Overview

overview

10

Static

static

3

028b296453...a5.exe

windows10-2004-x64

10

0ebae60c47...a6.exe

windows10-2004-x64

10

3ae03a392f...c7.exe

windows10-2004-x64

10

49eb2b419a...61.exe

windows7-x64

10

49eb2b419a...61.exe

windows10-2004-x64

10

4bb1d789df...b2.exe

windows10-2004-x64

10

4c0305778b...7c.exe

windows10-2004-x64

10

56d014c086...70.exe

windows10-2004-x64

10

64572328af...7c.exe

windows10-2004-x64

10

68546b0231...3b.exe

windows10-2004-x64

10

756d67f0f1...0a.exe

windows10-2004-x64

10

88fc008066...39.exe

windows7-x64

10

88fc008066...39.exe

windows10-2004-x64

10

8ab296834f...ad.exe

windows10-2004-x64

10

903d5eea2e...ff.exe

windows10-2004-x64

10

a667459185...08.exe

windows10-2004-x64

10

b42e87afb8...84.exe

windows10-2004-x64

10

cdc820df4b...04.exe

windows10-2004-x64

10

d52db86881...86.exe

windows10-2004-x64

10

e17fa1b4c1...2e.exe

windows10-2004-x64

10

f068aa20f8...e6.exe

windows10-2004-x64

7

f3bbfb34ef...1c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/05/2024, 10:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0ebae60c4738b797211b088ef84ba987010e206b4ac1f1d015c690be92c7aea6.exe

  • Size

    621KB

  • MD5

    71994583d724e9b766bfd6c77cb0b4ec

  • SHA1

    590d62cc692718fc060033759f5baa542b29f78f

  • SHA256

    0ebae60c4738b797211b088ef84ba987010e206b4ac1f1d015c690be92c7aea6

  • SHA512

    e5b2f636942ffc11ac2222247f6974dd1b4907d7e8c0c89b421b5ec00623fefa2b5769ee8ff5df135747100fdfe7ab77b17b3b637b60d177ed660cc4f38db2b8

  • SSDEEP

    12288:tMrYy90Jk8gapGMsd3dp9vSEF6v3wGrcc6ZgdlTvVfo2fREdCaGj:tyx8gaY33j9v76v3wGrr6ZgdlTBFREYh

Score
10/10
mysticpersistencestealer

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ebae60c4738b797211b088ef84ba987010e206b4ac1f1d015c690be92c7aea6.exe
    "C:\Users\Admin\AppData\Local\Temp\0ebae60c4738b797211b088ef84ba987010e206b4ac1f1d015c690be92c7aea6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1kp43Yd2.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1kp43Yd2.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4588
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Sx0417.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Sx0417.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:2704
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:1772
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2808 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:3912

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1kp43Yd2.exe
                Filesize

                195KB

                MD5

                7f726f7dac36a27880ea545866534dda

                SHA1

                a644a86f8ffe8497101eb2c8ef69b859fb51119d

                SHA256

                7d8062c6ae88e04ecadb6f8eb85e1d77caba2cb70fed241f04454fd5d70ced2a

                SHA512

                8d8216a173bf1b498e5bf6d9292b05cd27b913c3203e296d55b169a1980bc38d8589bdb3e88a685a238183a60b8e86049cf280dd47143445c1ba5b6d287c2775

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Sx0417.exe
                Filesize

                1.1MB

                MD5

                6ef68ec5b2d91cbc9c66fa0553e527ec

                SHA1

                8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

                SHA256

                8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

                SHA512

                1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

                Download Submit

              • memory/1772-24-0x0000000000400000-0x0000000000432000-memory.dmp

                Filesize

                200KB

                Download

              • memory/1772-22-0x0000000000400000-0x0000000000432000-memory.dmp

                Filesize

                200KB

                Download

              • memory/1772-21-0x0000000000400000-0x0000000000432000-memory.dmp

                Filesize

                200KB

                Download

              • memory/1772-20-0x0000000000400000-0x0000000000432000-memory.dmp

                Filesize

                200KB

                Download

              • memory/4588-12-0x00000000049C0000-0x0000000004F64000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/4588-13-0x0000000004990000-0x00000000049AE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/4588-14-0x0000000005070000-0x0000000005102000-memory.dmp

                Filesize

                584KB

                Download

              • memory/4588-16-0x0000000074560000-0x0000000074D10000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4588-11-0x0000000074560000-0x0000000074D10000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4588-10-0x0000000074560000-0x0000000074D10000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4588-9-0x0000000002380000-0x00000000023A0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/4588-8-0x0000000074560000-0x0000000074D10000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4588-7-0x000000007456E000-0x000000007456F000-memory.dmp

                Filesize

                4KB

                Download