Analysis

  • max time kernel
    107s
  • max time network
    117s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    07/10/2023, 05:43

General

  • Target

    1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850.exe

  • Size

    1.2MB

  • MD5

    27055fccd13cd5bb1a7c21bd5f6d5f0c

  • SHA1

    47e458ce6557bf7b240a66f67aacb69aec316f18

  • SHA256

    1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850

  • SHA512

    b8102ee8b391df7b9806c27cca8da2a4cebcc297c5d5e35c9b57e7e24f7503442808eb3a18ac7fb997fa8b2123d3b7c088df5c43203e91d20f417801f72e2b3c

  • SSDEEP

    24576:GyeG6Er8yapnWDkwSOyZ8e0ixVyU+5YK9E+t7CmrP/RELB:VG+ZapnWDGOYJFxV1LK9E+jZ

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850.exe
    "C:\Users\Admin\AppData\Local\Temp\1265c9feb2661ff66f75d4696eade4397f9a8871b82ed6714f79003db769a850.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dk4zG5MA.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dk4zG5MA.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mA2HM7os.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mA2HM7os.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4288
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sL7mS2Tz.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sL7mS2Tz.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4256
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dp5zA7vB.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dp5zA7vB.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4420
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hD41Mq6.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hD41Mq6.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2480
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                PID:4480
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 568
                    8⤵
                    • Program crash
                    PID:3284
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 588
                  7⤵
                  • Program crash
                  PID:928

    Network

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dk4zG5MA.exe

            Filesize

            1.0MB

            MD5

            d1a7d571e01718c3ca8a5847dcc74a18

            SHA1

            76c6f44074922ebce33319243e91c6fe482cb5b8

            SHA256

            8aae25c2d677508e2d397e8bb43f76476d9084dfbd2cadf023f0c2def54ab627

            SHA512

            a30443a9f9511ea4f0e21065eff4037e380eeed70d7c16702b8e5ca51f1ecd171905c3e33fa57f4e3c48d83938731c0e740dce9490320893937b3b6f3b438dba

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mA2HM7os.exe

            Filesize

            884KB

            MD5

            b76e5bb2b2bcb1c45f4732bae27648ce

            SHA1

            582205cbe1ef05c525c49d762bf9d0138d2fabd9

            SHA256

            aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96

            SHA512

            b5df9d18ba2fd30ba47211d12d0dce5b79663415b4f67aca0faa27314ecadf9d573bb32d16f767408efe4c906890b8d240abdd415826ff5ec95d519708d01284

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sL7mS2Tz.exe

            Filesize

            590KB

            MD5

            946af263c73122ad4ee5099272530eb8

            SHA1

            3f8bf4fec7400c77ff33606e8f976225f9b9652b

            SHA256

            f1620cc3419a4d787de01a5b658e1d4664280f8a5a75718c213915022285257b

            SHA512

            3d9794d39b10aa0186ab922307f3f4c2e97bfc95a4fff20587dea0e1be28f54492c4d36d7bc0ab0ca30d4717a9e3032daeec7d2694ada37586dff54c1ba43b16

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dp5zA7vB.exe

            Filesize

            417KB

            MD5

            e1c9d4f85608f0e6448ed8db61a5896a

            SHA1

            188fc05f4c991148ea07aca59981c080004a2018

            SHA256

            fea82e7b3763a4a247e5d137baf84d23cfbc160bafa740755796be846b58f83d

            SHA512

            59c83eae8949a8346016bd510d6f3ab1fbfdd50591e516c54bec47ff2d55343a05dcc85f279cf31aabdfb4c3dbd4e157bac1d6a9b8b4454911b5f9f0b29d7b53

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hD41Mq6.exe

            Filesize

            378KB

            MD5

            f0831f173733de08511f3a0739f278a6

            SHA1

            06dc809d653c5d2c97386084ae13b50a73eb5b60

            SHA256

            8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

            SHA512

            19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

          • memory/4480-35-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/4480-38-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/4480-39-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

          • memory/4480-41-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB