mystic | 7b6fd8ce809d795cf0fff65251257aa279cd0290a209724150e97c6cbc96a0c7

Analysis

max time kernel
71s
max time network
82s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06-10-2023 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b6fd8ce809d795cf0fff65251257aa279cd0290a209724150e97c6cbc96a0c7.exe
Size

1.2MB
MD5

c6f1d33de61ddd032d2b778b741e73ae
SHA1

c3961d6c389b430a28ee2759e4bb9fab0b8ab1bb
SHA256

7b6fd8ce809d795cf0fff65251257aa279cd0290a209724150e97c6cbc96a0c7
SHA512

81555c9d7eb00667127a0b676ed0ddd929da4a2ec66c9ef94202a4c93a48b0fc84e7963feae4132e03db89bb3ea1b5db46205811ffed645f3528f8c2fe5dc3c2
SSDEEP

24576:SyUrxkyluKvfjDxQa7+TIkhgR1YGInPV+wVrol/q:5Urpl/7NQmJRTM+sk

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2008-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2008-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2008-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2008-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
2336	aE3XE1fI.exe
3488	uo7Wg6zp.exe
1684	Gk6UK5zx.exe
3868	TY0HF6ao.exe
4388	1kx98wl3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	TY0HF6ao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7b6fd8ce809d795cf0fff65251257aa279cd0290a209724150e97c6cbc96a0c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	aE3XE1fI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	uo7Wg6zp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Gk6UK5zx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4388 set thread context of 2008	4388	1kx98wl3.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3616	4388	WerFault.exe	74
4964	2008	WerFault.exe	77

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2336	1168	7b6fd8ce809d795cf0fff65251257aa279cd0290a209724150e97c6cbc96a0c7.exe	70
PID 1168 wrote to memory of 2336	1168	7b6fd8ce809d795cf0fff65251257aa279cd0290a209724150e97c6cbc96a0c7.exe	70
PID 1168 wrote to memory of 2336	1168	7b6fd8ce809d795cf0fff65251257aa279cd0290a209724150e97c6cbc96a0c7.exe	70
PID 2336 wrote to memory of 3488	2336	aE3XE1fI.exe	71
PID 2336 wrote to memory of 3488	2336	aE3XE1fI.exe	71
PID 2336 wrote to memory of 3488	2336	aE3XE1fI.exe	71
PID 3488 wrote to memory of 1684	3488	uo7Wg6zp.exe	72
PID 3488 wrote to memory of 1684	3488	uo7Wg6zp.exe	72
PID 3488 wrote to memory of 1684	3488	uo7Wg6zp.exe	72
PID 1684 wrote to memory of 3868	1684	Gk6UK5zx.exe	73
PID 1684 wrote to memory of 3868	1684	Gk6UK5zx.exe	73
PID 1684 wrote to memory of 3868	1684	Gk6UK5zx.exe	73
PID 3868 wrote to memory of 4388	3868	TY0HF6ao.exe	74
PID 3868 wrote to memory of 4388	3868	TY0HF6ao.exe	74
PID 3868 wrote to memory of 4388	3868	TY0HF6ao.exe	74
PID 4388 wrote to memory of 1832	4388	1kx98wl3.exe	76
PID 4388 wrote to memory of 1832	4388	1kx98wl3.exe	76
PID 4388 wrote to memory of 1832	4388	1kx98wl3.exe	76
PID 4388 wrote to memory of 2008	4388	1kx98wl3.exe	77
PID 4388 wrote to memory of 2008	4388	1kx98wl3.exe	77
PID 4388 wrote to memory of 2008	4388	1kx98wl3.exe	77
PID 4388 wrote to memory of 2008	4388	1kx98wl3.exe	77
PID 4388 wrote to memory of 2008	4388	1kx98wl3.exe	77
PID 4388 wrote to memory of 2008	4388	1kx98wl3.exe	77
PID 4388 wrote to memory of 2008	4388	1kx98wl3.exe	77
PID 4388 wrote to memory of 2008	4388	1kx98wl3.exe	77
PID 4388 wrote to memory of 2008	4388	1kx98wl3.exe	77
PID 4388 wrote to memory of 2008	4388	1kx98wl3.exe	77

