Overview

overview

10

Static

static

3

0314c3cf58...62.exe

windows10-2004-x64

10

142ed11f80...59.exe

windows10-2004-x64

10

1f54336cee...4f.exe

windows10-2004-x64

10

2470f02746...37.exe

windows10-2004-x64

10

357dca1dd0...e2.exe

windows7-x64

10

357dca1dd0...e2.exe

windows10-2004-x64

10

367729c840...03.exe

windows10-2004-x64

10

3ae8cc733e...e3.exe

windows10-2004-x64

10

3ff87c5bd0...30.exe

windows10-2004-x64

10

4157cda315...a6.exe

windows10-2004-x64

10

5f318080c6...ea.exe

windows10-2004-x64

10

620f9ee1b4...8f.exe

windows10-2004-x64

10

6817354347...3a.exe

windows10-2004-x64

10

753cdc12b9...91.exe

windows10-2004-x64

10

a4215d26b6...74.exe

windows10-2004-x64

10

a4375e040f...82.exe

windows10-2004-x64

10

a619ae77d5...2e.exe

windows10-2004-x64

10

aaab139650...12.exe

windows10-2004-x64

10

aefec08eba...49.exe

windows10-2004-x64

10

d12f5fa25c...70.exe

windows10-2004-x64

7

e5b42981fd...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f.exe

  • Size

    421KB

  • MD5

    f43e85202791e82c59b8e07f76dabbfa

  • SHA1

    cf80bc8a656390e4e9ed061fd84a155f0665237f

  • SHA256

    620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f

  • SHA512

    5c8dd89131b27eb110b9ec35d7e0686c7cffed62d4257d0d506d93154eeacc0f8e14733ba4ebc4a5616e7c1fff02cbdc52eaa6f1e662ec857d94532084b360ff

  • SSDEEP

    12288:YMrhy90F+08qFUvu2hyW1eKFnTA9BKXjEARJfz7IU:pyX08qF32lIKFLEAl

Score
10/10
mysticpersistencestealer

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f.exe
    "C:\Users\Admin\AppData\Local\Temp\620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:352
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Ic30sc1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Ic30sc1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2208
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Zy3291.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Zy3291.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:4864
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 592
          3⤵
          • Program crash
          PID:4292
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4216,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=3768 /prefetch:8
      1⤵
        PID:4224
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2776 -ip 2776
        1⤵
          PID:2940

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Ic30sc1.exe
          Filesize

          188KB

          MD5

          425e2a994509280a8c1e2812dfaad929

          SHA1

          4d5eff2fb3835b761e2516a873b537cbaacea1fe

          SHA256

          6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

          SHA512

          080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Zy3291.exe
          Filesize

          295KB

          MD5

          17cec2c047e194d91100a03fa021f5b5

          SHA1

          167b6ff24e18b97d4e3ed2f4c1e9e6caff3641c2

          SHA256

          74b604c56af61be45cb640201d9395ff20182a6d3ef69a6a0bfb43b314c2dff7

          SHA512

          c7b6e3e8ed08bf584df411cb453a3a232a830d8f5097aee6bcd0b7bf4adc49cdcdd0f3fbb0b66c193bb42bcc124f7a1c60dedb06710444ed1d98a902353c6eae

          Download Submit

        • memory/2208-12-0x0000000005100000-0x0000000005192000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2208-9-0x0000000074330000-0x0000000074AE0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2208-10-0x0000000004A50000-0x0000000004FF4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2208-11-0x00000000024B0000-0x00000000024CE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2208-8-0x0000000002390000-0x00000000023B0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2208-13-0x0000000074330000-0x0000000074AE0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2208-14-0x0000000074330000-0x0000000074AE0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2208-16-0x0000000074330000-0x0000000074AE0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2208-7-0x000000007433E000-0x000000007433F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4864-20-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4864-21-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4864-24-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4864-22-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download