mystic | c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe
Size

255KB
MD5

6f76852a6702355af9b6398c142071b6
SHA1

a113cd21cbd3c9cb30986ace53e016f2714f01ea
SHA256

c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e
SHA512

e441194a66e1ee656ff8c47be7d6fa85cd870e8bebf4c2f96a6642e7abefae6f65a20eec06b6eee964c9fae94ce01f77bb3132ced2d4a3b56416b2e65c5348b0
SSDEEP

3072:Z2Ij7IGFs5fYJHQWU+CP7xJt1DrMw33+8v7tkkcoDl2Sg+FoS8eRoi5hT0:UIj7/wsU+O6wu8vqkzJ5rXDRe

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/3056-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3056-31-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3056-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3056-34-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3056-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
1660	1941376252.exe
1004	0884567633.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 3056	1660	1941376252.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
924	4768	WerFault.exe	82

Kills process with taskkill 1 IoCs

evasion

pid	Process
2468	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	1941376252.exe
Token: SeDebugPrivilege	2468	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 3812	4768	c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe	97
PID 4768 wrote to memory of 3812	4768	c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe	97
PID 4768 wrote to memory of 3812	4768	c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe	97
PID 3812 wrote to memory of 1660	3812	cmd.exe	100
PID 3812 wrote to memory of 1660	3812	cmd.exe	100
PID 3812 wrote to memory of 1660	3812	cmd.exe	100
PID 4768 wrote to memory of 3168	4768	c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe	102
PID 4768 wrote to memory of 3168	4768	c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe	102
PID 4768 wrote to memory of 3168	4768	c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe	102
PID 3168 wrote to memory of 1004	3168	cmd.exe	103
PID 3168 wrote to memory of 1004	3168	cmd.exe	103
PID 3168 wrote to memory of 1004	3168	cmd.exe	103
PID 4768 wrote to memory of 1944	4768	c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe	104
PID 4768 wrote to memory of 1944	4768	c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe	104
PID 4768 wrote to memory of 1944	4768	c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe	104
PID 1944 wrote to memory of 2468	1944	cmd.exe	107
PID 1944 wrote to memory of 2468	1944	cmd.exe	107
PID 1944 wrote to memory of 2468	1944	cmd.exe	107
PID 1660 wrote to memory of 3056	1660	1941376252.exe	109
PID 1660 wrote to memory of 3056	1660	1941376252.exe	109
PID 1660 wrote to memory of 3056	1660	1941376252.exe	109
PID 1660 wrote to memory of 3056	1660	1941376252.exe	109
PID 1660 wrote to memory of 3056	1660	1941376252.exe	109
PID 1660 wrote to memory of 3056	1660	1941376252.exe	109
PID 1660 wrote to memory of 3056	1660	1941376252.exe	109
PID 1660 wrote to memory of 3056	1660	1941376252.exe	109
PID 1660 wrote to memory of 3056	1660	1941376252.exe	109
PID 1660 wrote to memory of 3056	1660	1941376252.exe	109

C:\Users\Admin\AppData\Local\Temp\c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1941376252.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\1941376252.exe
    "C:\Users\Admin\AppData\Local\Temp\1941376252.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      PID:3056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0884567633.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\0884567633.exe
    "C:\Users\Admin\AppData\Local\Temp\0884567633.exe"
    3⤵
    - Executes dropped EXE
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "c94bfde9273452a5a07501403d1ee7a98d21b7b829860504855e1abccba46f8e_JC.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1480
  2⤵
  - Program crash
  PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4768 -ip 4768
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0884567633.exe

Filesize
243KB

MD5
8c70a0939fc6c14a23b69cbb81a2c0cf

SHA1
bc6f17b4bb478800abe9f9e97ded138cefa79e83

SHA256
7bee27d079d83f067c4ae534a281959788b85ca8fc6db7ea10c31db2ffcadaff

SHA512
5e217686f25fb670b762b222289f1338587b1548f56a934ebdc0ad4ee9219ca2b496cf5b134d23492aace091ce7e97d86bd09614dd5db5e09550f8dfdc3bb5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0884567633.exe

Filesize
243KB

MD5
8c70a0939fc6c14a23b69cbb81a2c0cf

SHA1
bc6f17b4bb478800abe9f9e97ded138cefa79e83

SHA256
7bee27d079d83f067c4ae534a281959788b85ca8fc6db7ea10c31db2ffcadaff

SHA512
5e217686f25fb670b762b222289f1338587b1548f56a934ebdc0ad4ee9219ca2b496cf5b134d23492aace091ce7e97d86bd09614dd5db5e09550f8dfdc3bb5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1941376252.exe

Filesize
3.5MB

MD5
62dbbf519f3e5a050badfb02cab4652c

SHA1
ab296e6388abea10bf2dfb13007eea8807c30714

SHA256
5180793f854fe1852fc1a58a01fa50528c7689a9e24f0cb84419e862eca02ed4

SHA512
e9fee3a72f4c3ab23ba209eab71a6b8ba840f5cbe4ad6bb7b82632a7a793042948c49339fc116b37a9441a18dfd33748988dbd5e7fdc7dc23bb2de04d1d05653

Download Submit
C:\Users\Admin\AppData\Local\Temp\1941376252.exe

Filesize
3.5MB

MD5
62dbbf519f3e5a050badfb02cab4652c

SHA1
ab296e6388abea10bf2dfb13007eea8807c30714

SHA256
5180793f854fe1852fc1a58a01fa50528c7689a9e24f0cb84419e862eca02ed4

SHA512
e9fee3a72f4c3ab23ba209eab71a6b8ba840f5cbe4ad6bb7b82632a7a793042948c49339fc116b37a9441a18dfd33748988dbd5e7fdc7dc23bb2de04d1d05653

Download Submit
memory/1660-26-0x0000000005B20000-0x0000000005B42000-memory.dmp

Filesize
136KB

Download
memory/1660-33-0x00000000737B0000-0x0000000073F60000-memory.dmp

Filesize
7.7MB

Download
memory/1660-28-0x0000000005CB0000-0x0000000005DDE000-memory.dmp

Filesize
1.2MB

Download
memory/1660-27-0x0000000077CB1000-0x0000000077CB2000-memory.dmp

Filesize
4KB

Download
memory/1660-15-0x00000000737B0000-0x0000000073F60000-memory.dmp

Filesize
7.7MB

Download
memory/1660-16-0x0000000000920000-0x0000000000CAE000-memory.dmp

Filesize
3.6MB

Download
memory/1660-21-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/1660-22-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/3056-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4768-24-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/4768-25-0x0000000000640000-0x000000000067E000-memory.dmp

Filesize
248KB

Download
memory/4768-23-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/4768-11-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/4768-3-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/4768-1-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/4768-2-0x0000000000640000-0x000000000067E000-memory.dmp

Filesize
248KB

Download