Analysis
Max time kernel: 122s
Max time network: 132s
Platform: windows10-1703_x64
Resource: win10-20230915-en
Resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 07/10/2023, 06:03
Static task: static1
Behavioral task: behavioral1
Sample: c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe
Resource: win10-20230915-en
General
Target: c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe
Size: 1.2MB
MD5: ffe7a227d672738c32a358a57cec260a
SHA1: 510db6cee62d02c4c7c9dad24943bd3f750d7f93
SHA256: c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1
SHA512: 5080a0d9e79b757d9892e672291f0124d852fda2be1305f26cebd6c8e1df7c9aeb03a1e76709980aa0c07542f6ba0f2249a1a859bf31d8060bb20635375b598a
SSDEEP: 24576:AyrJFM73gR6RI52yQFjnzwgLS/+wkc+Qv+hUbW5:HNFM70El0gLS+PQ5W
Malware Config
Signatures
- Detect Mystic stealer payload (4 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1588-35-0x0000000000400000-0x0000000000428000-memory.dmp / family_mystic
  - behavioral1/memory/1588-38-0x0000000000400000-0x0000000000428000-memory.dmp / family_mystic
  - behavioral1/memory/1588-39-0x0000000000400000-0x0000000000428000-memory.dmp / family_mystic
  - behavioral1/memory/1588-41-0x0000000000400000-0x0000000000428000-memory.dmp / family_mystic
- Executes dropped EXE (5 IoCs)
  pid / Process:
  - 2188 / WQ4sg2Gq.exe
  - 4784 / ZC5pC5Xb.exe
  - 2216 / Gx6DA6Dl.exe
  - 1836 / nW6fu3Dj.exe
  - 4568 / 1oA20VV8.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description / ioc / Process:
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" / c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" / WQ4sg2Gq.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" / ZC5pC5Xb.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" / Gx6DA6Dl.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" / nW6fu3Dj.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / Process / procid_target:
  - PID 4568 set thread context of 1588 / 4568 / 1oA20VV8.exe / 75
- Program crash (2 IoCs)
  pid / pid_target / Process / procid_target:
  - 752 / 4568 / WerFault.exe / 73
  - 520 / 1588 / WerFault.exe / 75
- Suspicious use of WriteProcessMemory (25 IoCs)
  description / pid / Process / procid_target (identical entries are listed once with their count):
  - PID 2088 wrote to memory of 2188 / 2088 / c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe / 69 (3 entries)
  - PID 2188 wrote to memory of 4784 / 2188 / WQ4sg2Gq.exe / 70 (3 entries)
  - PID 4784 wrote to memory of 2216 / 4784 / ZC5pC5Xb.exe / 71 (3 entries)
  - PID 2216 wrote to memory of 1836 / 2216 / Gx6DA6Dl.exe / 72 (3 entries)
  - PID 1836 wrote to memory of 4568 / 1836 / nW6fu3Dj.exe / 73 (3 entries)
  - PID 4568 wrote to memory of 1588 / 4568 / 1oA20VV8.exe / 75 (10 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe (PID 2088)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ4sg2Gq.exe (PID 2188)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ4sg2Gq.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5pC5Xb.exe (PID 4784)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5pC5Xb.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gx6DA6Dl.exe (PID 2216)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gx6DA6Dl.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nW6fu3Dj.exe (PID 1836)
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nW6fu3Dj.exe
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oA20VV8.exe (PID 4568)
                  Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oA20VV8.exe
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1588)
                     Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                     8. C:\Windows\SysWOW64\WerFault.exe (PID 520)
                        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 568
                        - Program crash
                  7. C:\Windows\SysWOW64\WerFault.exe (PID 752)
                     Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 140
                     - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads