mystic | b0507884a1559964533bcd1cd0b136dfe32931de579e31b72d18c18d23e9ff43

Analysis

max time kernel
71s
max time network
77s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
05-10-2023 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0507884a1559964533bcd1cd0b136dfe32931de579e31b72d18c18d23e9ff43.exe
Size

1.6MB
MD5

fb50c7c314449dca7c8724bca38abdea
SHA1

de5371de7075b4f317b3e5cd8e749871ff571af9
SHA256

b0507884a1559964533bcd1cd0b136dfe32931de579e31b72d18c18d23e9ff43
SHA512

7f10e8ab010ad0ce86c616de8f9f23f434707c9d6bd5defdb7f6c8922f05c174d3a15e37d6a90f6b7eeb7d0f4e68384c01a70d764e7c3e983e24a54a441374f1
SSDEEP

49152:/0trSVk2OCVejohxDeKQxOSlCkLHZJDgzh0kzE0SXbnp:MtrSVTgjozgmO5J2hw06Tp

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1148-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1148-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1148-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1148-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
5088	hD3VO3fN.exe
2748	qK0fs4Xj.exe
2980	GI5hz0GX.exe
316	Id5tf8Aq.exe
2596	1AS88qo9.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	GI5hz0GX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Id5tf8Aq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b0507884a1559964533bcd1cd0b136dfe32931de579e31b72d18c18d23e9ff43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hD3VO3fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qK0fs4Xj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 1148	2596	1AS88qo9.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1612	2596	WerFault.exe	74
1080	1148	WerFault.exe	75

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 5088	4148	b0507884a1559964533bcd1cd0b136dfe32931de579e31b72d18c18d23e9ff43.exe	70
PID 4148 wrote to memory of 5088	4148	b0507884a1559964533bcd1cd0b136dfe32931de579e31b72d18c18d23e9ff43.exe	70
PID 4148 wrote to memory of 5088	4148	b0507884a1559964533bcd1cd0b136dfe32931de579e31b72d18c18d23e9ff43.exe	70
PID 5088 wrote to memory of 2748	5088	hD3VO3fN.exe	71
PID 5088 wrote to memory of 2748	5088	hD3VO3fN.exe	71
PID 5088 wrote to memory of 2748	5088	hD3VO3fN.exe	71
PID 2748 wrote to memory of 2980	2748	qK0fs4Xj.exe	72
PID 2748 wrote to memory of 2980	2748	qK0fs4Xj.exe	72
PID 2748 wrote to memory of 2980	2748	qK0fs4Xj.exe	72
PID 2980 wrote to memory of 316	2980	GI5hz0GX.exe	73
PID 2980 wrote to memory of 316	2980	GI5hz0GX.exe	73
PID 2980 wrote to memory of 316	2980	GI5hz0GX.exe	73
PID 316 wrote to memory of 2596	316	Id5tf8Aq.exe	74
PID 316 wrote to memory of 2596	316	Id5tf8Aq.exe	74
PID 316 wrote to memory of 2596	316	Id5tf8Aq.exe	74
PID 2596 wrote to memory of 1148	2596	1AS88qo9.exe	75
PID 2596 wrote to memory of 1148	2596	1AS88qo9.exe	75
PID 2596 wrote to memory of 1148	2596	1AS88qo9.exe	75
PID 2596 wrote to memory of 1148	2596	1AS88qo9.exe	75
PID 2596 wrote to memory of 1148	2596	1AS88qo9.exe	75
PID 2596 wrote to memory of 1148	2596	1AS88qo9.exe	75
PID 2596 wrote to memory of 1148	2596	1AS88qo9.exe	75
PID 2596 wrote to memory of 1148	2596	1AS88qo9.exe	75
PID 2596 wrote to memory of 1148	2596	1AS88qo9.exe	75
PID 2596 wrote to memory of 1148	2596	1AS88qo9.exe	75

C:\Users\Admin\AppData\Local\Temp\b0507884a1559964533bcd1cd0b136dfe32931de579e31b72d18c18d23e9ff43.exe
"C:\Users\Admin\AppData\Local\Temp\b0507884a1559964533bcd1cd0b136dfe32931de579e31b72d18c18d23e9ff43.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hD3VO3fN.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hD3VO3fN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qK0fs4Xj.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qK0fs4Xj.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GI5hz0GX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GI5hz0GX.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Id5tf8Aq.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Id5tf8Aq.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AS88qo9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AS88qo9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 568
        8⤵
        Program crash
        
        PID:1080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 560
        7⤵
        Program crash
        
        PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hD3VO3fN.exe

Filesize
1.5MB

MD5
8ec093ea0267d59893b82193de8152a3

SHA1
fc39a3e84ed8a5671c568e2c63da1d278032d37e

SHA256
26debed38e8eb70d9725924c6bcee8615259c7e89d3eec56b79c76f10bc988db

SHA512
69f920fae7dfd95b0ba0f1469b8d0d82ac25201872756a81d6cd0ced354083ba5675a4d6c8cc2deb92b39579133fcc669cf24b2dff277a32d2581d31dfe3c32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hD3VO3fN.exe

