Overview

overview

10

Static

static

3

0697314d1d...a5.exe

windows10-2004-x64

10

0f998493b8...79.exe

windows10-2004-x64

10

21e1937094...38.exe

windows10-2004-x64

10

2800d64eb3...31.exe

windows10-2004-x64

10

299e46ee08...d5.exe

windows10-2004-x64

10

3d64fae31a...d7.exe

windows10-2004-x64

10

652a4e2d36...35.exe

windows10-2004-x64

10

6b4d258a8d...1a.exe

windows10-2004-x64

10

74c99e0dfd...42.exe

windows10-2004-x64

10

7e6bab9491...d0.exe

windows10-2004-x64

10

80af2b3540...7e.exe

windows10-2004-x64

10

a96b277202...ca.exe

windows10-2004-x64

10

b618a9cedf...7f.exe

windows10-2004-x64

10

c1237a6a46...5b.exe

windows10-2004-x64

10

d7fde0f5ef...97.exe

windows10-2004-x64

10

da85318c86...60.exe

windows10-2004-x64

10

dc220ed080...4e.exe

windows10-2004-x64

10

e5e7bb0a7c...4a.exe

windows10-2004-x64

10

e91c8d8104...e0.exe

windows10-2004-x64

10

f3b6442113...3b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    299e46ee08841fc6eb4d1c18d756d39f82a681622c3d6cb0e68ec7f71013a4d5.exe

  • Size

    621KB

  • MD5

    873fe20000f2954d9b2e2d3a1ee146ab

  • SHA1

    6d076ad8ec8c2eba2a1e1cf43a0089377c61e9b7

  • SHA256

    299e46ee08841fc6eb4d1c18d756d39f82a681622c3d6cb0e68ec7f71013a4d5

  • SHA512

    95f67206b77726a45449e20586b0e50798d6f9ec0ced4ae0c6eae88501ad33c2c1b0f5dba7856acdb96a149d97732a7ed57f88d7c7f92141b6ed05f7b6f46fce

  • SSDEEP

    12288:sMrPy90Hk8UpyDuuSZum4/9WArLJFskN/L5BLSXAAyesaNR:Lyz8gy9SArvsk1sAte5D

Score
10/10
mysticpersistencestealer

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\299e46ee08841fc6eb4d1c18d756d39f82a681622c3d6cb0e68ec7f71013a4d5.exe
    "C:\Users\Admin\AppData\Local\Temp\299e46ee08841fc6eb4d1c18d756d39f82a681622c3d6cb0e68ec7f71013a4d5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xT09Op9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xT09Op9.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wh3272.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wh3272.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:1796

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1xT09Op9.exe
      Filesize

      195KB

      MD5

      7f726f7dac36a27880ea545866534dda

      SHA1

      a644a86f8ffe8497101eb2c8ef69b859fb51119d

      SHA256

      7d8062c6ae88e04ecadb6f8eb85e1d77caba2cb70fed241f04454fd5d70ced2a

      SHA512

      8d8216a173bf1b498e5bf6d9292b05cd27b913c3203e296d55b169a1980bc38d8589bdb3e88a685a238183a60b8e86049cf280dd47143445c1ba5b6d287c2775

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wh3272.exe
      Filesize

      1.1MB

      MD5

      a1c1c44e837edbc2d55d33ba9620a109

      SHA1

      0ba4e08d7b6f17f968d1f7cad75d0a3885bae998

      SHA256

      4160c00350706d7630b0a8bfb47722e7ec956858ab07d5adc9345e37ccb751e5

      SHA512

      75267e9d0652e006107506457c5253fe701149888ad977d95f52d215410b18e3b145c8779ae389b718f090c5aa41d614e45deb38a96852a07a299a5b075c02bc

      Download Submit

    • memory/1796-22-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1796-24-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1796-21-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1796-20-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3904-12-0x0000000005070000-0x0000000005102000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3904-13-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3904-14-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3904-16-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3904-10-0x0000000004F50000-0x0000000004F6E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3904-11-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3904-9-0x0000000004990000-0x0000000004F34000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3904-8-0x0000000002470000-0x0000000002490000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3904-7-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

      Filesize

      4KB

      Download