Analysis
-
max time kernel
136s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 17:26
General
-
Target
7d2d45b5937ea290b091c8ccd70073bfedc220269f4ab6c1833823d1678ed166.exe
-
Size
598KB
-
MD5
44d2059628937296edf7cf7ab9a0756b
-
SHA1
b1d514de0cd2845331038cb4f3ba1d94957ce453
-
SHA256
7d2d45b5937ea290b091c8ccd70073bfedc220269f4ab6c1833823d1678ed166
-
SHA512
62d89487ffafac8c0c81beec67ffb131a854ff072844bb33cded80c36915c5f869e8abbca0f62968edfc8be0c3baf7a77dbac0895b6df07cc454c26edaedf4af
-
SSDEEP
12288:OMrNy907un5B6oTC7L0t9WP+C5dGBIquDi4deB2pCIWCH/zfdyy:/yJB6oTEL0T++k0oy25yy
Malware Config
Signatures
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d2d45b5937ea290b091c8ccd70073bfedc220269f4ab6c1833823d1678ed166.exe"C:\Users\Admin\AppData\Local\Temp\7d2d45b5937ea290b091c8ccd70073bfedc220269f4ab6c1833823d1678ed166.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q5653655.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q5653655.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r9468086.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r9468086.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4456 -ip 44561⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
MD5839c38fc6c255f074e5d4ea8283e062a
SHA1060cb619fd168f044208ffa3035d5bf17a793930
SHA256e0c507f7bc4ce487d2e0b1e4188a11b8799fc0b0bf6c1cdf7d8bbd44fd95b7bd
SHA512448c9e60679b91aeff2a7a1530f52f05d264e186558898e8e8f5ea14abe72e123d1484db91f7e547a68b6d67944084209bac7da25f1fd7deb3861cdfb08c04d0
-
Filesize
1.4MB
MD53114ca627d5c4d30e1b4682ae4f342b5
SHA10efd30d71dcdfc8344a53b36e5937e9201ea11eb
SHA256f6ff97589d44d214aee60e9bf24b2b452dd6309ad2aa35bde284f80d1c1e5dc3
SHA512a35698a044122e8e4f5dd73dc0c3078535c7bbadb3d9d6ada6f2269d929822cda89763eea50135fd1795cf219bdfe145397cc94df4f9f6ea031169626b831293
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
120KB
-
Filesize
112KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
5.6MB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB