mystic | 37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 19:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe
Size

252KB
MD5

925b64623f850080a82fad73378518b4
SHA1

aeafb33ad71f79625dec7fbdc58888e4b5ea8e4b
SHA256

37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461
SHA512

d60f0c3be608dbca4b5a59e95c5dea3c50a73094f804ba1876d04c6d96befd02030e7bfd968aea48f031cfb08212fc86ade7aee63a3e1401bd00cc5cd64457f3
SSDEEP

6144:huXEdtgwbr0HfMYhalswyHJmIIOADaoTIS:cXmtgwbr0HfMYhzv0KAe

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/908-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/908-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/908-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/908-33-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/908-34-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe

Executes dropped EXE 2 IoCs

pid	Process
3296	0324394433.exe
1756	2374094265.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3296 set thread context of 908	3296	0324394433.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2812	4708	WerFault.exe	84

Kills process with taskkill 1 IoCs

evasion

pid	Process
380	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3296	0324394433.exe
Token: SeDebugPrivilege	380	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 400	4708	37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe	93
PID 4708 wrote to memory of 400	4708	37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe	93
PID 4708 wrote to memory of 400	4708	37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe	93
PID 400 wrote to memory of 3296	400	cmd.exe	95
PID 400 wrote to memory of 3296	400	cmd.exe	95
PID 400 wrote to memory of 3296	400	cmd.exe	95
PID 4708 wrote to memory of 2144	4708	37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe	96
PID 4708 wrote to memory of 2144	4708	37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe	96
PID 4708 wrote to memory of 2144	4708	37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe	96
PID 2144 wrote to memory of 1756	2144	cmd.exe	98
PID 2144 wrote to memory of 1756	2144	cmd.exe	98
PID 2144 wrote to memory of 1756	2144	cmd.exe	98
PID 4708 wrote to memory of 2860	4708	37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe	101
PID 4708 wrote to memory of 2860	4708	37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe	101
PID 4708 wrote to memory of 2860	4708	37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe	101
PID 2860 wrote to memory of 380	2860	cmd.exe	104
PID 2860 wrote to memory of 380	2860	cmd.exe	104
PID 2860 wrote to memory of 380	2860	cmd.exe	104
PID 3296 wrote to memory of 908	3296	0324394433.exe	106
PID 3296 wrote to memory of 908	3296	0324394433.exe	106
PID 3296 wrote to memory of 908	3296	0324394433.exe	106
PID 3296 wrote to memory of 908	3296	0324394433.exe	106
PID 3296 wrote to memory of 908	3296	0324394433.exe	106
PID 3296 wrote to memory of 908	3296	0324394433.exe	106
PID 3296 wrote to memory of 908	3296	0324394433.exe	106
PID 3296 wrote to memory of 908	3296	0324394433.exe	106
PID 3296 wrote to memory of 908	3296	0324394433.exe	106
PID 3296 wrote to memory of 908	3296	0324394433.exe	106

C:\Users\Admin\AppData\Local\Temp\37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe
"C:\Users\Admin\AppData\Local\Temp\37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0324394433.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\0324394433.exe
    "C:\Users\Admin\AppData\Local\Temp\0324394433.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      PID:908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\2374094265.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\2374094265.exe
    "C:\Users\Admin\AppData\Local\Temp\2374094265.exe"
    3⤵
    - Executes dropped EXE
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "37f0da8ebe6ef869b979da6fca09989282809f6ea0995c13af2474a96d4ca461.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1460
  2⤵
  - Program crash
  PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4708 -ip 4708
1⤵
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0324394433.exe

Filesize
3.5MB

MD5
62dbbf519f3e5a050badfb02cab4652c

SHA1
ab296e6388abea10bf2dfb13007eea8807c30714

SHA256
5180793f854fe1852fc1a58a01fa50528c7689a9e24f0cb84419e862eca02ed4

SHA512
e9fee3a72f4c3ab23ba209eab71a6b8ba840f5cbe4ad6bb7b82632a7a793042948c49339fc116b37a9441a18dfd33748988dbd5e7fdc7dc23bb2de04d1d05653

Download Submit
C:\Users\Admin\AppData\Local\Temp\0324394433.exe

Filesize
3.5MB

MD5
62dbbf519f3e5a050badfb02cab4652c

SHA1
ab296e6388abea10bf2dfb13007eea8807c30714

SHA256
5180793f854fe1852fc1a58a01fa50528c7689a9e24f0cb84419e862eca02ed4

SHA512
e9fee3a72f4c3ab23ba209eab71a6b8ba840f5cbe4ad6bb7b82632a7a793042948c49339fc116b37a9441a18dfd33748988dbd5e7fdc7dc23bb2de04d1d05653

Download Submit
C:\Users\Admin\AppData\Local\Temp\2374094265.exe

Filesize
243KB

MD5
8c70a0939fc6c14a23b69cbb81a2c0cf

SHA1
bc6f17b4bb478800abe9f9e97ded138cefa79e83

SHA256
7bee27d079d83f067c4ae534a281959788b85ca8fc6db7ea10c31db2ffcadaff

SHA512
5e217686f25fb670b762b222289f1338587b1548f56a934ebdc0ad4ee9219ca2b496cf5b134d23492aace091ce7e97d86bd09614dd5db5e09550f8dfdc3bb5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2374094265.exe

Filesize
243KB

MD5
8c70a0939fc6c14a23b69cbb81a2c0cf

SHA1
bc6f17b4bb478800abe9f9e97ded138cefa79e83

SHA256
7bee27d079d83f067c4ae534a281959788b85ca8fc6db7ea10c31db2ffcadaff

SHA512
5e217686f25fb670b762b222289f1338587b1548f56a934ebdc0ad4ee9219ca2b496cf5b134d23492aace091ce7e97d86bd09614dd5db5e09550f8dfdc3bb5a9

Download Submit
memory/908-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/908-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/908-33-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/908-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/908-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3296-31-0x00000000736E0000-0x0000000073E90000-memory.dmp

Filesize
7.7MB

Download
memory/3296-18-0x0000000000710000-0x0000000000A9E000-memory.dmp

Filesize
3.6MB

Download
memory/3296-20-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/3296-22-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/3296-19-0x00000000736E0000-0x0000000073E90000-memory.dmp

Filesize
7.7MB

Download
memory/3296-25-0x0000000005A50000-0x0000000005A72000-memory.dmp

Filesize
136KB

Download
memory/3296-26-0x0000000077BE1000-0x0000000077BE2000-memory.dmp

Filesize
4KB

Download
memory/3296-27-0x0000000005BE0000-0x0000000005D0E000-memory.dmp

Filesize
1.2MB

Download
memory/4708-24-0x0000000002320000-0x000000000235E000-memory.dmp

Filesize
248KB

Download
memory/4708-1-0x0000000000780000-0x0000000000880000-memory.dmp

Filesize
1024KB

Download
memory/4708-14-0x0000000000780000-0x0000000000880000-memory.dmp

Filesize
1024KB

Download
memory/4708-4-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/4708-3-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download
memory/4708-2-0x0000000002320000-0x000000000235E000-memory.dmp

Filesize
248KB

Download
memory/4708-35-0x0000000000400000-0x00000000005B6000-memory.dmp

Filesize
1.7MB

Download