mystic | 1fef7562aaf83984d6657afdeacb1ea72d9ec0258727d8af45430fcddce7c701

Analysis

max time kernel
126s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
05/10/2023, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fef7562aaf83984d6657afdeacb1ea72d9ec0258727d8af45430fcddce7c701.exe
Size

1.6MB
MD5

5667cf9c9a94cb24a78457560a0ab193
SHA1

7a12852fd5945db302dcbe8ba5ae03e7d77745e1
SHA256

1fef7562aaf83984d6657afdeacb1ea72d9ec0258727d8af45430fcddce7c701
SHA512

35a512a5ac865b7c58ffac9f7c8f131b50cb8c07d46b4d06f7bceed2306843256b7c225962ad437d1d26ef4e6ce1edd9b2c91d893ee6dd04ab923cb72b372c53
SSDEEP

24576:ayQyEsAsSNd85GWuKCDIRx3EoQxzdNfIVzKD8vPz3hLReCua0lkgAwMrPcgc:hQyq3TbehuhtIu4XbHgAf0g

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3208-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3208-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3208-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3208-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
4812	bi9Sw2ll.exe
4544	Mo1wl4mY.exe
3992	hM3ur0CC.exe
1412	kH5Or5Tv.exe
4168	1LK44TU8.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1fef7562aaf83984d6657afdeacb1ea72d9ec0258727d8af45430fcddce7c701.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bi9Sw2ll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Mo1wl4mY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hM3ur0CC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kH5Or5Tv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4168 set thread context of 3208	4168	1LK44TU8.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3396	4168	WerFault.exe	74
4016	3208	WerFault.exe	77

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 4812	4332	1fef7562aaf83984d6657afdeacb1ea72d9ec0258727d8af45430fcddce7c701.exe	70
PID 4332 wrote to memory of 4812	4332	1fef7562aaf83984d6657afdeacb1ea72d9ec0258727d8af45430fcddce7c701.exe	70
PID 4332 wrote to memory of 4812	4332	1fef7562aaf83984d6657afdeacb1ea72d9ec0258727d8af45430fcddce7c701.exe	70
PID 4812 wrote to memory of 4544	4812	bi9Sw2ll.exe	71
PID 4812 wrote to memory of 4544	4812	bi9Sw2ll.exe	71
PID 4812 wrote to memory of 4544	4812	bi9Sw2ll.exe	71
PID 4544 wrote to memory of 3992	4544	Mo1wl4mY.exe	72
PID 4544 wrote to memory of 3992	4544	Mo1wl4mY.exe	72
PID 4544 wrote to memory of 3992	4544	Mo1wl4mY.exe	72
PID 3992 wrote to memory of 1412	3992	hM3ur0CC.exe	73
PID 3992 wrote to memory of 1412	3992	hM3ur0CC.exe	73
PID 3992 wrote to memory of 1412	3992	hM3ur0CC.exe	73
PID 1412 wrote to memory of 4168	1412	kH5Or5Tv.exe	74
PID 1412 wrote to memory of 4168	1412	kH5Or5Tv.exe	74
PID 1412 wrote to memory of 4168	1412	kH5Or5Tv.exe	74
PID 4168 wrote to memory of 3736	4168	1LK44TU8.exe	75
PID 4168 wrote to memory of 3736	4168	1LK44TU8.exe	75
PID 4168 wrote to memory of 3736	4168	1LK44TU8.exe	75
PID 4168 wrote to memory of 3768	4168	1LK44TU8.exe	76
PID 4168 wrote to memory of 3768	4168	1LK44TU8.exe	76
PID 4168 wrote to memory of 3768	4168	1LK44TU8.exe	76
PID 4168 wrote to memory of 3208	4168	1LK44TU8.exe	77
PID 4168 wrote to memory of 3208	4168	1LK44TU8.exe	77
PID 4168 wrote to memory of 3208	4168	1LK44TU8.exe	77
PID 4168 wrote to memory of 3208	4168	1LK44TU8.exe	77
PID 4168 wrote to memory of 3208	4168	1LK44TU8.exe	77
PID 4168 wrote to memory of 3208	4168	1LK44TU8.exe	77
PID 4168 wrote to memory of 3208	4168	1LK44TU8.exe	77
PID 4168 wrote to memory of 3208	4168	1LK44TU8.exe	77
PID 4168 wrote to memory of 3208	4168	1LK44TU8.exe	77
PID 4168 wrote to memory of 3208	4168	1LK44TU8.exe	77

C:\Users\Admin\AppData\Local\Temp\1fef7562aaf83984d6657afdeacb1ea72d9ec0258727d8af45430fcddce7c701.exe
"C:\Users\Admin\AppData\Local\Temp\1fef7562aaf83984d6657afdeacb1ea72d9ec0258727d8af45430fcddce7c701.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi9Sw2ll.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi9Sw2ll.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mo1wl4mY.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mo1wl4mY.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hM3ur0CC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hM3ur0CC.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kH5Or5Tv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kH5Or5Tv.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LK44TU8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LK44TU8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 568
        8⤵
        Program crash
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 588
        7⤵
        Program crash
        
        PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi9Sw2ll.exe

Filesize
1.5MB

MD5
7a091baabf0fdcbaf753812e9865e158

SHA1
9cf14f4159d6ed2c2337ccdf66f52bada9402ea4

SHA256
2c24f17109f4301de68dac6acbc87a1f62ddf73100a962bb29d64a0b4f72d245

SHA512
f74164d4d9a5676d4547f4f137c4c92bb0c9f3db42921606aa21c15f2c17f19c65bfce9c256b77295b9ea3f0ac3fb74b0c0e4e15f57fd66e618f49cb0ce83f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bi9Sw2ll.exe

Filesize
1.5MB

MD5
7a091baabf0fdcbaf753812e9865e158

SHA1
9cf14f4159d6ed2c2337ccdf66f52bada9402ea4

SHA256
2c24f17109f4301de68dac6acbc87a1f62ddf73100a962bb29d64a0b4f72d245

SHA512
f74164d4d9a5676d4547f4f137c4c92bb0c9f3db42921606aa21c15f2c17f19c65bfce9c256b77295b9ea3f0ac3fb74b0c0e4e15f57fd66e618f49cb0ce83f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mo1wl4mY.exe

Filesize
1.3MB

MD5
e33aea1b241d50caa5359db0ca204834

SHA1
84c23a1846c22b8bfeade725b8d6449a935eccf6

SHA256
e4da53d9a98527834d882eb85882a67fcb7bb7a0e93da80a823aec8ba44d8eee

SHA512
e028cf955ed86988573bbf0eecb76ed47c42ee801ad8fd227fa8348bb31fdc5c55c99b682f781e3ce05d245b7f2d8c7e31a499e3d95d4d80feec3e32c5aeec07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Mo1wl4mY.exe

Filesize
1.3MB

MD5
e33aea1b241d50caa5359db0ca204834

SHA1
84c23a1846c22b8bfeade725b8d6449a935eccf6

SHA256
e4da53d9a98527834d882eb85882a67fcb7bb7a0e93da80a823aec8ba44d8eee

SHA512
e028cf955ed86988573bbf0eecb76ed47c42ee801ad8fd227fa8348bb31fdc5c55c99b682f781e3ce05d245b7f2d8c7e31a499e3d95d4d80feec3e32c5aeec07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hM3ur0CC.exe

Filesize
824KB

MD5
058faedac803c5ae8f9681cd464a2bb9

SHA1
4881512fbc459ed92db57c4e1334cb7f6e2424d9

SHA256
4cd3bae406daa62561882ad6f11869863c0d68bff6d1d5b4d7555c0525b8f014

SHA512
30a49c560912b214c425948e6d369e4c483e5b791105767833d914fa387787fe85e336337a5070b54c76f8118c2b99afe9973184f2374cd304d0ac5cfdac0061

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hM3ur0CC.exe

Filesize
824KB

MD5
058faedac803c5ae8f9681cd464a2bb9

SHA1
4881512fbc459ed92db57c4e1334cb7f6e2424d9

SHA256
4cd3bae406daa62561882ad6f11869863c0d68bff6d1d5b4d7555c0525b8f014

SHA512
30a49c560912b214c425948e6d369e4c483e5b791105767833d914fa387787fe85e336337a5070b54c76f8118c2b99afe9973184f2374cd304d0ac5cfdac0061

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kH5Or5Tv.exe

Filesize
651KB

MD5
59ac8995ae81266e5a49d5742c58ac46

SHA1
87d89f02969135620ad06692e7b014cfc186867a

SHA256
1505b545e974fb24ef7874f47ce901d1ce6ceac640fbea7c4e6cfa94d51d505a

SHA512
b1116ccdd00dd4e626db6211353e672253565a09968478a8f41f62c0ff9ef185516cfaf45f312c6f968805e6aec3657fc287e5656cdcbd459cd64fa07f5e3c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kH5Or5Tv.exe

Filesize
651KB

MD5
59ac8995ae81266e5a49d5742c58ac46

SHA1
87d89f02969135620ad06692e7b014cfc186867a

SHA256
1505b545e974fb24ef7874f47ce901d1ce6ceac640fbea7c4e6cfa94d51d505a

SHA512
b1116ccdd00dd4e626db6211353e672253565a09968478a8f41f62c0ff9ef185516cfaf45f312c6f968805e6aec3657fc287e5656cdcbd459cd64fa07f5e3c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LK44TU8.exe

Filesize
1.7MB

MD5
f98919bc421d28ddf114215bf823a90e

SHA1
f42af48b7a59ebbd12d26566bcae2ea42108d352

SHA256
4f55819c07a90640b1f2f5db96092f78b241c0813c5bb191d2d499e1ec306417

SHA512
eb206787bdfd9072de6019bee12ba32936d8dc9bdfd7a6fe7b7f24cc4c2d748e268dde0a18a69c8d1fd0de08722c08a6918ea797ad60b9ac149c9078af8e225c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LK44TU8.exe

Filesize
1.7MB

MD5
f98919bc421d28ddf114215bf823a90e

SHA1
f42af48b7a59ebbd12d26566bcae2ea42108d352

SHA256
4f55819c07a90640b1f2f5db96092f78b241c0813c5bb191d2d499e1ec306417

SHA512
eb206787bdfd9072de6019bee12ba32936d8dc9bdfd7a6fe7b7f24cc4c2d748e268dde0a18a69c8d1fd0de08722c08a6918ea797ad60b9ac149c9078af8e225c

Download Submit
memory/3208-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3208-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3208-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3208-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads