Analysis
-
max time kernel
137s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 05:30
General
-
Target
da85318c86e347642de41ee65fd6363813b5e0b29587b390f0258c819f35ec60.exe
-
Size
479KB
-
MD5
a36f65f317ac41f8fd835d9472e54596
-
SHA1
0770f7e17bee482e980bde6157d36ab6612eafa5
-
SHA256
da85318c86e347642de41ee65fd6363813b5e0b29587b390f0258c819f35ec60
-
SHA512
8dbfcc1b252a305f435b289ba4433e3c6c6256a8bfe99b73e1b323270c174885ad6ed3917607b1fc81573f79ce6e07ed7bb91dbae1d693ed9a04d948d58eb32d
-
SSDEEP
12288:QMr5y90ud12LTOXvHR3swsWf4yLlnzmXJ:5yeTOXvHRLsWQ4lnzA
Malware Config
Signatures
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\da85318c86e347642de41ee65fd6363813b5e0b29587b390f0258c819f35ec60.exe"C:\Users\Admin\AppData\Local\Temp\da85318c86e347642de41ee65fd6363813b5e0b29587b390f0258c819f35ec60.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1iL26jR8.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1iL26jR8.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wR4164.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wR4164.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 5763⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1920 -ip 19201⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
194KB
MD535d718538c3e1346cb4fcf54aaa0f141
SHA1234c0aa0465c27c190a83936e8e3aa3c4b991224
SHA25697e62bfa90aca06c595fb150e36f56b4a285f58cc072b8c458ae79805523fc36
SHA5124bcf5cabe93ec54608ccb95d80822f411bb32c2746be609873a493045913fb53e0a953e75f82dfe620d661f049437da7a70d34995dc915bb0b09426e97f0aec3
-
Filesize
423KB
MD54c2bad1fd96c888ce1fe27e206e3f656
SHA19daab8534f7de7bb43472fc9c9672da31567fa0e
SHA256e6f399a2b4b56b0bd7a9402e01ff13554fbae7195df6ec1e6faeafdc04f72537
SHA5127174cba5194c8ea273d0ff3dce0a426eecb0ac86b4ad8defb1b5f29ad33f9f55a7fbb9d0ded82dfdcb2846963aabc8a23ad319568b6a379fdd27715fd4071976
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
112KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
4KB