Analysis
max time kernel
128s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted
19-11-2023 22:01
Static task
static1
Behavioral task
behavioral1
Sample
8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe
Resource
win10v2004-20231020-en
General
-
Target
8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe
-
Size
523KB
-
MD5
dcee3487134de31384cc480650d0b872
-
SHA1
728aac232b591c08d2a0a727a5024afdb17f3b56
-
SHA256
8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9
-
SHA512
dd0751578f48b5a2e6931c31865c235f464fb3d6fe4bdbd8389ab9d8429b0ffb69205773b276dc930ab1dc672fe7ed724559bdb4a1896ba26bc9cd3b74570399
-
SSDEEP
12288:4Mr8y900yOk63JeBswLMA9Kyzr7Hx/XupZF7:UyMx0eB0Ryzr7Hx/XupZF7
Malware Config
Signatures
-
Detect Mystic stealer payload 4 IoCs
Processes:
resource yara_rule
behavioral1/memory/764-12-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family
behavioral1/memory/764-13-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family
behavioral1/memory/764-14-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family
behavioral1/memory/764-16-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family
All four hits are the same 208KB region (0x400000-0x434000) of PID 764, the AppLaunch.exe instance that 2pm7744.exe hollowed, captured at different points in the run. The rule matches the unpacked stealer image in memory, not the dropper on disk.
Modifies Windows Defender Real-time Protection settings 6 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe
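The five Disable* values above are Defender policy overrides; they land under the WOW6432Node view because the injected AppLaunch.exe is a 32-bit process. The PowerShell below is an added example and not part of the sandbox report: it audits both registry views for exactly those value names and, with -Remediate, removes them and reads the effective state back through Get-MpPreference. Key paths and value names are taken from the table; the script assumes it is run from an elevated prompt on the host being checked.

```powershell
# Added example, not from the sandbox report. Audit (and optionally remove) the
# Defender real-time protection policy overrides seen in the Mystic sample.
# Assumption: run elevated; paths are the policy keys shown in the report.
[CmdletBinding()]
param(
    [switch]$Remediate   # delete tampered values instead of only reporting them
)

# Value names written by the sample (all set to DWORD 1 = disabled).
$tamperedNames = @(
    'DisableBehaviorMonitoring',
    'DisableIOAVProtection',
    'DisableOnAccessProtection',
    'DisableRealtimeMonitoring',
    'DisableScanOnRealtimeEnable'
)

# The sample wrote the WOW6432Node view because it ran as a 32-bit process;
# check the native view too so a 64-bit writer is caught as well.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection'
)

function Get-DefenderPolicyTamper {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $tamperedNames) {
            # PSObject.Properties[...] returns $null when the value is absent.
            $prop = $props.PSObject.Properties[$name]
            if ($null -ne $prop -and [int]$prop.Value -eq 1) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $prop.Value }
            }
        }
    }
}

$findings = @(Get-DefenderPolicyTamper)
if ($findings.Count -eq 0) {
    Write-Host 'No Defender real-time protection policy tampering found.'
} else {
    $findings | Format-Table -AutoSize
    if ($Remediate) {
        foreach ($f in $findings) {
            Remove-ItemProperty -LiteralPath $f.Key -Name $f.Name -ErrorAction Stop
        }
        # Policy values override the local preference; confirm the effective
        # state after removal instead of trusting the registry alone.
        Get-MpPreference |
            Select-Object DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableIOAVProtection
    }
}
```

Run it once without -Remediate to see what is set, then with -Remediate. An empty policy key is the expected clean state; a host where the values come back after removal still has the writer running, so treat remediation as a second step after containment.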
Executes dropped EXE 2 IoCs
Processes:
pid process
1108 1xs28ee6.exe
1636 2pm7744.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe
The wextract_cleanup0 RunOnce value, the IXP000.TMP directory and the advpack.dll DelNodeRunDLL32 call are the standard self-extractor (WExtract/IExpress) cleanup: the entry deletes the extraction directory at next logon rather than relaunching a payload. It identifies the outer sample as an IExpress-style package; it is not payload persistence.
Suspicious use of SetThreadContext 2 IoCs
Processes:
description pid process target process
PID 1108 set thread context of 4740 1108 1xs28ee6.exe AppLaunch.exe
PID 1636 set thread context of 764 1636 2pm7744.exe AppLaunch.exe
Program crash 1 IoCs
Processes:
pid pid_target process target process
2560 764 WerFault.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid process
4740 AppLaunch.exe
4740 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 4740 AppLaunch.exe
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description pid process target process (count)
PID 5004 wrote to memory of 1108 5004 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe 1xs28ee6.exe (3 events)
PID 1108 wrote to memory of 3824 1108 1xs28ee6.exe AppLaunch.exe (3 events)
PID 1108 wrote to memory of 4740 1108 1xs28ee6.exe AppLaunch.exe (8 events)
PID 5004 wrote to memory of 1636 5004 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe 2pm7744.exe (3 events)
PID 1636 wrote to memory of 764 1636 2pm7744.exe AppLaunch.exe (10 events)
The three writes from the parent into each freshly created child (1108, 1636) are the normal process-creation writes. The first AppLaunch.exe child of 1xs28ee6.exe (PID 3824) received only three writes and no SetThreadContext; the injections that completed are into PIDs 4740 and 764, the two AppLaunch.exe instances that also appear in the SetThreadContext table.
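The SetThreadContext and WriteProcessMemory events above are consistent with process hollowing: each dropper starts AppLaunch.exe with no assembly argument, writes the payload into it, then redirects the main thread with SetThreadContext. The PowerShell below is an added hunting example and not tooling from the report or the sandbox: it flags AppLaunch.exe process-creation records whose command line is the bare image path and whose parent runs from a user Temp directory. The sample events are constructed from the report's process tree, and Get-SysmonProcessCreate is an assumed helper that projects Sysmon event ID 1 fields on a live host.

```powershell
# Added hunting example, not part of the sandbox report.
# Flags AppLaunch.exe launched without an assembly argument by a parent in
# %LOCALAPPDATA%\Temp, the pattern both droppers in the report produce.

function Test-SuspiciousAppLaunch {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject]$Event
    )
    process {
        $image = [string]$Event.Image
        # Only the .NET AppLaunch host (32- or 64-bit framework directory).
        if ($image -notmatch '\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\AppLaunch\.exe$') { return }

        # Legitimate invocations carry an assembly path after the image;
        # the report shows the quoted image path and nothing else.
        $cmd  = ([string]$Event.CommandLine).Trim()
        $bare = ($cmd -eq ('"{0}"' -f $image)) -or ($cmd -eq $image)
        $tempParent = ([string]$Event.ParentImage) -match '\\AppData\\Local\\Temp\\'

        if ($bare -and $tempParent) {
            [pscustomobject]@{
                Time        = $Event.UtcTime
                ProcessId   = $Event.ProcessId
                Parent      = $Event.ParentImage
                CommandLine = $cmd
                Reason      = 'AppLaunch.exe without assembly argument, parent in user Temp'
            }
        }
    }
}

# Assumed helper for a live host: read Sysmon event ID 1 (process creation)
# and project the EventData fields the check needs.
function Get-SysmonProcessCreate {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]$data
        }
}

# Constructed sample events modelled on the report's process tree (not real log data).
$samples = @(
    [pscustomobject]@{
        UtcTime     = '2023-11-19 22:02:10'; ProcessId = 4740
        Image       = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe'
        CommandLine = '"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'
        ParentImage = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xs28ee6.exe'
    },
    [pscustomobject]@{
        UtcTime     = '2023-11-19 22:02:11'; ProcessId = 764
        Image       = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe'
        CommandLine = '"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'
        ParentImage = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pm7744.exe'
    },
    # Benign-looking control: AppLaunch with an assembly argument from an installed app.
    [pscustomobject]@{
        UtcTime     = '2023-11-19 22:05:00'; ProcessId = 9001
        Image       = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe'
        CommandLine = '"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe" "C:\Program Files\Contoso\app.exe"'
        ParentImage = 'C:\Program Files\Contoso\launcher.exe'
    }
)

# Offline run over the constructed events; expect the two Temp-parented hits only.
$samples | Test-SuspiciousAppLaunch | Format-Table -AutoSize

# On a live host with Sysmon installed:
# Get-SysmonProcessCreate | Test-SuspiciousAppLaunch
```

The bare-command-line test is deliberately strict; relax it only after checking what AppLaunch.exe looks like on your own fleet, because a loader that appends a dummy argument would slip past it while the Temp-parent condition would still hold. Security 4688 events work the same way if command-line auditing is enabled, with the field names mapped from NewProcessName, CommandLine and ParentProcessName.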
Processes
(PIDs are taken from the signature tables above; indentation shows the parent/child depth.)
C:\Users\Admin\AppData\Local\Temp\8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe (PID 5004)
  command line: "C:\Users\Admin\AppData\Local\Temp\8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xs28ee6.exe (PID 1108)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xs28ee6.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3824)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4740)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pm7744.exe (PID 1636)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pm7744.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 764)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      C:\Windows\SysWOW64\WerFault.exe (PID 2560)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 540
        - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 764 -ip 764
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xs28ee6.exe
Filesize 878KB
MD5 339ea0b5985189bed9df55b41d322bfd
SHA1 1bfaf3fe436a2c778d3274fc2d729f7a706fca47
SHA256 c4bd0604ca387c82df1418215f3a408bc3e2877531c2f355f6df8569b7de2b49
SHA512 3f1cce7155e0fca30cc9469c0566e40c43f28df6445fc284521283da0aa9f01c67b3fc026a3b9841f1630f677fa8326dba69171d594013d601beb50c68ed3f87
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pm7744.exe
Filesize 1.1MB
MD5 6c0733d56c61c694254f33440224ade4
SHA1 45c9a26fbe1d7d1221655ee0ea85a2e8a138eab6
SHA256 3a8f1997f1e756b408fa3e20bfd1e3fccdcc20e6d223999b253c97457224feea
SHA512 2e1436edfb5b74e2a0dfb10e1da9e8c38f435e046aae5a7e418d328d52c01b4000b2e15fcbefbf6969750c638000bc4b63afc49ee15df43db30e093af5ded95d
-
memory/764-12-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize 208KB
-
memory/764-13-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize 208KB
-
memory/764-14-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize 208KB
-
memory/764-16-0x0000000000400000-0x0000000000434000-memory.dmp
Filesize 208KB
-
memory/4740-7-0x0000000000400000-0x000000000040A000-memory.dmp
Filesize 40KB
-
memory/4740-11-0x0000000074A40000-0x00000000751F0000-memory.dmp
Filesize 7.7MB
-
memory/4740-18-0x0000000074A40000-0x00000000751F0000-memory.dmp
Filesize 7.7MB