mystic | 3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 03:30

Target

3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe
Size

358KB
MD5

208494b1c0389db913891992bd109e81
SHA1

da5fd7d61b2ee51c87ba24e441d93b34da8365f4
SHA256

3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a
SHA512

b5db6e1514e36cb754cd439c6853b7a85bf08ef3204bebba3538ee312d3a7f51bfa122243c1fd2d18fcaa88da4b74cb016a3517391cce8d66f602fff4715c549
SSDEEP

6144:T/FXR/bOEHHkwxOSeyCKrJz4AO0JBUyxD/nDAiZZoXs8fi:jFX1aEHEw94KJKyxD/n0O18fi

Score

10^/10

mystic stealer

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/1440-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1440-1-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1440-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1440-2-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1440-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1512 set thread context of 1440	1512	3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe	84

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1440	1512	3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe	84
PID 1512 wrote to memory of 1440	1512	3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe	84
PID 1512 wrote to memory of 1440	1512	3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe	84
PID 1512 wrote to memory of 1440	1512	3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe	84
PID 1512 wrote to memory of 1440	1512	3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe	84
PID 1512 wrote to memory of 1440	1512	3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe	84
PID 1512 wrote to memory of 1440	1512	3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe	84
PID 1512 wrote to memory of 1440	1512	3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe	84
PID 1512 wrote to memory of 1440	1512	3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe	84
PID 1512 wrote to memory of 1440	1512	3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe	84

C:\Users\Admin\AppData\Local\Temp\3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe
"C:\Users\Admin\AppData\Local\Temp\3a339e14c5295517caa3a654d660accee802839d22423005015206eabe6a344a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1440

memory/1440-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1440-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1440-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1440-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1440-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download