Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231025-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16-11-2023 11:48

General

  • Target

    NEAS.ccb17e5b9e9fb676e0c501f829d4d830.exe

  • Size

    574KB

  • MD5

    ccb17e5b9e9fb676e0c501f829d4d830

  • SHA1

    4a10b5b1bb705927ed1d4950661a86af09cd6e7a

  • SHA256

    a1d6b57cc70975aa60113ebb58149b75915df230f1a1795f1ad79a5e58b7e4dd

  • SHA512

    c78e612ce1e2a1197c228c136f2909842140272cfb28fe4fecea98718104e48038ea1583e4ea669575a9755c2443815bb0636b0d86deff5bb655b4f55ca667f5

  • SSDEEP

    12288:zMray90dPOw+DFYZrOQb2iDp0DfyO6Z9nuFMYDHluACg5:py3lD6ZyQb2iD2byOE2RDLV

Malware Config

Signatures

  • Detect Mystic stealer payload 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.ccb17e5b9e9fb676e0c501f829d4d830.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.ccb17e5b9e9fb676e0c501f829d4d830.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1wW08ZO0.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1wW08ZO0.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3864
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2py0682.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2py0682.exe
      2⤵
      • Executes dropped EXE
      PID:216
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:4660

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1wW08ZO0.exe

    Filesize

    1.6MB

    MD5

    29e9546e7fe835b413a5d65599213b53

    SHA1

    64d6d2eca4e197a390702a08b074c5ef6da2fa32

    SHA256

    d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814

    SHA512

    e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2py0682.exe

    Filesize

    180KB

    MD5

    6cf6572d49c0461ebd65f832c7f24165

    SHA1

    22133af866f22b4f3b24cb935d5b3e344cec54f6

    SHA256

    1e3d334aa4cc4ce07fad916cb61ecb6d6b687932fa2fc8651e0835bd86d2e5e4

    SHA512

    e62d60ae98c7585dda92ace90bf0ed69b807923b41f412f3a7655e488c03ec2710bf0017c9017140f77e3e70eb5d1260d0e70324f0a9a39b200ebb9c838bd9d7

  • memory/3864-7-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/3864-11-0x0000000074340000-0x0000000074AF0000-memory.dmp

    Filesize

    7.7MB

  • memory/3864-13-0x0000000074340000-0x0000000074AF0000-memory.dmp

    Filesize

    7.7MB