Overview

overview

10

Static

static

3

12529f4b65...8e.exe

windows10-2004-x64

10

177d217638...c9.exe

windows10-2004-x64

10

2dd3d7aef1...30.exe

windows10-2004-x64

10

3677484a61...a2.exe

windows10-2004-x64

10

4682d27822...6e.exe

windows10-2004-x64

10

492e1a379a...be.exe

windows10-2004-x64

10

50eee0d0ce...b6.exe

windows10-2004-x64

10

54a187adfc...90.exe

windows10-2004-x64

10

779aae8d26...ea.exe

windows10-2004-x64

10

7a8a88b0a1...14.exe

windows10-2004-x64

10

7d862d9155...a1.exe

windows10-2004-x64

10

994a6a489b...70.exe

windows10-2004-x64

10

b3e77f6d31...38.exe

windows10-2004-x64

10

b8349e4fcf...97.exe

windows10-2004-x64

10

c4b092b703...86.exe

windows10-2004-x64

10

c676d41b0a...68.exe

windows10-2004-x64

10

e6003af825...08.exe

windows10-2004-x64

10

edc38eb50d...b7.exe

windows10-2004-x64

10

ee34d9132f...8c.exe

windows10-2004-x64

10

f644369631...3f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 08:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b8349e4fcf81aaf69399949c00e2b6efa4edf8c68b2d76a88e1139a7a1017897.exe

  • Size

    448KB

  • MD5

    5c898b2f8892249d25ff1db25356629c

  • SHA1

    165e345df5ccc55b119826bfa59522c74d15a71f

  • SHA256

    b8349e4fcf81aaf69399949c00e2b6efa4edf8c68b2d76a88e1139a7a1017897

  • SHA512

    322748d61c5f44d94b21b52c6811e0358fccd8243aa6d48c5714c9301acec7a568d9c336098295e8b4410137e570f6d440d87ae4a8e892cfa77e5d02442f3022

  • SSDEEP

    12288:qMr6y90A39SI9kAc1YZ1iA0Zz2gbs3YY3:0y19SIy1Yzi552gYIY3

Score
10/10
mysticpersistencestealer

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8349e4fcf81aaf69399949c00e2b6efa4edf8c68b2d76a88e1139a7a1017897.exe
    "C:\Users\Admin\AppData\Local\Temp\b8349e4fcf81aaf69399949c00e2b6efa4edf8c68b2d76a88e1139a7a1017897.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vp04fs2.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vp04fs2.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4496
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2AG0360.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2AG0360.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:1040

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1vp04fs2.exe
      Filesize

      201KB

      MD5

      a07f1de1c9774d5a490b599e98a87928

      SHA1

      2e89540d18db9fc57132372abad292db56697b22

      SHA256

      4d39a22a2ac96eba80c0f05c8f198a8f62d49ec226a658ca9a4026f96a7799bb

      SHA512

      9d2366b0e427dde753c065430ae26ece060b70df1e6369e178a945e83efa0aec72e5d6ed236d41c09e342ec7f5040173d1d7edb46e3d1fe5877b60263747fb81

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2AG0360.exe
      Filesize

      320KB

      MD5

      a9e030fd61fa7e005d6e448b6a4f2b79

      SHA1

      98b89dbd0996494877391120414803c67ff25a66

      SHA256

      8ce4b331410d2abfc667296f2a8b06c1631b4101dff6069659fbf186d31e539d

      SHA512

      21002d8a3391341fe2404ddba546b566fe552829a6a8f5c85e896bc07ca931426ab71c64038873d0e26817c283f7a633c27db076ef124df6daef560a5e7f97c3

      Download Submit

    • memory/1040-23-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1040-20-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1040-21-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1040-19-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4496-9-0x00000000743B0000-0x0000000074B60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4496-12-0x0000000005080000-0x0000000005112000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4496-15-0x00000000743B0000-0x0000000074B60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4496-13-0x00000000743B0000-0x0000000074B60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4496-11-0x0000000004F60000-0x0000000004F7E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4496-10-0x0000000004970000-0x0000000004F14000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4496-8-0x0000000002470000-0x0000000002490000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4496-7-0x00000000743BE000-0x00000000743BF000-memory.dmp

      Filesize

      4KB

      Download