Analysis Overview
SHA256
164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053
Threat Level: Known bad
The file 164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053 was found to be: Known bad.
Malicious Activity Summary
Detect Mystic stealer payload
Modifies Windows Defender Real-time Protection settings
Mystic
Executes dropped EXE
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-07 06:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-07 06:03
Reported
2023-10-07 06:06
Platform
win10-20230915-en
Max time kernel
112s
Max time network
115s
Command Line
Signatures
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | N/A |
Mystic
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | N/A |
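The registry writes above record what the sample attempted, not what took effect. The five Real-Time Protection values sit under HKLM\SOFTWARE\Policies, which is a shared (non-WOW64-redirected) key, so the 32-bit process reached the real policy key. The TamperProtection write, by contrast, landed in WOW6432Node, the redirected 32-bit view, which is not the key the 64-bit Defender service reads, and Tamper Protection exists precisely to ignore such changes. The PowerShell audit below is an added example and is not part of this report; it assumes an elevated session on 64-bit Windows with the Defender module available, checks both registry views against what the Defender service itself reports, and leaves remediation commented out.

```powershell
# Added example, not from the sandbox report. Audits the Defender settings this sample wrote.
# Assumes 64-bit Windows, an elevated session, and the Defender PowerShell module (Get-MpComputerStatus).

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$policyVals = 'DisableScanOnRealtimeEnable', 'DisableBehaviorMonitoring',
              'DisableIOAVProtection', 'DisableOnAccessProtection', 'DisableRealtimeMonitoring'

# The native key is the one the 64-bit Defender service reads; the WOW6432Node key is where a
# 32-bit process (like 1RJ79nC7.exe) lands when it writes HKLM\SOFTWARE\Microsoft\... unqualified.
$featureKeys = [ordered]@{
    'native'      = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    'WOW6432Node' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features'
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Policy values: HKLM\SOFTWARE\Policies is a shared (non-redirected) key, so these writes are real.
if (Test-Path $policyKey) {
    $p = Get-ItemProperty -Path $policyKey
    foreach ($name in $policyVals) {
        $val = $p.PSObject.Properties[$name].Value
        if ($null -ne $val) {
            $findings.Add([pscustomobject]@{
                Check  = "Policy\$name"
                Value  = $val
                Status = $(if ($val -eq 1) { 'TAMPERED' } else { 'set (0)' })
            })
        }
    }
}

# 2. TamperProtection in both registry views.
foreach ($view in $featureKeys.Keys) {
    $tp = (Get-ItemProperty -Path $featureKeys[$view] -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection
    $findings.Add([pscustomobject]@{
        Check  = "Features\TamperProtection [$view]"
        Value  = $tp
        Status = $(if ($tp -eq 0) { 'TAMPERED' } elseif ($null -eq $tp) { 'absent' } else { 'ok' })
    })
}

# 3. Ground truth: what the Defender service actually reports, regardless of what the registry says.
$mp = Get-MpComputerStatus
foreach ($prop in 'RealTimeProtectionEnabled', 'BehaviorMonitorEnabled', 'IoavProtectionEnabled',
                  'OnAccessProtectionEnabled', 'IsTamperProtected') {
    $findings.Add([pscustomobject]@{
        Check  = "Get-MpComputerStatus.$prop"
        Value  = $mp.$prop
        Status = $(if ($mp.$prop) { 'ok' } else { 'DISABLED' })
    })
}

$findings | Format-Table -AutoSize

# Remediation, deliberately commented out: only remove the policy values once you have confirmed
# they are not set by your own Group Policy (a GPO-managed key is re-applied by gpupdate).
# Remove-ItemProperty -Path $policyKey -Name $policyVals -ErrorAction SilentlyContinue
# Set-MpPreference -DisableRealtimeMonitoring $false
```

A policy value of 1 together with Get-MpComputerStatus reporting the feature enabled means Tamper Protection absorbed the change; a value of 1 with the feature reported disabled is a live finding that needs the commented-out remediation and a review of who set the policy.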
Adds Run key to start application
(The wextract_cleanupN RunOnce values below are the self-cleanup stubs written by the Windows IExpress self-extractor (wextract): each calls advpack.dll DelNodeRunDLL32 to delete its IXP00N.TMP extraction directory at next logon. They identify four nested self-extracting wrappers, not a persistence mechanism for the payload.)
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4292 set thread context of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
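The SetThreadContext call into a freshly started AppLaunch.exe is the classic process-hollowing sequence (create suspended, WriteProcessMemory, SetThreadContext, resume), and the 0x400000-0x428000 dumps for PID 4576 in the Files section are the replaced image. Sysmon and most EDR telemetry do not log SetThreadContext itself (the sandbox's API hooks do), so the observable pattern in process-creation logs is a known hollowing host started with no arguments by a parent running from a user-writable Temp directory. The PowerShell below is an added example, not from the report: it runs that heuristic over constructed Sysmon-style Event ID 1 records modelled on this detonation (PIDs 4292 and 4576 come from the report; the other PIDs, the control parent and its arguments are invented), and the host-binary list is an assumption to tune for your environment.

```powershell
# Added example, not from the sandbox report. Constructed Sysmon EventID 1 style records that
# mirror the detonation above (PIDs 4292/4576 are from the report; 1000-1002 are invented).
$events = @(
    [pscustomobject]@{ ProcessId = 4576; ParentProcessId = 4292
        Image       = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe'
        CommandLine = '"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'
        ParentImage = 'C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe' }
    # Control case (invented): same host binary, launched with arguments by a program under Program Files.
    [pscustomobject]@{ ProcessId = 1001; ParentProcessId = 1000
        Image       = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe'
        CommandLine = '"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" /example-arg'
        ParentImage = 'C:\Program Files\Contoso\setup.exe' }
    # Control case: same suspicious parent, but the child is not a hollowing host.
    [pscustomobject]@{ ProcessId = 1002; ParentProcessId = 4292
        Image       = 'C:\Windows\SysWOW64\WerFault.exe'
        CommandLine = 'C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 212'
        ParentImage = 'C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe' }
)

# Signed .NET Framework binaries commonly chosen as hollowing hosts (assumption: extend for your estate).
$hollowHosts = @('AppLaunch.exe', 'RegAsm.exe', 'RegSvcs.exe', 'MSBuild.exe', 'InstallUtil.exe', 'vbc.exe', 'csc.exe')

function Test-HollowingCandidate {
    param([Parameter(Mandatory)][pscustomobject]$Event)
    $leaf = Split-Path -Leaf $Event.Image
    if ($hollowHosts -notcontains $leaf) { return $false }
    # Strip optional surrounding quotes; a command line that is just the image path is the tell,
    # because a hollowed host is started only so its address space can be replaced.
    $cmd    = $Event.CommandLine.Trim() -replace '^"([^"]*)"$', '$1'
    $noArgs = ($cmd -ieq $Event.Image)
    # Parent executing from a user-writable Temp directory (IXPnnn.TMP is the IExpress extraction dir).
    $suspectParent = $Event.ParentImage -imatch '\\AppData\\Local\\Temp\\'
    return [bool]($noArgs -and $suspectParent)
}

$events |
    Where-Object { Test-HollowingCandidate $_ } |
    Select-Object ProcessId, ParentProcessId, ParentImage, Image |
    Format-Table -AutoSize
```

The two conditions are deliberately both required: a bare AppLaunch.exe command line alone fires on some legitimate launchers, and a Temp-resident parent alone fires on every installer. When the heuristic matches, the follow-up is a memory dump of the child, which in this detonation is where the Mystic payload lives.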
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe | "C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 212 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 568 |
Network
(Only reverse-DNS PTR queries to 8.8.8.8 were captured; no payload download or C2 traffic is recorded for this detonation.)
| Country | Destination | Query (PTR) | Proto |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe
| MD5 | 2fb7beb720c0473999af5c13f0e0c565 |
| SHA1 | a0dd87c1dac6e94544f632a7058feb87fc44e510 |
| SHA256 | 9fe3268ddf21544a41f5da9860a62dc8ea927f37a5ce817a7f8918b1fec2436a |
| SHA512 | 27dfaaa7eb74ac0841c6a46061f05744be6bca16eaa569e5bd83ae1f957bca3ddce6d0e6d8ab3ed251e8a9393f0159e09cd8a1784a6db09913d660a5f250ac5c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe
| MD5 | fd26daf07ff629f52e5bce288bd760cb |
| SHA1 | abbcfe1a49d1aee2b575a2076d02631c6aea7210 |
| SHA256 | f8c9b40cce4f22b3bb440369e5f59a709fc64ac1606ee904df15453472e7099e |
| SHA512 | d047c24dceb751d83e53eebe64573f2289eec677d1ae4312600b0084db009b1e8356746971a935d9e225d2493ca506cb8740313611498063f34c44ab13915730 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe
| MD5 | 1eb6aa8674c547a3f0a5786e985a6d2e |
| SHA1 | 86c7f53dd032ffc5cef5bda714b1cf3c2fc3eca3 |
| SHA256 | e4bc9d516cb00d7926811e95cfc6bb15e85a257d2254d0fb061358c8fddc171a |
| SHA512 | 7e26f39d87892c6a562990087183ebc5c9ef19cc939ea7a47a98e98299addb30cbe167521898bc711cc117ed5395c21334f047ec4fd3502e46041457db7cc272 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe
| MD5 | 8904f85abd522c7d0cb5789d9583ccff |
| SHA1 | 5b34d8595b37c9e1fb9682b06dc5228efe07f0c6 |
| SHA256 | 7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f |
| SHA512 | 04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12 |
memory/920-29-0x0000000073520000-0x0000000073C0E000-memory.dmp
memory/920-28-0x0000000001FF0000-0x000000000200E000-memory.dmp
memory/920-30-0x0000000004B60000-0x000000000505E000-memory.dmp
memory/920-31-0x0000000002440000-0x000000000245C000-memory.dmp
memory/920-32-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-33-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-35-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-37-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-39-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-41-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-43-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-45-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-47-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-49-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-51-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-53-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-55-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-57-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-59-0x0000000002440000-0x0000000002456000-memory.dmp
memory/920-60-0x0000000073520000-0x0000000073C0E000-memory.dmp
memory/920-62-0x0000000073520000-0x0000000073C0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe
| MD5 | f0831f173733de08511f3a0739f278a6 |
| SHA1 | 06dc809d653c5d2c97386084ae13b50a73eb5b60 |
| SHA256 | 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27 |
| SHA512 | 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3 |
memory/4576-66-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4576-69-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4576-70-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4576-72-0x0000000000400000-0x0000000000428000-memory.dmp
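The file hashes, the IXPnnn.TMP extraction directories and the wextract_cleanup RunOnce values above are all usable as host IOCs, and the RunOnce values outlive the directories they were written to delete. The PowerShell sweep below is an added example and not part of this report: it hashes whatever is still present in IExpress extraction directories under every profile's Temp and compares against the report's SHA256 set, lists wextract_cleanup RunOnce values from the three RunOnce keys, and looks for WER crash reports for the two processes that crashed here. It assumes local admin rights, the standard per-user WER report store layout, and that the sample ran under an interactive user profile as it did in the sandbox.

```powershell
# Added example, not from the sandbox report. Hunts a host for the file and registry artefacts above.
# Assumes local admin rights; paths generalise the sandbox's C:\Users\Admin layout to every profile.

# SHA256 values copied from the Files section, plus the submitted sample.
$iocSha256 = @(
    '164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053'  # submitted sample
    '9fe3268ddf21544a41f5da9860a62dc8ea927f37a5ce817a7f8918b1fec2436a'  # IXP000.TMP\uQ6fx10.exe
    'f8c9b40cce4f22b3bb440369e5f59a709fc64ac1606ee904df15453472e7099e'  # IXP001.TMP\It8Bs50.exe
    'e4bc9d516cb00d7926811e95cfc6bb15e85a257d2254d0fb061358c8fddc171a'  # IXP002.TMP\In9DE33.exe
    '7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f'  # IXP003.TMP\1RJ79nC7.exe
    '8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27'  # IXP003.TMP\2hJ3214.exe
)

$hits = New-Object System.Collections.Generic.List[object]

# 1. Files: hash everything left in IExpress extraction directories (IXPnnn.TMP) in any profile's Temp.
#    Unknown hashes are still reported: a re-packed build of the same chain drops new hashes into the same dirs.
$ixpDirs = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp\IXP*.TMP' -Directory -ErrorAction SilentlyContinue
foreach ($dir in $ixpDirs) {
    foreach ($f in Get-ChildItem -Path $dir.FullName -File -Recurse -ErrorAction SilentlyContinue) {
        $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $hits.Add([pscustomobject]@{
            Kind   = $(if ($h -and ($iocSha256 -contains $h)) { 'FILE known-bad hash' } else { 'FILE in IXP dir' })
            Where  = $f.FullName
            Detail = $h
        })
    }
}

# 2. RunOnce: wextract_cleanupN values name the extraction dirs and survive after the dirs are deleted.
#    The report shows the WOW6432Node view; the native and per-user keys are checked for completeness.
$runOnceKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runOnceKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -like 'wextract_cleanup*' } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{ Kind = 'RUNONCE wextract_cleanup'; Where = "$key\$($_.Name)"; Detail = $_.Value })
        }
}

# 3. Crash evidence: WerFault ran for 2hJ3214.exe and the hollowed AppLaunch.exe, so WER report folders
#    (assumption: standard AppCrash_<image>_... naming in the per-user report store) may still exist.
$werStores = 'C:\Users\*\AppData\Local\Microsoft\Windows\WER\ReportArchive',
             'C:\Users\*\AppData\Local\Microsoft\Windows\WER\ReportQueue'
$werReports = Get-ChildItem -Path $werStores -Directory -ErrorAction SilentlyContinue |
    Get-ChildItem -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'AppCrash_AppLaunch.exe*' -or $_.Name -like 'AppCrash_2hJ3214.exe*' }
foreach ($r in $werReports) {
    $hits.Add([pscustomobject]@{ Kind = 'WER crash report'; Where = $r.FullName; Detail = $r.LastWriteTime })
}

$hits | Format-Table -AutoSize -Wrap
```

On a clean host the sweep returns nothing; a wextract_cleanup value with no matching directory means the chain ran and the self-extractor already cleaned up after itself, and the next place to look is the process list and memory for an argument-less AppLaunch.exe.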