Overview

overview

10

Static

static

3

NEAS.5c356...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2023 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.5c3561b275b18f337476d1dbe9833c80.exe

  • Size

    438KB

  • MD5

    5c3561b275b18f337476d1dbe9833c80

  • SHA1

    7a74b2f5ccc7822b71126ce7b7877d15ff47227c

  • SHA256

    45304735f707e4ffe910f4b6b034a26c94f7bc58a5bda60142f1ade5d11e96b3

  • SHA512

    1a05ef2a2b07c57293a4c15c5c4a5e9f097ad046620415d19592cfbb18dcef70bcb94c433c0dcee490dc8f02f775340d7484eb85bfb2c7efd37dbcb596bdf9cc

  • SSDEEP

    6144:Kmy+bnr+6p0yN90QE7iv89AY59FaIH0KiqhDbT15hDN1nWRqde4ALGM:+MrOy9028h9FfH0KiqhHT15b1WAXM

Score
10/10
mysticevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5c3561b275b18f337476d1dbe9833c80.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5c3561b275b18f337476d1dbe9833c80.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yw9Po24.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yw9Po24.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jJ43fQ4.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jJ43fQ4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4068
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3700
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:3192
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 540
                5⤵
                • Program crash
                PID:4584
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6HI3ek7.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6HI3ek7.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3556
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2704
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Xq6Zm21.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Xq6Zm21.exe
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3436
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
            3⤵
              PID:4600
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3192 -ip 3192
          1⤵
            PID:564

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Xq6Zm21.exe
            Filesize

            73KB

            MD5

            e239ed8997e44aae5baf23eb842e26ed

            SHA1

            94c4b93d5be8d8f5e1213e9b1661780c5bef9b75

            SHA256

            90bd6afaefec5b0280274c379e86056a4a1ebb990ad081957adc7f78d22c15a7

            SHA512

            8216fde50e746c360f4ace5f5659fc5354fa869b81b652027b9c24cb230e1dbee7ff7817076932a767d8e5eee3a7f1845f93928b8ddb28103bfdba6c834b324b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Xq6Zm21.exe
            Filesize

            73KB

            MD5

            e239ed8997e44aae5baf23eb842e26ed

            SHA1

            94c4b93d5be8d8f5e1213e9b1661780c5bef9b75

            SHA256

            90bd6afaefec5b0280274c379e86056a4a1ebb990ad081957adc7f78d22c15a7

            SHA512

            8216fde50e746c360f4ace5f5659fc5354fa869b81b652027b9c24cb230e1dbee7ff7817076932a767d8e5eee3a7f1845f93928b8ddb28103bfdba6c834b324b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yw9Po24.exe
            Filesize

            316KB

            MD5

            780f4e442b77f55f980b37eed4189d20

            SHA1

            fc8539ecd837a2693e34e21333598887730238c2

            SHA256

            93f5da209930641a89a89e00632f83730bc08a3837f9804e7bc8b68f3a336f3e

            SHA512

            fd799cf9e2a094cc3cca9cb962987cabc2f7b9f354ad95c1783a188fe437893d99da74273aadc45de2e4000d96be84a7f4ab55a83842cbe392a39d0b9b328a2e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yw9Po24.exe
            Filesize

            316KB

            MD5

            780f4e442b77f55f980b37eed4189d20

            SHA1

            fc8539ecd837a2693e34e21333598887730238c2

            SHA256

            93f5da209930641a89a89e00632f83730bc08a3837f9804e7bc8b68f3a336f3e

            SHA512

            fd799cf9e2a094cc3cca9cb962987cabc2f7b9f354ad95c1783a188fe437893d99da74273aadc45de2e4000d96be84a7f4ab55a83842cbe392a39d0b9b328a2e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jJ43fQ4.exe
            Filesize

            300KB

            MD5

            5127226ce800eb933c216c3604b8b25b

            SHA1

            e44e9b1fd21dd9786d5fd7775ef6c56212668889

            SHA256

            56449e8916bf748bc2ddc80643099bb78ddc62058ffaa635e1d191430e3b74d9

            SHA512

            59fc8b3c4480d8454821a62ce4508cbda14ea4b2669d5c0310a216726a561d35ff3827d33672281a79a9fc9153ffcedcc57f441b3930dc618cee8ebfb3f1d759

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jJ43fQ4.exe
            Filesize

            300KB

            MD5

            5127226ce800eb933c216c3604b8b25b

            SHA1

            e44e9b1fd21dd9786d5fd7775ef6c56212668889

            SHA256

            56449e8916bf748bc2ddc80643099bb78ddc62058ffaa635e1d191430e3b74d9

            SHA512

            59fc8b3c4480d8454821a62ce4508cbda14ea4b2669d5c0310a216726a561d35ff3827d33672281a79a9fc9153ffcedcc57f441b3930dc618cee8ebfb3f1d759

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6HI3ek7.exe
            Filesize

            131KB

            MD5

            bfd1838953f5a5e8b03ee2f62bae832f

            SHA1

            ed58b651019e4153257a72078bf9de9ba9cae77a

            SHA256

            5e5d8661e59be3c2396850f99fa31aae01c82df752eddc078259b63276b86b6c

            SHA512

            d663f2c60ce6705923a3d37c597837ac5243dc1045e585bd91c91f7368862f476cd9acdd08eb02cc586e3f078b5dac8988455e1e4802807554cbbe3e8381cd3c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6HI3ek7.exe
            Filesize

            131KB

            MD5

            bfd1838953f5a5e8b03ee2f62bae832f

            SHA1

            ed58b651019e4153257a72078bf9de9ba9cae77a

            SHA256

            5e5d8661e59be3c2396850f99fa31aae01c82df752eddc078259b63276b86b6c

            SHA512

            d663f2c60ce6705923a3d37c597837ac5243dc1045e585bd91c91f7368862f476cd9acdd08eb02cc586e3f078b5dac8988455e1e4802807554cbbe3e8381cd3c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\is64.bat
            Filesize

            181B

            MD5

            225edee1d46e0a80610db26b275d72fb

            SHA1

            ce206abf11aaf19278b72f5021cc64b1b427b7e8

            SHA256

            e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

            SHA512

            4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

            Download Submit

          • memory/2704-22-0x0000000000400000-0x000000000040A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2704-26-0x0000000073A00000-0x00000000741B0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2704-36-0x0000000073A00000-0x00000000741B0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3192-14-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/3192-20-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/3192-16-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/3192-15-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download