Analysis
-
max time kernel
140s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 17:10
General
-
Target
9fb3613b8287cadb1f1a45c550f5b98f012dcc95bb947f3b8b3d68303b6bc3eb.exe
-
Size
599KB
-
MD5
197e867035f6a1eee8b6b2a0d3c19804
-
SHA1
f981fb4379333ba6c95ab8cc689c502a7c285ce8
-
SHA256
9fb3613b8287cadb1f1a45c550f5b98f012dcc95bb947f3b8b3d68303b6bc3eb
-
SHA512
379eeb4d090b0bbd013c231cfae16ba78ae3f0d2941e48158178865f8ca637a2f5948b3b18cb8519470fb398a93b4830e7531328bcef14d1ca62c3a792b07ab9
-
SSDEEP
12288:bMrby90Uun5B6oTMSX5u3QnPsRGFQO1WqeeNJ5yil2iyDlArWhhiTX:QyqB6oTM6U3hREYqBNx/yDlsES
Malware Config
Signatures
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fb3613b8287cadb1f1a45c550f5b98f012dcc95bb947f3b8b3d68303b6bc3eb.exe"C:\Users\Admin\AppData\Local\Temp\9fb3613b8287cadb1f1a45c550f5b98f012dcc95bb947f3b8b3d68303b6bc3eb.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q1893835.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q1893835.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7232574.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7232574.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 5923⤵
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4672,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3976 -ip 39761⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q1893835.exeFilesize
192KB
MD54e96c616a4b87e9f9b473d201fcbc7a2
SHA1517f14f4b569fa4151c4486ee623a041aaab896d
SHA2568345c3d52c960db3bedad59199edab9991c4be3caad45f969ff9638e88a481c6
SHA51225effea644bfccd3406ac24b19247e32aa45e3d24918706b513d5ae8c69150bfc2c720882bf351d96e8af5419ace67eb044752323cd1e353c9b983e930b6a073
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7232574.exeFilesize
1.4MB
MD57518415a722d4df208536a1c8c742b2e
SHA104e8e99a7efd74c7338636194b276e6906738ce7
SHA2568723656c749074f97599acab27d9f46b4cb57a993911a11bb789ac61065f79d3
SHA512b886c23241eedd8ab93a0e8fec45e101f61a5db7015062c15a215b2a23725aa3a0c2c76f7860b78400e600f7053aa5677e01bc77645572b0e416b035a8fa5c80
-
memory/1996-48-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1996-49-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1996-51-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1996-47-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4816-24-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-16-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-40-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-41-0x0000000074430000-0x0000000074BE0000-memory.dmpFilesize
7.7MB
-
memory/4816-39-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-30-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-28-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-26-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-12-0x0000000004990000-0x00000000049AC000-memory.dmpFilesize
112KB
-
memory/4816-22-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-18-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-20-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-14-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-13-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-36-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-34-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-32-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4816-43-0x0000000074430000-0x0000000074BE0000-memory.dmpFilesize
7.7MB
-
memory/4816-11-0x0000000074430000-0x0000000074BE0000-memory.dmpFilesize
7.7MB
-
memory/4816-10-0x0000000004B00000-0x00000000050A4000-memory.dmpFilesize
5.6MB
-
memory/4816-9-0x0000000074430000-0x0000000074BE0000-memory.dmpFilesize
7.7MB
-
memory/4816-8-0x00000000006F0000-0x000000000070E000-memory.dmpFilesize
120KB
-
memory/4816-7-0x000000007443E000-0x000000007443F000-memory.dmpFilesize
4KB