Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 18:29
General
-
Target
3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e.exe
-
Size
598KB
-
MD5
ef05c4af3fa8c48fc1a3c918a044338a
-
SHA1
3b4169fb61e0bdfb2282c39ba798e74ff906bb44
-
SHA256
3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e
-
SHA512
5263ffe286c38403467462f3d2a2ce77b0a7ad70a7bd01c77b859dbe47e069bca8b64609a08bfa7917e834644714b86b46a5ee43e4daaee254102169bac43cd5
-
SSDEEP
12288:MMrdy90Gun5B6oTeRNKHPWbOk9fYWpGxkkY5kkfn3mfyp9TIbIpEfEdDs0:ByeB6oTebsRcfYyGxkX3jpbemg0
Malware Config
Signatures
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e.exe"C:\Users\Admin\AppData\Local\Temp\3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vN75AF1.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vN75AF1.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GJ7354.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GJ7354.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3236 -ip 32361⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vN75AF1.exeFilesize
192KB
MD58904f85abd522c7d0cb5789d9583ccff
SHA15b34d8595b37c9e1fb9682b06dc5228efe07f0c6
SHA2567624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f
SHA51204dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GJ7354.exeFilesize
1.4MB
MD5320ee3ce5dc29e83cfd0ffef376e59b0
SHA1b705ad95ea4da10c4977b5120e4daaf3806b49ab
SHA256c086478074272eb7d46878d268455dd3505011845cc8115a483ff1bacacd153c
SHA512529333fcc8ff4afd19f4d2515cd3194b4b68404fc51da128118afdc640e22dbda2e494fbf262467b5156d85f2e2a26a4e8f222286ca57c7f8c04620fe418a8df
-
memory/3872-49-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3872-51-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3872-48-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3872-47-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4604-14-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-26-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-40-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-38-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-41-0x0000000074230000-0x00000000749E0000-memory.dmpFilesize
7.7MB
-
memory/4604-36-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-34-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-16-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-12-0x0000000074230000-0x00000000749E0000-memory.dmpFilesize
7.7MB
-
memory/4604-30-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-28-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-32-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-24-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-22-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-20-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-18-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-13-0x0000000004990000-0x00000000049A6000-memory.dmpFilesize
88KB
-
memory/4604-43-0x0000000074230000-0x00000000749E0000-memory.dmpFilesize
7.7MB
-
memory/4604-11-0x0000000004990000-0x00000000049AC000-memory.dmpFilesize
112KB
-
memory/4604-10-0x0000000004A40000-0x0000000004FE4000-memory.dmpFilesize
5.6MB
-
memory/4604-9-0x0000000074230000-0x00000000749E0000-memory.dmpFilesize
7.7MB
-
memory/4604-8-0x0000000002370000-0x000000000238E000-memory.dmpFilesize
120KB
-
memory/4604-7-0x000000007423E000-0x000000007423F000-memory.dmpFilesize
4KB