Analysis
- max time kernel: 51s
- max time network: 62s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-04-2024 07:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
- Resource: win10v2004-20240226-en
General
- Target: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
- Size: 330KB
- MD5: 73337493b31c5c10d102c7d42153c864
- SHA1: 903d8ba2dab13ea55e0b6f13f607caff4df56aaa
- SHA256: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46
- SHA512: 7848c05fe05430d48556acc5c75ee5b2b33df29356e5f20e204fd69ae3b2fde3abb515220cb515b962ae533dea5de2f093af84d8c66f5daff6e865be58eba23e
- SSDEEP: 6144:KLy+bnr+fp0yN90QEE0ST8+kRAUXHx39ONZAQnJv8KW/4CMz5D+:9Mrny90pSTxymuQB8PAL+
Malware Config
Signatures
- Detect Mystic stealer payload (4 IoCs)
  Processes:
    resource: behavioral1/memory/3248-7-0x0000000000400000-0x0000000000433000-memory.dmp; yara_rule: mystic_family
    resource: behavioral1/memory/3248-8-0x0000000000400000-0x0000000000433000-memory.dmp; yara_rule: mystic_family
    resource: behavioral1/memory/3248-9-0x0000000000400000-0x0000000000433000-memory.dmp; yara_rule: mystic_family
    resource: behavioral1/memory/3248-11-0x0000000000400000-0x0000000000433000-memory.dmp; yara_rule: mystic_family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 5Qt9WY4.exe
    description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation; process: 5Qt9WY4.exe
- Executes dropped EXE (2 IoCs)
  Processes: 4ty923ky.exe, 5Qt9WY4.exe
    pid: 3024; process: 4ty923ky.exe
    pid: 2920; process: 5Qt9WY4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
    description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""; process: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 4ty923ky.exe
    description: PID 3024 set thread context of 3248; pid: 3024; process: 4ty923ky.exe; target process: AppLaunch.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid: 4344; pid_target: 3248; process: WerFault.exe; target process: AppLaunch.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe, 4ty923ky.exe, 5Qt9WY4.exe
    description: PID 3280 wrote to memory of 3024; pid: 3280; process: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe; target process: 4ty923ky.exe
    description: PID 3280 wrote to memory of 3024; pid: 3280; process: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe; target process: 4ty923ky.exe
    description: PID 3280 wrote to memory of 3024; pid: 3280; process: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe; target process: 4ty923ky.exe
    description: PID 3024 wrote to memory of 3248; pid: 3024; process: 4ty923ky.exe; target process: AppLaunch.exe
    description: PID 3024 wrote to memory of 3248; pid: 3024; process: 4ty923ky.exe; target process: AppLaunch.exe
    description: PID 3024 wrote to memory of 3248; pid: 3024; process: 4ty923ky.exe; target process: AppLaunch.exe
    description: PID 3024 wrote to memory of 3248; pid: 3024; process: 4ty923ky.exe; target process: AppLaunch.exe
    description: PID 3024 wrote to memory of 3248; pid: 3024; process: 4ty923ky.exe; target process: AppLaunch.exe
    description: PID 3024 wrote to memory of 3248; pid: 3024; process: 4ty923ky.exe; target process: AppLaunch.exe
    description: PID 3024 wrote to memory of 3248; pid: 3024; process: 4ty923ky.exe; target process: AppLaunch.exe
    description: PID 3024 wrote to memory of 3248; pid: 3024; process: 4ty923ky.exe; target process: AppLaunch.exe
    description: PID 3024 wrote to memory of 3248; pid: 3024; process: 4ty923ky.exe; target process: AppLaunch.exe
    description: PID 3024 wrote to memory of 3248; pid: 3024; process: 4ty923ky.exe; target process: AppLaunch.exe
    description: PID 3280 wrote to memory of 2920; pid: 3280; process: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe; target process: 5Qt9WY4.exe
    description: PID 3280 wrote to memory of 2920; pid: 3280; process: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe; target process: 5Qt9WY4.exe
    description: PID 3280 wrote to memory of 2920; pid: 3280; process: 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe; target process: 5Qt9WY4.exe
    description: PID 2920 wrote to memory of 3700; pid: 2920; process: 5Qt9WY4.exe; target process: cmd.exe
    description: PID 2920 wrote to memory of 3700; pid: 2920; process: 5Qt9WY4.exe; target process: cmd.exe
    description: PID 2920 wrote to memory of 3700; pid: 2920; process: 5Qt9WY4.exe; target process: cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe"
  PID: 3280
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe
    PID: 3024
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 3248
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 540
        PID: 4344
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe
    PID: 2920
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
      PID: 3700
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3248 -ip 3248
  PID: 2948
Network
MITRE ATT&CK Enterprise v15
Downloads