Filesize
1.5MB

MD5
8ec093ea0267d59893b82193de8152a3

SHA1
fc39a3e84ed8a5671c568e2c63da1d278032d37e

SHA256
26debed38e8eb70d9725924c6bcee8615259c7e89d3eec56b79c76f10bc988db

SHA512
69f920fae7dfd95b0ba0f1469b8d0d82ac25201872756a81d6cd0ced354083ba5675a4d6c8cc2deb92b39579133fcc669cf24b2dff277a32d2581d31dfe3c32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qK0fs4Xj.exe

Filesize
1.3MB

MD5
7d093113573c704cd6aa53928440a7ad

SHA1
78f4923275999397c569064be7282a4bbf7d6996

SHA256
7c551c95e3c21404e8f8ac37d48c861cdac63fb3f8c6cd3a3275f462001ce0b2

SHA512
3e0610717bcf58ace6ca7b437abe3bc8bb2d94b6a64a8761b5e9cda133470f58276cdbc4e6ae125573d2eb529bf98d9deeb9fcccd6c5c59ac6dc432d022d56a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qK0fs4Xj.exe

Filesize
1.3MB

MD5
7d093113573c704cd6aa53928440a7ad

SHA1
78f4923275999397c569064be7282a4bbf7d6996

SHA256
7c551c95e3c21404e8f8ac37d48c861cdac63fb3f8c6cd3a3275f462001ce0b2

SHA512
3e0610717bcf58ace6ca7b437abe3bc8bb2d94b6a64a8761b5e9cda133470f58276cdbc4e6ae125573d2eb529bf98d9deeb9fcccd6c5c59ac6dc432d022d56a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GI5hz0GX.exe

Filesize
824KB

MD5
1274833d2c454b927510ff1de8d7b53c

SHA1
7e566e27ef7b26db0adf6bf790a6caea31c60dfc

SHA256
17824418d4a1b0a0a3c7163fe67d0fdc07d61638d8905fa7c38cb5643fe91a44

SHA512
1c4f680df409af4fd9779e1dfbb9a62f21b8d9873238ca757f1a9095099a349841336fd35d1cf23ae9c627301c80d612188f037a87cf2426fd291f8275db67fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GI5hz0GX.exe

Filesize
824KB

MD5
1274833d2c454b927510ff1de8d7b53c

SHA1
7e566e27ef7b26db0adf6bf790a6caea31c60dfc

SHA256
17824418d4a1b0a0a3c7163fe67d0fdc07d61638d8905fa7c38cb5643fe91a44

SHA512
1c4f680df409af4fd9779e1dfbb9a62f21b8d9873238ca757f1a9095099a349841336fd35d1cf23ae9c627301c80d612188f037a87cf2426fd291f8275db67fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Id5tf8Aq.exe

Filesize
651KB

MD5
76a85b575b2188b017064023f031b47b

SHA1
b866af6ecbd44ca2fd59f9428354895da63a705e

SHA256
6d3ff767dc4bfd7295001aadf838a4fb9018b86030ccb794760c83d8bc00371f

SHA512
87f87a5991befe72295146d0b67e61b8ccd54eefe2abb2d814c1e817eff28ea451ee5c2fa7f3f779582d756b6c1d0e450c89ff1143f12d0c3811787ea6af2320

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Id5tf8Aq.exe

Filesize
651KB

MD5
76a85b575b2188b017064023f031b47b

SHA1
b866af6ecbd44ca2fd59f9428354895da63a705e

SHA256
6d3ff767dc4bfd7295001aadf838a4fb9018b86030ccb794760c83d8bc00371f

SHA512
87f87a5991befe72295146d0b67e61b8ccd54eefe2abb2d814c1e817eff28ea451ee5c2fa7f3f779582d756b6c1d0e450c89ff1143f12d0c3811787ea6af2320

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AS88qo9.exe

Filesize
1.7MB

MD5
e2baf0e4cb7897c97f260db69208af8e

SHA1
c9ecc50df1e7e709943fc95b5dbeec1fc5bbaa85

SHA256
1d1dd9bed845a71f0b71e22efb380c4d4ac176ad88bb111c4decdd76f7c16f94

SHA512
0f58b13b982c180a335c77b7de1f6511a5e9293522701d0cfff463944f4ce7e62ef29e99d81bc57010813f92b038b9a3d2a5f17c9bd02489baa8b93102badf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AS88qo9.exe

Filesize
1.7MB

MD5
e2baf0e4cb7897c97f260db69208af8e

SHA1
c9ecc50df1e7e709943fc95b5dbeec1fc5bbaa85

SHA256
1d1dd9bed845a71f0b71e22efb380c4d4ac176ad88bb111c4decdd76f7c16f94

SHA512
0f58b13b982c180a335c77b7de1f6511a5e9293522701d0cfff463944f4ce7e62ef29e99d81bc57010813f92b038b9a3d2a5f17c9bd02489baa8b93102badf7e

Download Submit
memory/1148-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1148-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1148-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1148-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads