Resubmissions

05-04-2024 07:57

240405-js9mjaeh5y 10

10-11-2023 04:48

231110-fe873ada44 10

Analysis

  • max time kernel
    51s
  • max time network
    62s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-04-2024 07:57

General

  • Target

    40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe

  • Size

    330KB

  • MD5

    73337493b31c5c10d102c7d42153c864

  • SHA1

    903d8ba2dab13ea55e0b6f13f607caff4df56aaa

  • SHA256

    40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46

  • SHA512

    7848c05fe05430d48556acc5c75ee5b2b33df29356e5f20e204fd69ae3b2fde3abb515220cb515b962ae533dea5de2f093af84d8c66f5daff6e865be58eba23e

  • SSDEEP

    6144:KLy+bnr+fp0yN90QEE0ST8+kRAUXHx39ONZAQnJv8KW/4CMz5D+:9Mrny90pSTxymuQB8PAL+

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
    "C:\Users\Admin\AppData\Local\Temp\40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:3248
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 540
            4⤵
            • Program crash
            PID:4344
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
          3⤵
            PID:3700
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3248 -ip 3248
        1⤵
          PID:2948

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe

          Filesize

          300KB

          MD5

          029cf82638b1154788b6282d98145bd2

          SHA1

          eeb8c589b10cdd5a74c59003b39b241e4e1a76a6

          SHA256

          58a01049db4cd0c261a020d67cfbf650879435720ab9815f40372046316a4709

          SHA512

          c768c11e940501e92785ad1989bc7905be585a3b3363ce4aa9ec7e20c1dce069185c68f2294a4b2c6e389bf9360ce68a2046b877d38aa3aa80853a15cd0a5435

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe

          Filesize

          73KB

          MD5

          b3ec308b68f91a6a792a9b150cf7447e

          SHA1

          c29903c1ccf07cb06147bee1990df0bf9c214561

          SHA256

          50221e85d5d46abd1682c85cdf175f0140521a3c3c90606136965c045a48490b

          SHA512

          8f25ec293fda40ac2e57033c73918ebbd6d45d991dc30fa442f611934b36fc78c00b877240aba0c131d4a058e8ec9fb506f9d4ea892cd508a51880d2849b186f

        • C:\Users\Admin\AppData\Local\Temp\is64.bat

          Filesize

          181B

          MD5

          225edee1d46e0a80610db26b275d72fb

          SHA1

          ce206abf11aaf19278b72f5021cc64b1b427b7e8

          SHA256

          e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

          SHA512

          4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

        • C:\Users\Admin\AppData\Local\Temp\is64.txt

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • memory/3248-7-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/3248-8-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/3248-9-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/3248-11-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB