4aeb9c

            SHA256

            8529de491a2a0590d4f22d0e79a61a52401bef71a9a9fa63ef21339090de7a5b

            SHA512

            fa0fa5afb4debcfcac92afffb45d35f2c08b5b4c389bd9ff2726263b06b512d7f958c4f255caa7420cb0765097448f9dd9ee9127d1f7149e435e957ef8abee41

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe

            Filesize

            590KB

            MD5

            9c238ca3a69f0c5b481a0a037a0cf6ef

            SHA1

            9438335c07c5cf19de7c2302e8a6f98c23aa95c6

            SHA256

            99feb47969ccc229401f2c996d99e7b9455030104873bfba2b4ddf1ef6fb3504

            SHA512

            e1c2d51222de3659e92225c79e5ac42e2da41683d87f053f651d7c3a5d1a7526d66bb1815e7e4c59d9f59c59206721d3315b77f0a234aa9d880fea3a9edf2be2

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe

            Filesize

            417KB

            MD5

            a5b1a870dd1633cec15a3b2d218e9ec0

            SHA1

            5a31e3cb7c5ffd38d740ef7958a87cd75a84e97d

            SHA256

            65eb5088cac764e5a35252fde315c16772fc54dcad1ff3ecae699f961c55b7f2

            SHA512

            5dc87525a429a2940d43ed8dbc2e30f94b80be577879af5cb2d7a4ec426bf1f7be16dbdb1920d6f8d9acda14eaa07748a1f4433cb12eb042421204a2906ef8ed

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe

            Filesize

            378KB

            MD5

            f0831f173733de08511f3a0739f278a6

            SHA1

            06dc809d653c5d2c97386084ae13b50a73eb5b60

            SHA256

            8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

            SHA512

            19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

          • memory/3924-35-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/3924-38-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/3924-39-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/3924-41-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB
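All four dumps come from PID 3924 (the AppLaunch.exe child) and cover the same 160KB region starting at 0x400000, the default image base of a 32-bit executable; the WerFault that handled its crash ran from SysWOW64, so the host was a 32-bit process. Those two facts are what a practitioner checks before treating a dump as the unpacked payload: does it start with a PE image, and is that image x86. The following Python is an added example, not part of the report: it parses the dump names listed above and runs that check on a buffer. The dump contents are constructed (a minimal MZ/PE header padded to the dumped size), since the real .dmp files are not on the page.

```python
"""Parse sandbox memory-dump names and test a dumped region for a 32-bit PE image at offset 0."""
import re
import struct

DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp",
    re.IGNORECASE,
)
IMAGE_FILE_MACHINE_I386 = 0x14C

# Dump names exactly as listed above.
DUMPS = [
    "memory/3924-35-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/3924-38-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/3924-39-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/3924-41-0x0000000000400000-0x0000000000428000-memory.dmp",
]


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, base address and region size in bytes."""
    m = DUMP_NAME.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "base": start, "size": end - start}


def pe_machine(buf):
    """Return the COFF Machine field if buf starts with a DOS header that points at a PE signature, else None."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 6 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", buf, e_lfanew + 4)[0]


def triage(names, buf):
    """Summarise a dump set and whether the dumped region holds an x86 PE image."""
    regions = [parse_dump_name(n) for n in names]
    machine = pe_machine(buf)
    return {
        "pids": sorted({r["pid"] for r in regions}),
        # One region dumped repeatedly: the sandbox snapshotted the same image at successive points.
        "same_region": len({(r["pid"], r["base"], r["size"]) for r in regions}) == 1,
        "size_kb": regions[0]["size"] // 1024,
        "is_pe": machine is not None,
        "is_x86": machine == IMAGE_FILE_MACHINE_I386,  # expected, given the SysWOW64 WerFault
    }


def constructed_dump(size, machine=IMAGE_FILE_MACHINE_I386):
    """Stand-in dump (constructed, not the sample): DOS header, PE signature, COFF header, zero padding."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)  # Machine, NumberOfSections, ... Characteristics
    body = bytes(dos) + b"PE\0\0" + coff
    return body + b"\0" * (size - len(body))


if __name__ == "__main__":
    region = parse_dump_name(DUMPS[0])
    print(region)
    print(triage(DUMPS, constructed_dump(region["size"])))
```

On a real dump the same call tells you whether the region is a usable image (MZ/PE present, Machine 0x14C) or merely a sandbox snapshot of an unmapped or partially written region; a region at 0x400000 that fails the check is not yet the payload and the later sequence numbers should be tried.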