Analysis

max time kernel: 72s
max time network: 76s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07/10/2023, 06:10

Static task: static1
Behavioral task: behavioral1
Sample: 1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe
Resource: win10-20230915-en
General

Target: 1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe
Size: 1.2MB
MD5: d70c46a0072fc1e0f94041d246d1a307
SHA1: b4a3a84383351e58bbc6bb48ecb637cee267006b
SHA256: 1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8
SHA512: 57fa598d5f53dfea90d313cf0d14cf1802d98293412bae1f6980ce5cfc61f882c87ffbb419e3bed6b84aebd6fd988bcbd967e340dc9b50a90a57da9f07c1def3
SSDEEP: 24576:Yy4MSznBqLQn6kMjCV0KcxdA+XfzzxLxz+o30xumJJlZ5Yjsm:fhSdqLQXMfVxWqzzxLre/Zh
Malware Config

Signatures

Detect Mystic stealer payload (4 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/600-35-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/600-38-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/600-39-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/600-41-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  All four hits are memory dumps of PID 600 (AppLaunch.exe), region 0x400000-0x428000. The Mystic payload is only observed in memory inside that process; the rule does not fire on any of the five dropped files listed under Downloads, so a disk-only scan of this host would miss the stealer itself.
Executes dropped EXE (5 IoCs)
  pid   Process
  4924  mc0TS7eZ.exe
  828   tN5gx5ZB.exe
  1184  fG8Qp4EE.exe
  4860  We8on1Qk.exe
  4108  1pz65pt1.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"   by 1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"   by mc0TS7eZ.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"   by tN5gx5ZB.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"   by fG8Qp4EE.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"   by We8on1Qk.exe
  Despite the signature name, these values are not payload persistence. wextract_cleanupN values calling advpack.dll,DelNodeRunDLL32 are written by the Windows IExpress self-extractor stub (wextract) so that its IXP00n.TMP extraction directory is deleted at the next logon. Five such values, one per IXP00n.TMP directory, show that the sample is five IExpress packages nested inside one another, each stage extracting and running the next. Nothing in this report writes a Run or RunOnce value that would relaunch the stealer.
Suspicious use of SetThreadContext (1 IoC)
  pid   Process       target pid  procid_target
  4108  1pz65pt1.exe  600         76
  PID 600 is C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, a Microsoft-signed .NET host launched by 1pz65pt1.exe. Taken together with the ten WriteProcessMemory calls from 4108 into 600 below and the Mystic YARA hits in 600's memory at 0x400000, this is process hollowing: the innermost stage spawns AppLaunch.exe, overwrites its image with the stealer and redirects the main thread with SetThreadContext.
Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  3960  4108        WerFault.exe  74   (crash of 1pz65pt1.exe)
  3492  600         WerFault.exe  76   (crash of AppLaunch.exe)
  Both the injector and the hollowed host crashed during the run (WerFault.exe -u -p <pid>), so the recorded behaviour stops at the injection step; the report lists no network indicators.
Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed, count in last column)
  pid   Process                                                                wrote to  procid_target  count
  2744  1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe  4924      70             3
  4924  mc0TS7eZ.exe                                                           828       71             3
  828   tN5gx5ZB.exe                                                           1184      72             3
  1184  fG8Qp4EE.exe                                                           4860      73             3
  4860  We8on1Qk.exe                                                           4108      74             3
  4108  1pz65pt1.exe                                                           600       76             10
Processes

(tree depth in brackets; the command line is shown where it differs from the image path)

[1] C:\Users\Admin\AppData\Local\Temp\1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe  (PID 2744)
    command line: "C:\Users\Admin\AppData\Local\Temp\1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mc0TS7eZ.exe  (PID 4924)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN5gx5ZB.exe  (PID 828)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fG8Qp4EE.exe  (PID 1184)
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\We8on1Qk.exe  (PID 4860)
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pz65pt1.exe  (PID 4108)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 600)
                command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              [8] C:\Windows\SysWOW64\WerFault.exe  (PID 3492)
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 600 -s 568
                  - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe  (PID 3960)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 588
                - Program crash
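As an added triage example, not part of the sandbox report or of the sandbox vendor's tooling, the Python script below takes the signature rows shown above (embedded as constructed sample input copied from this report), rebuilds the 2744 -> 4924 -> 828 -> 1184 -> 4860 -> 4108 -> 600 chain, counts the IXP00n.TMP extraction layers, separates wextract's own RunOnce cleanup values from anything else written to RunOnce, and flags the WriteProcessMemory plus SetThreadContext pair against AppLaunch.exe. The hollowing test (target image under C:\Windows) and the one-child-per-parent chain assumption are heuristics chosen for this example, not rules taken from the report.

```python
"""Added triage helper: rebuild the chain in the report above, count the
nested wextract layers, sort RunOnce values, and flag the hollowing pair."""
import re

# Process images from the report's process tree (pid -> image path).
PROCESSES = {
    2744: "C:\\Users\\Admin\\AppData\\Local\\Temp\\1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe",
    4924: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\mc0TS7eZ.exe",
    828: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\tN5gx5ZB.exe",
    1184: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\fG8Qp4EE.exe",
    4860: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\We8on1Qk.exe",
    4108: "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\1pz65pt1.exe",
    600: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe",
}

# Constructed sample: the report's WriteProcessMemory / SetThreadContext rows, one per distinct pair.
SIGNATURE_LINES = """\
PID 2744 wrote to memory of 4924 2744 1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe 70
PID 4924 wrote to memory of 828 4924 mc0TS7eZ.exe 71
PID 828 wrote to memory of 1184 828 tN5gx5ZB.exe 72
PID 1184 wrote to memory of 4860 1184 fG8Qp4EE.exe 73
PID 4860 wrote to memory of 4108 4860 We8on1Qk.exe 74
PID 4108 wrote to memory of 600 4108 1pz65pt1.exe 76
PID 4108 set thread context of 600 4108 1pz65pt1.exe 76
"""

# Constructed sample: the five RunOnce values from the report, (name, data).
RUNONCE_VALUES = [
    (f"wextract_cleanup{i}",
     f'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
     f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP00{i}.TMP\\"')
    for i in range(5)
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
IXP_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)
CLEANUP_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)


def image_name(path):
    """Basename of a Windows path (os.path.basename ignores '\\' off-Windows)."""
    return path.rsplit("\\", 1)[-1]


def parse_events(text):
    """Return (writes, ctx): sets of (src_pid, dst_pid) for each API family."""
    writes, ctx = set(), set()
    for line in text.splitlines():
        if m := WRITE_RE.search(line):
            writes.add((int(m[1]), int(m[2])))
        elif m := CTX_RE.search(line):
            ctx.add((int(m[1]), int(m[2])))
    return writes, ctx


def build_chain(writes, root):
    """Follow parent -> child writes from root. Each stub writes into one child,
    so the chain is linear; a parent with two targets is another pattern (None)."""
    child_of = {}
    for src, dst in writes:
        if src in child_of:
            return None
        child_of[src] = dst
    chain = [root]
    while chain[-1] in child_of and child_of[chain[-1]] not in chain:
        chain.append(child_of[chain[-1]])
    return chain


def wextract_layers(processes):
    """Distinct IXP00n.TMP directories among running images = wextract nesting depth."""
    layers = set()
    for path in processes.values():
        if m := IXP_RE.search(path):
            layers.add(int(m[1]))
    return sorted(layers)


def classify_runonce(values):
    """wextract_cleanupN + advpack.dll,DelNodeRunDLL32 is the SFX deleting its own
    IXP00n.TMP directory at next logon, not persistence; anything else is returned for review."""
    cleanup, other = [], []
    for name, data in values:
        if name.lower().startswith("wextract_cleanup") and CLEANUP_RE.search(data):
            cleanup.append(name)
        else:
            other.append((name, data))
    return cleanup, other


def detect_hollowing(processes, writes, ctx):
    """Heuristic: a source that both wrote into a child and set its thread context,
    where the child's image is a Windows binary, is hollowing that binary."""
    hits = []
    for src, dst in sorted(ctx):
        target = processes.get(dst, "")
        if (src, dst) in writes and target.lower().startswith("c:\\windows\\"):
            hits.append((src, dst, image_name(target)))
    return hits


if __name__ == "__main__":
    writes, ctx = parse_events(SIGNATURE_LINES)
    chain = build_chain(writes, root=2744)
    print("chain  :", " -> ".join(f"{p}:{image_name(PROCESSES[p])}" for p in chain))
    print("layers :", wextract_layers(PROCESSES))
    cleanup, other = classify_runonce(RUNONCE_VALUES)
    print("runonce:", len(cleanup), "wextract cleanup value(s),", len(other), "other")
    for src, dst, host in detect_hollowing(PROCESSES, writes, ctx):
        print(f"hollow : {src}:{image_name(PROCESSES[src])} -> {dst}:{host}")
```

Run as-is it prints a seven-process chain, layers [0, 1, 2, 3, 4], five cleanup values with nothing left over, and one hollowing hit (4108:1pz65pt1.exe -> 600:AppLaunch.exe). To reuse it on another report, replace PROCESSES and the two constructed samples with that report's rows; the RunOnce classifier is what keeps IExpress housekeeping from being triaged as persistence.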
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.0MB
MD5: 82fa0b61cb3aa852ddd135fab8ea05ab
SHA1: c6ae6e27dd90806dd99b83899db68d38ab37a372
SHA256: 8f594667b32dbf0b930f70ff8113dc510e8c872f80d7953a203179a3ebeb0d2e
SHA512: aa6627455843eccfceb9919777b9f5e9832293b76d9c0e1620437028d57ce3fea4775116495a4cfc719a8113875b56cb6e985e31cb31dcb88a8804dfc3b913e3

Filesize: 884KB
MD5: d3f9c1faa7a01f825aaabd2b5b98970c
SHA1: fb4119e7f3d3e96d43d9f694e10cf12ee0c0e3ae
SHA256: 0709711ff39f499d80d03d5f14b19e7137efa414e1a4571d0d892953c6fefa4e
SHA512: 40187030302bc19af8d42cb2fcaeefc71480d555d46f3e694cd3a5773e3caeb563c533293d746e6697a0f04587d4200523b099a25c876efd09dbf07cfdc7ab54

Filesize: 590KB
MD5: 93363bedaf9cd28aae401a6f5bada33b
SHA1: 6c477f9ec39bc41e3e577d470b55587704b9208d
SHA256: 664e4ec485dba8e32c03a20b68bc6b19883254721d083762abc57acc40686ccf
SHA512: d9947ace95a7c38171c8d3d309b38a7af97bfa23e9f77372078b06326501a54633d5798eb199e98d4e1c46991171eb504438234c873b42b2aa55a4f719946156

Filesize: 417KB
MD5: 0dc8f7d79cfade9c5dfe760eb92de13a
SHA1: 6d258db018fc96ce7baea4be96e8b8db590a832d
SHA256: 435aa84120a6944cc73c849059ea1cde5491583ccef37e2c3b78658ebca198cd
SHA512: c4c3eb9b5d4a4f3a6a1397af8a6d37a9808d6cb752d6d7cf9111af979dc07e5eef481e1d4079605185863362ea0b192e6b62dae6a591cbfdbdf863c06f7dc39a

Filesize: 378KB
MD5: f0831f173733de08511f3a0739f278a6
SHA1: 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256: 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512: 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3