Analysis

- max time kernel: 142s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-11-2023 22:25

Static task: static1
Behavioral task: behavioral1
Sample: 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe
Resource: win10v2004-20231020-en
General

- Target: 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe
- Size: 523KB
- MD5: dcee3487134de31384cc480650d0b872
- SHA1: 728aac232b591c08d2a0a727a5024afdb17f3b56
- SHA256: 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9
- SHA512: dd0751578f48b5a2e6931c31865c235f464fb3d6fe4bdbd8389ab9d8429b0ffb69205773b276dc930ab1dc672fe7ed724559bdb4a1896ba26bc9cd3b74570399
- SSDEEP: 12288:4Mr8y900yOk63JeBswLMA9Kyzr7Hx/XupZF7:UyMx0eB0Ryzr7Hx/XupZF7
Malware Config
Signatures

Detect Mystic stealer payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/3856-12-0x0000000000400000-0x0000000000434000-memory.dmp | mystic_family
  behavioral1/memory/3856-13-0x0000000000400000-0x0000000000434000-memory.dmp | mystic_family
  behavioral1/memory/3856-14-0x0000000000400000-0x0000000000434000-memory.dmp | mystic_family
  behavioral1/memory/3856-16-0x0000000000400000-0x0000000000434000-memory.dmp | mystic_family

Modifies Windows Defender Real-time Protection settings
  Processes: AppLaunch.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe

Executes dropped EXE (2 IoCs)
  Processes: 1xs28ee6.exe, 2pm7744.exe
  pid | process
  2572 | 1xs28ee6.exe
  1540 | 2pm7744.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe

Suspicious use of SetThreadContext (2 IoCs)
  Processes: 1xs28ee6.exe, 2pm7744.exe
  description | pid | process | target process
  PID 2572 set thread context of 548 | 2572 | 1xs28ee6.exe | AppLaunch.exe
  PID 1540 set thread context of 3856 | 1540 | 2pm7744.exe | AppLaunch.exe

Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2952 | 3856 | WerFault.exe | AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: AppLaunch.exe
  pid | process
  548 | AppLaunch.exe
  548 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: AppLaunch.exe
  description | pid | process
  Token: SeDebugPrivilege | 548 | AppLaunch.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe, 1xs28ee6.exe, 2pm7744.exe
  description | pid | process | target process
  PID 4548 wrote to memory of 2572 | 4548 | 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe | 1xs28ee6.exe
  PID 4548 wrote to memory of 2572 | 4548 | 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe | 1xs28ee6.exe
  PID 4548 wrote to memory of 2572 | 4548 | 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe | 1xs28ee6.exe
  PID 2572 wrote to memory of 548 | 2572 | 1xs28ee6.exe | AppLaunch.exe
  PID 2572 wrote to memory of 548 | 2572 | 1xs28ee6.exe | AppLaunch.exe
  PID 2572 wrote to memory of 548 | 2572 | 1xs28ee6.exe | AppLaunch.exe
  PID 2572 wrote to memory of 548 | 2572 | 1xs28ee6.exe | AppLaunch.exe
  PID 2572 wrote to memory of 548 | 2572 | 1xs28ee6.exe | AppLaunch.exe
  PID 2572 wrote to memory of 548 | 2572 | 1xs28ee6.exe | AppLaunch.exe
  PID 2572 wrote to memory of 548 | 2572 | 1xs28ee6.exe | AppLaunch.exe
  PID 2572 wrote to memory of 548 | 2572 | 1xs28ee6.exe | AppLaunch.exe
  PID 4548 wrote to memory of 1540 | 4548 | 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe | 2pm7744.exe
  PID 4548 wrote to memory of 1540 | 4548 | 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe | 2pm7744.exe
  PID 4548 wrote to memory of 1540 | 4548 | 8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe | 2pm7744.exe
  PID 1540 wrote to memory of 700 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 700 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 700 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 3856 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 3856 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 3856 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 3856 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 3856 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 3856 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 3856 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 3856 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 3856 | 1540 | 2pm7744.exe | AppLaunch.exe
  PID 1540 wrote to memory of 3856 | 1540 | 2pm7744.exe | AppLaunch.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xs28ee6.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xs28ee6.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pm7744.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pm7744.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

    [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

      [depth 4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 540
        - Program crash

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3856 -ip 3856
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xs28ee6.exe
  Filesize: 878KB
  MD5: 339ea0b5985189bed9df55b41d322bfd
  SHA1: 1bfaf3fe436a2c778d3274fc2d729f7a706fca47
  SHA256: c4bd0604ca387c82df1418215f3a408bc3e2877531c2f355f6df8569b7de2b49
  SHA512: 3f1cce7155e0fca30cc9469c0566e40c43f28df6445fc284521283da0aa9f01c67b3fc026a3b9841f1630f677fa8326dba69171d594013d601beb50c68ed3f87

- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pm7744.exe
  Filesize: 1.1MB
  MD5: 6c0733d56c61c694254f33440224ade4
  SHA1: 45c9a26fbe1d7d1221655ee0ea85a2e8a138eab6
  SHA256: 3a8f1997f1e756b408fa3e20bfd1e3fccdcc20e6d223999b253c97457224feea
  SHA512: 2e1436edfb5b74e2a0dfb10e1da9e8c38f435e046aae5a7e418d328d52c01b4000b2e15fcbefbf6969750c638000bc4b63afc49ee15df43db30e093af5ded95d
- memory/548-7-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB

- memory/548-11-0x0000000074800000-0x0000000074FB0000-memory.dmp
  Filesize: 7.7MB

- memory/548-18-0x0000000074800000-0x0000000074FB0000-memory.dmp
  Filesize: 7.7MB

- memory/3856-12-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB

- memory/3856-13-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB

- memory/3856-14-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB

- memory/3856-16-0x0000000000400000-0x0000000000434000-memory.dmp
  Filesize: 208KB