Analysis
Max time kernel: 107s
Max time network: 117s
Platform: windows10-1703_x64
Resource: win10-20230915-en
Resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 07/10/2023, 05:43
Static task: static1
Behavioral task: behavioral1
Sample: 1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850.exe
Resource: win10-20230915-en
General
Target: 1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850.exe
Size: 1.2MB
MD5: 27055fccd13cd5bb1a7c21bd5f6d5f0c
SHA1: 47e458ce6557bf7b240a66f67aacb69aec316f18
SHA256: 1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850
SHA512: b8102ee8b391df7b9806c27cca8da2a4cebcc297c5d5e35c9b57e7e24f7503442808eb3a18ac7fb997fa8b2123d3b7c088df5c43203e91d20f417801f72e2b3c
SSDEEP: 24576:GyeG6Er8yapnWDkwSOyZ8e0ixVyU+5YK9E+t7CmrP/RELB:VG+ZapnWDGOYJFxV1LK9E+jZ
Malware Config
Signatures
-
Detect Mystic stealer payload (4 IoCs)
resource | yara_rule
behavioral1/memory/4480-35-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/4480-38-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/4480-39-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/4480-41-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
-
Executes dropped EXE (5 IoCs)
pid | Process
3896 | dk4zG5MA.exe
4288 | mA2HM7os.exe
4256 | sL7mS2Tz.exe
4420 | Dp5zA7vB.exe
2480 | 1hD41Mq6.exe
-
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | Dp5zA7vB.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | dk4zG5MA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | mA2HM7os.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | sL7mS2Tz.exe
-
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2480 set thread context of 4480 | 2480 | 1hD41Mq6.exe | 76
-
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
928 | 2480 | WerFault.exe | 74
3284 | 4480 | WerFault.exe | 76
-
Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 4520 wrote to memory of 3896 | 4520 | 1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850.exe | 70
PID 4520 wrote to memory of 3896 | 4520 | 1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850.exe | 70
PID 4520 wrote to memory of 3896 | 4520 | 1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850.exe | 70
PID 3896 wrote to memory of 4288 | 3896 | dk4zG5MA.exe | 71
PID 3896 wrote to memory of 4288 | 3896 | dk4zG5MA.exe | 71
PID 3896 wrote to memory of 4288 | 3896 | dk4zG5MA.exe | 71
PID 4288 wrote to memory of 4256 | 4288 | mA2HM7os.exe | 72
PID 4288 wrote to memory of 4256 | 4288 | mA2HM7os.exe | 72
PID 4288 wrote to memory of 4256 | 4288 | mA2HM7os.exe | 72
PID 4256 wrote to memory of 4420 | 4256 | sL7mS2Tz.exe | 73
PID 4256 wrote to memory of 4420 | 4256 | sL7mS2Tz.exe | 73
PID 4256 wrote to memory of 4420 | 4256 | sL7mS2Tz.exe | 73
PID 4420 wrote to memory of 2480 | 4420 | Dp5zA7vB.exe | 74
PID 4420 wrote to memory of 2480 | 4420 | Dp5zA7vB.exe | 74
PID 4420 wrote to memory of 2480 | 4420 | Dp5zA7vB.exe | 74
PID 2480 wrote to memory of 4480 | 2480 | 1hD41Mq6.exe | 76
PID 2480 wrote to memory of 4480 | 2480 | 1hD41Mq6.exe | 76
PID 2480 wrote to memory of 4480 | 2480 | 1hD41Mq6.exe | 76
PID 2480 wrote to memory of 4480 | 2480 | 1hD41Mq6.exe | 76
PID 2480 wrote to memory of 4480 | 2480 | 1hD41Mq6.exe | 76
PID 2480 wrote to memory of 4480 | 2480 | 1hD41Mq6.exe | 76
PID 2480 wrote to memory of 4480 | 2480 | 1hD41Mq6.exe | 76
PID 2480 wrote to memory of 4480 | 2480 | 1hD41Mq6.exe | 76
PID 2480 wrote to memory of 4480 | 2480 | 1hD41Mq6.exe | 76
PID 2480 wrote to memory of 4480 | 2480 | 1hD41Mq6.exe | 76
Processes
-
Process tree (indentation shows parent/child relationship; the original report's trailing level numbers have been dropped):
C:\Users\Admin\AppData\Local\Temp\1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850.exe (PID 4520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dk4zG5MA.exe (PID 3896)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dk4zG5MA.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mA2HM7os.exe (PID 4288)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mA2HM7os.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sL7mS2Tz.exe (PID 4256)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sL7mS2Tz.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dp5zA7vB.exe (PID 4420)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dp5zA7vB.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hD41Mq6.exe (PID 2480)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hD41Mq6.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4480)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              C:\Windows\SysWOW64\WerFault.exe (PID 3284)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 568
                - Program crash
            C:\Windows\SysWOW64\WerFault.exe (PID 928)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 588
              - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.0MB
MD5: d1a7d571e01718c3ca8a5847dcc74a18
SHA1: 76c6f44074922ebce33319243e91c6fe482cb5b8
SHA256: 8aae25c2d677508e2d397e8bb43f76476d9084dfbd2cadf023f0c2def54ab627
SHA512: a30443a9f9511ea4f0e21065eff4037e380eeed70d7c16702b8e5ca51f1ecd171905c3e33fa57f4e3c48d83938731c0e740dce9490320893937b3b6f3b438dba
-
Filesize: 884KB
MD5: b76e5bb2b2bcb1c45f4732bae27648ce
SHA1: 582205cbe1ef05c525c49d762bf9d0138d2fabd9
SHA256: aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96
SHA512: b5df9d18ba2fd30ba47211d12d0dce5b79663415b4f67aca0faa27314ecadf9d573bb32d16f767408efe4c906890b8d240abdd415826ff5ec95d519708d01284
-
Filesize: 590KB
MD5: 946af263c73122ad4ee5099272530eb8
SHA1: 3f8bf4fec7400c77ff33606e8f976225f9b9652b
SHA256: f1620cc3419a4d787de01a5b658e1d4664280f8a5a75718c213915022285257b
SHA512: 3d9794d39b10aa0186ab922307f3f4c2e97bfc95a4fff20587dea0e1be28f54492c4d36d7bc0ab0ca30d4717a9e3032daeec7d2694ada37586dff54c1ba43b16
-
Filesize: 417KB
MD5: e1c9d4f85608f0e6448ed8db61a5896a
SHA1: 188fc05f4c991148ea07aca59981c080004a2018
SHA256: fea82e7b3763a4a247e5d137baf84d23cfbc160bafa740755796be846b58f83d
SHA512: 59c83eae8949a8346016bd510d6f3ab1fbfdd50591e516c54bec47ff2d55343a05dcc85f279cf31aabdfb4c3dbd4e157bac1d6a9b8b4454911b5f9f0b29d7b53
-
Filesize: 378KB
MD5: f0831f173733de08511f3a0739f278a6
SHA1: 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256: 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512: 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3