Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2024 01:39
Static task: static1
Behavioral task: behavioral1
  Sample: 07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe
  Resource: win7-20241010-en
General
- Target: 07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe
- Size: 1.2MB
- MD5: afa8c1e73c3d66f5e35b9bb18dfa371a
- SHA1: f124b5815eeb0e8e5228a7e379ce78f38958d426
- SHA256: 07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3
- SHA512: 60e493e10252161e7950e133a5432ef2f6c554711fd664f0ec2836601e2e659e7b19432e5ffcad4bf5299fd4678611fa209c6a497e39de1da38ffaaaa8a6acdf
- SSDEEP: 24576:a683nkpw/6Ds2B6yxBNkMsNkaWNJv+E5C6rEbl:aznkpVDs2nQM4kaWNJv+E5C6rEbl
Malware Config
Signatures
-
Detect Mystic stealer payload (5 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1444-13-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family
  behavioral1/memory/1444-11-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family
  behavioral1/memory/1444-10-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family
  behavioral1/memory/1444-9-0x0000000000400000-0x0000000000433000-memory.dmp   mystic_family
  behavioral1/memory/1444-16-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family
-
Mystic family
-
Executes dropped EXE (1 IoCs)
  pid   Process
  1444  硺䕢䕅儴坅䕅
-
Loads dropped DLL (7 IoCs)
  pid   Process
  2824  WerFault.exe
  2824  WerFault.exe
  2824  WerFault.exe
  2824  WerFault.exe
  2824  WerFault.exe
  2824  WerFault.exe
  2824  WerFault.exe
-
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 2620 set thread context of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
-
Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2824  1444        WerFault.exe  32
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  硺䕢䕅儴坅䕅
Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 2620 wrote to memory of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
  PID 2620 wrote to memory of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
  PID 2620 wrote to memory of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
  PID 2620 wrote to memory of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
  PID 2620 wrote to memory of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
  PID 2620 wrote to memory of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
  PID 2620 wrote to memory of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
  PID 2620 wrote to memory of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
  PID 2620 wrote to memory of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
  PID 2620 wrote to memory of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
  PID 2620 wrote to memory of 1444  2620  07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe  32
  PID 1444 wrote to memory of 2824  1444  硺䕢䕅儴坅䕅                                                              33
  PID 1444 wrote to memory of 2824  1444  硺䕢䕅儴坅䕅                                                              33
  PID 1444 wrote to memory of 2824  1444  硺䕢䕅儴坅䕅                                                              33
  PID 1444 wrote to memory of 2824  1444  硺䕢䕅儴坅䕅                                                              33
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\07b63c04cd2b6532b892368ef2b393b6b02f9ba659265c6efb3f81a1ac5089f3.exe"
   PID: 2620
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\硺䕢䕅儴坅䕅
      Command line: "C:\Users\Admin\AppData\Local\Temp\硺䕢䕅儴坅䕅"
      PID: 1444
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 36
         PID: 2824
         - Loads dropped DLL
         - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 38KB
- MD5: 3992f464696b0eeff236aef93b1fdbd5
- SHA1: 8dddabaea6b342efc4f5b244420a0af055ae691e
- SHA256: 0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14
- SHA512: 27a63b43dc50faf4d9b06e10daa15e83dfb3f3be1bd3af83ea6990bd8ae6d3a6a7fc2f928822db972aaf1305970f4587d768d68cd7e1124bc8f710c1d3ee19a6