Overview

overview

10

Static

static

3

16b785fdba...08.exe

windows10-2004-x64

10

17bfe16ecf...a7.exe

windows10-2004-x64

10

30deda44ad...a8.exe

windows10-2004-x64

10

3e348a855b...4e.exe

windows10-2004-x64

10

458df588f5...8e.exe

windows10-2004-x64

10

481a0f4fa4...b6.exe

windows10-2004-x64

10

54ca1e2099...d4.exe

windows10-2004-x64

10

5645ed9dff...fa.exe

windows10-2004-x64

10

5d8e30863d...60.exe

windows10-2004-x64

7

74646b4cce...46.exe

windows10-2004-x64

10

86e6dff72e...d8.exe

windows10-2004-x64

10

8fe46c7fa8...3b.exe

windows10-2004-x64

10

a261c92b0b...5a.exe

windows10-2004-x64

10

a67b0f00c8...14.exe

windows10-2004-x64

10

acb13f0321...3c.exe

windows10-2004-x64

10

b59f946473...f9.exe

windows10-2004-x64

10

c15c0b27fc...af.exe

windows10-2004-x64

10

dbb1ff59d8...b8.exe

windows10-2004-x64

10

e45cad29f3...cf.exe

windows10-2004-x64

10

fd708e30f7...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e.exe

  • Size

    598KB

  • MD5

    ef05c4af3fa8c48fc1a3c918a044338a

  • SHA1

    3b4169fb61e0bdfb2282c39ba798e74ff906bb44

  • SHA256

    3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e

  • SHA512

    5263ffe286c38403467462f3d2a2ce77b0a7ad70a7bd01c77b859dbe47e069bca8b64609a08bfa7917e834644714b86b46a5ee43e4daaee254102169bac43cd5

  • SSDEEP

    12288:MMrdy90Gun5B6oTeRNKHPWbOk9fYWpGxkkY5kkfn3mfyp9TIbIpEfEdDs0:ByeB6oTebsRcfYyGxkX3jpbemg0

Score
10/10
mysticevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e.exe
    "C:\Users\Admin\AppData\Local\Temp\3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vN75AF1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vN75AF1.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4592
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GJ7354.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GJ7354.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:4556
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 596
          3⤵
          • Program crash
          PID:2884
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3148,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
      1⤵
        PID:4696
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1828 -ip 1828
        1⤵
          PID:2800
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start wuauserv
          1⤵
          • Launches sc.exe
          PID:2244

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vN75AF1.exe
          Filesize

          192KB

          MD5

          8904f85abd522c7d0cb5789d9583ccff

          SHA1

          5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

          SHA256

          7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

          SHA512

          04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GJ7354.exe
          Filesize

          1.4MB

          MD5

          320ee3ce5dc29e83cfd0ffef376e59b0

          SHA1

          b705ad95ea4da10c4977b5120e4daaf3806b49ab

          SHA256

          c086478074272eb7d46878d268455dd3505011845cc8115a483ff1bacacd153c

          SHA512

          529333fcc8ff4afd19f4d2515cd3194b4b68404fc51da128118afdc640e22dbda2e494fbf262467b5156d85f2e2a26a4e8f222286ca57c7f8c04620fe418a8df

          Download Submit

        • memory/4556-51-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/4556-49-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/4556-48-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/4556-47-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/4592-31-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-23-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-25-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-35-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-41-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-39-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-37-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-33-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-12-0x0000000074860000-0x0000000075010000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4592-29-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-27-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-13-0x0000000074860000-0x0000000075010000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4592-21-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-19-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-17-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-15-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-14-0x0000000002650000-0x0000000002666000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4592-43-0x0000000074860000-0x0000000075010000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4592-11-0x0000000002650000-0x000000000266C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4592-10-0x00000000049E0000-0x0000000004F84000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4592-9-0x0000000074860000-0x0000000075010000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4592-8-0x0000000002470000-0x000000000248E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4592-7-0x000000007486E000-0x000000007486F000-memory.dmp

          Filesize

          4KB

          Download