Overview

overview

10

Static

static

3

8abe67f3fa...f9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe

  • Size

    523KB

  • MD5

    dcee3487134de31384cc480650d0b872

  • SHA1

    728aac232b591c08d2a0a727a5024afdb17f3b56

  • SHA256

    8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9

  • SHA512

    dd0751578f48b5a2e6931c31865c235f464fb3d6fe4bdbd8389ab9d8429b0ffb69205773b276dc930ab1dc672fe7ed724559bdb4a1896ba26bc9cd3b74570399

  • SSDEEP

    12288:4Mr8y900yOk63JeBswLMA9Kyzr7Hx/XupZF7:UyMx0eB0Ryzr7Hx/XupZF7

Score
10/10
mysticevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe
    "C:\Users\Admin\AppData\Local\Temp\8abe67f3fa19414604fbb2a1510012895dbf0e89c55c9ff8d1a156b868ee9bf9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xs28ee6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xs28ee6.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4784
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4152
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pm7744.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pm7744.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:2004
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 540
            4⤵
            • Program crash
            PID:3568
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2004 -ip 2004
      1⤵
        PID:3172

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Impair Defenses

      1
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xs28ee6.exe
        Filesize

        878KB

        MD5

        339ea0b5985189bed9df55b41d322bfd

        SHA1

        1bfaf3fe436a2c778d3274fc2d729f7a706fca47

        SHA256

        c4bd0604ca387c82df1418215f3a408bc3e2877531c2f355f6df8569b7de2b49

        SHA512

        3f1cce7155e0fca30cc9469c0566e40c43f28df6445fc284521283da0aa9f01c67b3fc026a3b9841f1630f677fa8326dba69171d594013d601beb50c68ed3f87

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pm7744.exe
        Filesize

        1.1MB

        MD5

        6c0733d56c61c694254f33440224ade4

        SHA1

        45c9a26fbe1d7d1221655ee0ea85a2e8a138eab6

        SHA256

        3a8f1997f1e756b408fa3e20bfd1e3fccdcc20e6d223999b253c97457224feea

        SHA512

        2e1436edfb5b74e2a0dfb10e1da9e8c38f435e046aae5a7e418d328d52c01b4000b2e15fcbefbf6969750c638000bc4b63afc49ee15df43db30e093af5ded95d

        Download Submit
      • memory/2004-12-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2004-13-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2004-14-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2004-16-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/4152-7-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4152-11-0x0000000074290000-0x0000000074A40000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4152-18-0x0000000074290000-0x0000000074A40000-memory.dmp
        Filesize

        7.7MB

        Download