Analysis

max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2023 10:54

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 6e5d6259d9520790df4e34761517da1c40b0052b83bd324320c5e51db4f1c07a.exe
  Resource: win7-20230831-en (windows7-x64)
  5 signatures, 150 seconds
General

Target: 6e5d6259d9520790df4e34761517da1c40b0052b83bd324320c5e51db4f1c07a.exe
Size: 346KB
MD5: 11ee6447508a02f3d76c21f927550ac1
SHA1: 5e905856ab4c69a6216999b70e884b91a9779a53
SHA256: 6e5d6259d9520790df4e34761517da1c40b0052b83bd324320c5e51db4f1c07a
SHA512: fd145783a5ac63f7e942fd15f131e682e11aa37e057e9012ded1dbc05b8382d5552123ead74db69a6634deccdbefda1062ffaced11cfc266c8a16d4858180cf8
SSDEEP: 6144:n1CZljS9PgGzqLHvw1t6mAONVWIJP4Rx5tpZhCQXn6SVxGJctK93viKC:n1GS9PgGimnVWIJP4Rx7sW1yqtKdiKC
Malware Config
Signatures
- Detect Mystic stealer payload (6 IoCs)

  resource                                                                     yara_rule
  behavioral1/memory/2360-3-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral1/memory/2360-4-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral1/memory/2360-5-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral1/memory/2360-7-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral1/memory/2360-9-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
  behavioral1/memory/2360-11-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic

  All six hits are successive dumps of the same 0x28000-byte region at 0x400000 inside PID 2360 (AppLaunch.exe), the process that PID 2448 wrote into and re-pointed with SetThreadContext. The family rule fires on the injected payload in the hollowed host, not in the dropper process 2448 itself.

- Suspicious use of SetThreadContext (1 IoC)

  description                           pid   Process                                                               procid_target
  PID 2448 set thread context of 2360   2448  6e5d6259d9520790df4e34761517da1c40b0052b83bd324320c5e51db4f1c07a.exe  29

- Program crash (2 IoCs)

  pid   pid_target  Process       procid_target
  2784  2448        WerFault.exe  15
  2680  2360        WerFault.exe  29

- Suspicious use of WriteProcessMemory (25 IoCs)

  count  description                        pid   Process                                                               procid_target
  14     PID 2448 wrote to memory of 2360   2448  6e5d6259d9520790df4e34761517da1c40b0052b83bd324320c5e51db4f1c07a.exe  29
  4      PID 2448 wrote to memory of 2784   2448  6e5d6259d9520790df4e34761517da1c40b0052b83bd324320c5e51db4f1c07a.exe  30
  7      PID 2360 wrote to memory of 2680   2360  AppLaunch.exe                                                         31

  The 14 writes from 2448 into 2360 followed by SetThreadContext on the same target are the process-hollowing sequence: start a benign signed host (the .NET AppLaunch.exe), overwrite its memory, then redirect its thread to the injected code. The 4 writes into 2784 and the 7 writes into 2680 target the WerFault.exe children launched to handle each process's crash; a process creating a child writes into it during CreateProcess, so these rows are consistent with ordinary crash-handler launch and do not by themselves indicate a further injection target.
Processes

1  C:\Users\Admin\AppData\Local\Temp\6e5d6259d9520790df4e34761517da1c40b0052b83bd324320c5e51db4f1c07a.exe  (PID 2448)
   command line: "C:\Users\Admin\AppData\Local\Temp\6e5d6259d9520790df4e34761517da1c40b0052b83bd324320c5e51db4f1c07a.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2360)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\WerFault.exe  (PID 2680)
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 196
         - Program crash

   2  C:\Windows\SysWOW64\WerFault.exe  (PID 2784)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 120
      - Program crash

AppLaunch.exe is started with no assembly argument, which gives it nothing legitimate to do on its own; a bare launch that is then written to and re-pointed is the hollowing-host pattern. Both WerFault.exe instances come from SysWOW64 and name the faulting PID with -p, so both crashing processes (the dropper and the hollowed 32-bit .NET host) are 32-bit.
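Putting the three behaviour signatures together, as an added example that is not part of this report or of the sandbox's own tooling: a small Python correlator that reads WriteProcessMemory, SetThreadContext and in-memory YARA rows in the shape shown above, excludes the writes a crashing process makes into its WerFault.exe child, and reports the hollowed host together with the family detected inside it. The event and YARA rows are reconstructed from this report with the same PIDs and counts; the host-image list, the crash-handler exclusion and the write threshold are assumptions made for illustration.

```python
"""Correlate sandbox behaviour rows into a process-hollowing verdict.

Added example, not part of the sandbox report or its tooling. The event
and YARA rows below are reconstructed from the report's signature tables
(same PIDs and counts); the host-image list, the crash-handler exclusion
and the write threshold are this example's own assumptions.
"""
import re
from collections import Counter

# Constructed from the report's process tree: pid -> image basename.
PROCESSES = {
    2448: "6e5d6259d9520790df4e34761517da1c40b0052b83bd324320c5e51db4f1c07a.exe",
    2360: "AppLaunch.exe",
    2680: "WerFault.exe",
    2784: "WerFault.exe",
}

# Constructed from the report's WriteProcessMemory / SetThreadContext rows.
EVENTS = (
    ["PID 2448 wrote to memory of 2360"] * 14
    + ["PID 2448 wrote to memory of 2784"] * 4
    + ["PID 2360 wrote to memory of 2680"] * 7
    + ["PID 2448 set thread context of 2360"]
)

# Constructed from the report's YARA rows (resource + rule name).
YARA_ROWS = [
    f"behavioral1/memory/2360-{i}-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic"
    for i in (3, 4, 5, 7, 9, 11)
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp\s+(\S+)", re.I)

# Assumptions: signed Microsoft binaries commonly abused as hollowing hosts,
# and the crash handler a faulting process legitimately writes into at launch.
HOST_IMAGES = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "svchost.exe", "explorer.exe"}
CRASH_HANDLERS = {"werfault.exe"}
MIN_WRITES = 3


def parse_events(lines):
    """Count WriteProcessMemory per (src, dst) and collect SetThreadContext pairs."""
    writes, ctx = Counter(), set()
    for line in lines:
        line = line.strip()
        if m := WRITE_RE.match(line):
            writes[(int(m[1]), int(m[2]))] += 1
        elif m := CTX_RE.match(line):
            ctx.add((int(m[1]), int(m[2])))
    return writes, ctx


def parse_yara(rows):
    """Map pid -> {(start, end, rule)} for in-memory YARA hits."""
    hits = {}
    for row in rows:
        if m := DUMP_RE.search(row):
            pid, start, end, rule = int(m[1]), int(m[2], 16), int(m[3], 16), m[4]
            hits.setdefault(pid, set()).add((start, end, rule))
    return hits


def find_hollowing(lines, processes):
    """Return [(src, dst, dst_image, n_writes)] where a process wrote repeatedly
    into a known host image and then re-pointed a thread in that same target."""
    writes, ctx = parse_events(lines)
    out = []
    for (src, dst), n in sorted(writes.items()):
        image = processes.get(dst, "").lower()
        if image in CRASH_HANDLERS:
            continue  # CreateProcess of a WerFault child, not injection
        if (src, dst) in ctx and n >= MIN_WRITES and image in HOST_IMAGES:
            out.append((src, dst, processes[dst], n))
    return out


def payload_in_hollowed(lines, processes, yara_rows):
    """Tie YARA rule names to the hollowed targets: {dst_pid: {rule, ...}}."""
    hits = parse_yara(yara_rows)
    return {dst: {rule for _, _, rule in hits[dst]}
            for _, dst, _, _ in find_hollowing(lines, processes) if dst in hits}


if __name__ == "__main__":
    for src, dst, image, n in find_hollowing(EVENTS, PROCESSES):
        print(f"hollowing: {src} -> {dst} ({image}): {n} writes then SetThreadContext")
    print(payload_in_hollowed(EVENTS, PROCESSES, YARA_ROWS))
```

On this report the correlator yields a single pair, 2448 into 2360 (AppLaunch.exe), and attributes the family_mystic hits to that hollowed process; dropping the SetThreadContext row makes the verdict disappear, which is the point of requiring both the writes and the thread redirection rather than alerting on WriteProcessMemory alone.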