mystic | 9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b

Analysis

max time kernel
127s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
05/10/2023, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe
Size

255KB
MD5

9f7d6749bcf87c6ddec4ef05550e641b
SHA1

017b25ebad2127bf0cb212621a277303d82b27e4
SHA256

9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b
SHA512

d9474f5d315d6b4691df16407851d78286a4dd12807e39eff939f1998d5a9f4e237451706b94e05ed2cfd98eef85398a1e5824e840336b664b712c658ea20283
SSDEEP

3072:A/kI41pGijtsAIDBwce3LyskuXhYgDfBT03xrJUvLeNZPtr1FqFd5+J:IkI4OijFoiysfX1jBerELs

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/2124-27-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2124-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2124-33-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2124-34-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2124-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2056	4912589632.exe
2196	6198768319.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2124	2056	4912589632.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2356	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	4912589632.exe
Token: SeDebugPrivilege	2356	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4420	1300	9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe	70
PID 1300 wrote to memory of 4420	1300	9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe	70
PID 1300 wrote to memory of 4420	1300	9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe	70
PID 4420 wrote to memory of 2056	4420	cmd.exe	72
PID 4420 wrote to memory of 2056	4420	cmd.exe	72
PID 4420 wrote to memory of 2056	4420	cmd.exe	72
PID 1300 wrote to memory of 5020	1300	9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe	73
PID 1300 wrote to memory of 5020	1300	9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe	73
PID 1300 wrote to memory of 5020	1300	9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe	73
PID 5020 wrote to memory of 2196	5020	cmd.exe	75
PID 5020 wrote to memory of 2196	5020	cmd.exe	75
PID 5020 wrote to memory of 2196	5020	cmd.exe	75
PID 1300 wrote to memory of 3784	1300	9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe	76
PID 1300 wrote to memory of 3784	1300	9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe	76
PID 1300 wrote to memory of 3784	1300	9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe	76
PID 3784 wrote to memory of 2356	3784	cmd.exe	78
PID 3784 wrote to memory of 2356	3784	cmd.exe	78
PID 3784 wrote to memory of 2356	3784	cmd.exe	78
PID 2056 wrote to memory of 2124	2056	4912589632.exe	80
PID 2056 wrote to memory of 2124	2056	4912589632.exe	80
PID 2056 wrote to memory of 2124	2056	4912589632.exe	80
PID 2056 wrote to memory of 2124	2056	4912589632.exe	80
PID 2056 wrote to memory of 2124	2056	4912589632.exe	80
PID 2056 wrote to memory of 2124	2056	4912589632.exe	80
PID 2056 wrote to memory of 2124	2056	4912589632.exe	80
PID 2056 wrote to memory of 2124	2056	4912589632.exe	80
PID 2056 wrote to memory of 2124	2056	4912589632.exe	80
PID 2056 wrote to memory of 2124	2056	4912589632.exe	80

C:\Users\Admin\AppData\Local\Temp\9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe
"C:\Users\Admin\AppData\Local\Temp\9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4912589632.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\4912589632.exe
    "C:\Users\Admin\AppData\Local\Temp\4912589632.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\6198768319.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\6198768319.exe
    "C:\Users\Admin\AppData\Local\Temp\6198768319.exe"
    3⤵
    - Executes dropped EXE
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "9c31b04735d221cc58568777dac1328f7940674b72a305428847e070edde9b8b.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4912589632.exe

Filesize
3.5MB

MD5
62dbbf519f3e5a050badfb02cab4652c

SHA1
ab296e6388abea10bf2dfb13007eea8807c30714

SHA256
5180793f854fe1852fc1a58a01fa50528c7689a9e24f0cb84419e862eca02ed4

SHA512
e9fee3a72f4c3ab23ba209eab71a6b8ba840f5cbe4ad6bb7b82632a7a793042948c49339fc116b37a9441a18dfd33748988dbd5e7fdc7dc23bb2de04d1d05653

Download Submit
C:\Users\Admin\AppData\Local\Temp\4912589632.exe

Filesize
3.5MB

MD5
62dbbf519f3e5a050badfb02cab4652c

SHA1
ab296e6388abea10bf2dfb13007eea8807c30714

SHA256
5180793f854fe1852fc1a58a01fa50528c7689a9e24f0cb84419e862eca02ed4

SHA512
e9fee3a72f4c3ab23ba209eab71a6b8ba840f5cbe4ad6bb7b82632a7a793042948c49339fc116b37a9441a18dfd33748988dbd5e7fdc7dc23bb2de04d1d05653

Download Submit
C:\Users\Admin\AppData\Local\Temp\6198768319.exe

Filesize
243KB

MD5
8c70a0939fc6c14a23b69cbb81a2c0cf

SHA1
bc6f17b4bb478800abe9f9e97ded138cefa79e83

SHA256
7bee27d079d83f067c4ae534a281959788b85ca8fc6db7ea10c31db2ffcadaff

SHA512
5e217686f25fb670b762b222289f1338587b1548f56a934ebdc0ad4ee9219ca2b496cf5b134d23492aace091ce7e97d86bd09614dd5db5e09550f8dfdc3bb5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6198768319.exe

Filesize
243KB

MD5
8c70a0939fc6c14a23b69cbb81a2c0cf

SHA1
bc6f17b4bb478800abe9f9e97ded138cefa79e83

SHA256
7bee27d079d83f067c4ae534a281959788b85ca8fc6db7ea10c31db2ffcadaff

SHA512
5e217686f25fb670b762b222289f1338587b1548f56a934ebdc0ad4ee9219ca2b496cf5b134d23492aace091ce7e97d86bd09614dd5db5e09550f8dfdc3bb5a9

Download Submit
memory/1300-1-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/1300-2-0x0000000000750000-0x000000000078E000-memory.dmp

Filesize
248KB

Download
memory/1300-3-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1300-23-0x0000000000750000-0x000000000078E000-memory.dmp

Filesize
248KB

Download
memory/1300-22-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2056-21-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/2056-20-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/2056-18-0x0000000000FC0000-0x000000000134E000-memory.dmp

Filesize
3.6MB

Download
memory/2056-17-0x00000000722D0000-0x00000000729BE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-24-0x0000000006160000-0x0000000006182000-memory.dmp

Filesize
136KB

Download
memory/2056-25-0x000000007715F000-0x0000000077160000-memory.dmp

Filesize
4KB

Download
memory/2056-26-0x00000000062F0000-0x000000000641E000-memory.dmp

Filesize
1.2MB

Download
memory/2056-31-0x00000000722D0000-0x00000000729BE000-memory.dmp

Filesize
6.9MB

Download
memory/2124-27-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2124-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2124-33-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2124-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2124-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download