Analysis

  • max time kernel
    140s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-11-2023 05:47

General

  • Target

    NEAS.c89a27bb1bf5d48a07131b5d602ff940.exe

  • Size

    309KB

  • MD5

    c89a27bb1bf5d48a07131b5d602ff940

  • SHA1

    f68c6623455972e2b919acc997eea63a291876ee

  • SHA256

    cdff3538fac723c441ee75c5471c3ea1f25d5dec6a3b552513794ae79647d974

  • SHA512

    2925d0e5ac0f2c608ddb3b3c55536ee8896c18a5c6bec6b5e4e76f6af69ce8509d662b5bd9c52f7379e8b4425e81f377e6fa98caf691ee14707e58dd99a0b43a

  • SSDEEP

    6144:Key+bnr+Zkp0yN90QE1iEksrxO7LVq4bIbOLBv3Rmnz:uMryy90PusrxO7L7MOLV3Y

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.c89a27bb1bf5d48a07131b5d602ff940.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.c89a27bb1bf5d48a07131b5d602ff940.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1nA81RO9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1nA81RO9.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:1904
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 192
            4⤵
            • Program crash
            PID:3004
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ss2dW8.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ss2dW8.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1356
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1904 -ip 1904
      1⤵
        PID:2772

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1nA81RO9.exe

        Filesize

        286KB

        MD5

        9f706f44b35c4827e3caf810177ba559

        SHA1

        423ec74a1b77869f4a9c8756f60b6c4933536a11

        SHA256

        96f917bd1ad6484886795509e0d0a58731fe455cb44d33022c8f69389453f740

        SHA512

        5333771c82485dca039c1372873bce6409c0a1c1799baedd03eed7638036e8228220349f595075f72506257f05b213ac3c2ebf6d53a8d67da3ce4c8ef05ff19c

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ss2dW8.exe

        Filesize

        117KB

        MD5

        156a74b53feb59ac666b296b39a41706

        SHA1

        e24f65e6ecf779383b904941d1f4314bb7aa1c87

        SHA256

        388f7aa02edb57ac6dbae478f23660daffb64a2eca70942391b4de92a1977494

        SHA512

        43e202ed931799c54a9d4d0ed660cd44c43767723fd69091e174f8bee721cff6221364df0e8f902a6d59c5b0359f1cb671c5ec1eed5e56f0bfbdbeaf50faee70

      • memory/1356-15-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

      • memory/1356-16-0x0000000073AD0000-0x0000000074280000-memory.dmp

        Filesize

        7.7MB

      • memory/1356-18-0x0000000073AD0000-0x0000000074280000-memory.dmp

        Filesize

        7.7MB

      • memory/1904-7-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

      • memory/1904-8-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

      • memory/1904-9-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

      • memory/1904-11-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB