Analysis
-
max time kernel
148s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 19:19
General
-
Target
3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e.exe
-
Size
598KB
-
MD5
ef05c4af3fa8c48fc1a3c918a044338a
-
SHA1
3b4169fb61e0bdfb2282c39ba798e74ff906bb44
-
SHA256
3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e
-
SHA512
5263ffe286c38403467462f3d2a2ce77b0a7ad70a7bd01c77b859dbe47e069bca8b64609a08bfa7917e834644714b86b46a5ee43e4daaee254102169bac43cd5
-
SSDEEP
12288:MMrdy90Gun5B6oTeRNKHPWbOk9fYWpGxkkY5kkfn3mfyp9TIbIpEfEdDs0:ByeB6oTebsRcfYyGxkX3jpbemg0
Malware Config
Signatures
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e.exe"C:\Users\Admin\AppData\Local\Temp\3e348a855b33640bb6aa790859bfa7dbd1b740b53c1de343d38127d859c8f54e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vN75AF1.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vN75AF1.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GJ7354.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GJ7354.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 5963⤵
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3148,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1828 -ip 18281⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vN75AF1.exeFilesize
192KB
MD58904f85abd522c7d0cb5789d9583ccff
SHA15b34d8595b37c9e1fb9682b06dc5228efe07f0c6
SHA2567624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f
SHA51204dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GJ7354.exeFilesize
1.4MB
MD5320ee3ce5dc29e83cfd0ffef376e59b0
SHA1b705ad95ea4da10c4977b5120e4daaf3806b49ab
SHA256c086478074272eb7d46878d268455dd3505011845cc8115a483ff1bacacd153c
SHA512529333fcc8ff4afd19f4d2515cd3194b4b68404fc51da128118afdc640e22dbda2e494fbf262467b5156d85f2e2a26a4e8f222286ca57c7f8c04620fe418a8df
-
memory/4556-51-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4556-49-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4556-48-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4556-47-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/4592-31-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-23-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-25-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-35-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-41-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-39-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-37-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-33-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-12-0x0000000074860000-0x0000000075010000-memory.dmpFilesize
7.7MB
-
memory/4592-29-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-27-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-13-0x0000000074860000-0x0000000075010000-memory.dmpFilesize
7.7MB
-
memory/4592-21-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-19-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-17-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-15-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-14-0x0000000002650000-0x0000000002666000-memory.dmpFilesize
88KB
-
memory/4592-43-0x0000000074860000-0x0000000075010000-memory.dmpFilesize
7.7MB
-
memory/4592-11-0x0000000002650000-0x000000000266C000-memory.dmpFilesize
112KB
-
memory/4592-10-0x00000000049E0000-0x0000000004F84000-memory.dmpFilesize
5.6MB
-
memory/4592-9-0x0000000074860000-0x0000000075010000-memory.dmpFilesize
7.7MB
-
memory/4592-8-0x0000000002470000-0x000000000248E000-memory.dmpFilesize
120KB
-
memory/4592-7-0x000000007486E000-0x000000007486F000-memory.dmpFilesize
4KB