Analysis
-
max time kernel
131s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
23-05-2024 17:01
General
-
Target
5d2993b3c14eb3f833d52e4874f37ee17b3eeb5d75594bb31700eeb723ec95f9.exe
-
Size
452KB
-
MD5
39526e106dbda09d8e555a0ff20f30d0
-
SHA1
a91b8cf366ff6fb255556160147aca84a2531ec8
-
SHA256
5d2993b3c14eb3f833d52e4874f37ee17b3eeb5d75594bb31700eeb723ec95f9
-
SHA512
ecabf935ad68fa4ff5a0791092d34f356850dec9c893f3f22c0c443353cec50aecf12a9957f4951d3f32c5362541a4a1dd87c90c6d81573cd9ab6baf84d9aca1
-
SSDEEP
12288:fMrsy906un5B6oTqaKjD7Lh1SsmrdMZ71c2w7F:LySB6oTsPSs2Uo7F
Malware Config
Signatures
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d2993b3c14eb3f833d52e4874f37ee17b3eeb5d75594bb31700eeb723ec95f9.exe"C:\Users\Admin\AppData\Local\Temp\5d2993b3c14eb3f833d52e4874f37ee17b3eeb5d75594bb31700eeb723ec95f9.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xr29Lp5.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xr29Lp5.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ti1092.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ti1092.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 5963⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1452 -ip 14521⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
MD58904f85abd522c7d0cb5789d9583ccff
SHA15b34d8595b37c9e1fb9682b06dc5228efe07f0c6
SHA2567624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f
SHA51204dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12
-
Filesize
378KB
MD5f0831f173733de08511f3a0739f278a6
SHA106dc809d653c5d2c97386084ae13b50a73eb5b60
SHA2568b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA51219e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
112KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
4KB