Overview

overview

10

Static

static

3

0314c3cf58...62.exe

windows10-2004-x64

10

142ed11f80...59.exe

windows10-2004-x64

10

1f54336cee...4f.exe

windows10-2004-x64

10

2470f02746...37.exe

windows10-2004-x64

10

357dca1dd0...e2.exe

windows7-x64

10

357dca1dd0...e2.exe

windows10-2004-x64

10

367729c840...03.exe

windows10-2004-x64

10

3ae8cc733e...e3.exe

windows10-2004-x64

10

3ff87c5bd0...30.exe

windows10-2004-x64

10

4157cda315...a6.exe

windows10-2004-x64

10

5f318080c6...ea.exe

windows10-2004-x64

10

620f9ee1b4...8f.exe

windows10-2004-x64

10

6817354347...3a.exe

windows10-2004-x64

10

753cdc12b9...91.exe

windows10-2004-x64

10

a4215d26b6...74.exe

windows10-2004-x64

10

a4375e040f...82.exe

windows10-2004-x64

10

a619ae77d5...2e.exe

windows10-2004-x64

10

aaab139650...12.exe

windows10-2004-x64

10

aefec08eba...49.exe

windows10-2004-x64

10

d12f5fa25c...70.exe

windows10-2004-x64

7

e5b42981fd...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f.exe

  • Size

    421KB

  • MD5

    f43e85202791e82c59b8e07f76dabbfa

  • SHA1

    cf80bc8a656390e4e9ed061fd84a155f0665237f

  • SHA256

    620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f

  • SHA512

    5c8dd89131b27eb110b9ec35d7e0686c7cffed62d4257d0d506d93154eeacc0f8e14733ba4ebc4a5616e7c1fff02cbdc52eaa6f1e662ec857d94532084b360ff

  • SSDEEP

    12288:YMrhy90F+08qFUvu2hyW1eKFnTA9BKXjEARJfz7IU:pyX08qF32lIKFLEAl

Score
10/10
mysticpersistencestealer

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f.exe
    "C:\Users\Admin\AppData\Local\Temp\620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Ic30sc1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Ic30sc1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4464
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Zy3291.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Zy3291.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:3648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 152
          3⤵
          • Program crash
          PID:4284
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2880 -ip 2880
      1⤵
        PID:2832

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Ic30sc1.exe
        Filesize

        188KB

        MD5

        425e2a994509280a8c1e2812dfaad929

        SHA1

        4d5eff2fb3835b761e2516a873b537cbaacea1fe

        SHA256

        6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

        SHA512

        080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Zy3291.exe
        Filesize

        295KB

        MD5

        17cec2c047e194d91100a03fa021f5b5

        SHA1

        167b6ff24e18b97d4e3ed2f4c1e9e6caff3641c2

        SHA256

        74b604c56af61be45cb640201d9395ff20182a6d3ef69a6a0bfb43b314c2dff7

        SHA512

        c7b6e3e8ed08bf584df411cb453a3a232a830d8f5097aee6bcd0b7bf4adc49cdcdd0f3fbb0b66c193bb42bcc124f7a1c60dedb06710444ed1d98a902353c6eae

        Download Submit

      • memory/3648-20-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3648-24-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3648-21-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3648-22-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4464-12-0x00000000740C0000-0x0000000074870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4464-13-0x00000000051B0000-0x0000000005242000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4464-14-0x00000000740C0000-0x0000000074870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4464-16-0x00000000740C0000-0x0000000074870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4464-11-0x0000000005090000-0x00000000050AE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4464-9-0x00000000740C0000-0x0000000074870000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4464-10-0x0000000004AD0000-0x0000000005074000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4464-8-0x00000000025B0000-0x00000000025D0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4464-7-0x00000000740CE000-0x00000000740CF000-memory.dmp

        Filesize

        4KB

        Download