C:\Users\Admin\AppData\Local\Temp\7b6fd8ce809d795cf0fff65251257aa279cd0290a209724150e97c6cbc96a0c7.exe
"C:\Users\Admin\AppData\Local\Temp\7b6fd8ce809d795cf0fff65251257aa279cd0290a209724150e97c6cbc96a0c7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aE3XE1fI.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aE3XE1fI.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uo7Wg6zp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uo7Wg6zp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6UK5zx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6UK5zx.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TY0HF6ao.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TY0HF6ao.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3868
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kx98wl3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kx98wl3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 568
        8⤵
        Program crash
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 604
        7⤵
        Program crash
        
        PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aE3XE1fI.exe

Filesize
1.0MB

MD5
097bfd58d2d4d0a1ae4ab0560e366bca

SHA1
1dbd962883e7b426427795087c25497e129c070d

SHA256
343a292642da4eba6bf7ccc84e8ef689f4cbd4e98093d49968718f0b307fdea9

SHA512
34e5a29235a4762f61b6ba0ad92694739da26a281682656a10fff20c9f2cb2681f34e85b9dd16e06ed2c9c9413381b75bf736409b314bab5319f13091feccd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aE3XE1fI.exe

Filesize
1.0MB

MD5
097bfd58d2d4d0a1ae4ab0560e366bca

SHA1
1dbd962883e7b426427795087c25497e129c070d

SHA256
343a292642da4eba6bf7ccc84e8ef689f4cbd4e98093d49968718f0b307fdea9

SHA512
34e5a29235a4762f61b6ba0ad92694739da26a281682656a10fff20c9f2cb2681f34e85b9dd16e06ed2c9c9413381b75bf736409b314bab5319f13091feccd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uo7Wg6zp.exe

Filesize
884KB

MD5
cc7a8e700ca8dec5608c1b12e8577c21

SHA1
235d8a72f331ea1c405ad1e2b0a62527d4c4bf81

SHA256
c8eccb980eccc2673e1ce2fd89e068d3ab5a52e2e69ec9b97537a75f3d2ab761

SHA512
d1576b531ba73374f783a6fbec41d0cc36ec54fcf6128fb8cc4bf85f8cfdda1b60036e687b033d7c723c842036e9a5f0056ccb97aa62b369c13baa9c4f082f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uo7Wg6zp.exe

Filesize
884KB

MD5
cc7a8e700ca8dec5608c1b12e8577c21

SHA1
235d8a72f331ea1c405ad1e2b0a62527d4c4bf81

SHA256
c8eccb980eccc2673e1ce2fd89e068d3ab5a52e2e69ec9b97537a75f3d2ab761

SHA512
d1576b531ba73374f783a6fbec41d0cc36ec54fcf6128fb8cc4bf85f8cfdda1b60036e687b033d7c723c842036e9a5f0056ccb97aa62b369c13baa9c4f082f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6UK5zx.exe

Filesize
590KB

MD5
c699e67436aaf0b67c2b36f8574a019d

SHA1
72a843f60b31f2649106e9976e7747d6fd4a488d

SHA256
2df6a13a7cad24b74e1d012d001c80e983322b1544ec33c0a6078348529c8af9

SHA512
568b3877846efb208ae7117b329c202bb817b22d3d84b0e1024ed788e5655b282ed129db3729ea79ae5e39b5e6491daa3af90b52b5f21e962ece6727e44f4c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6UK5zx.exe

Filesize
590KB

MD5
c699e67436aaf0b67c2b36f8574a019d

SHA1
72a843f60b31f2649106e9976e7747d6fd4a488d

SHA256
2df6a13a7cad24b74e1d012d001c80e983322b1544ec33c0a6078348529c8af9

SHA512
568b3877846efb208ae7117b329c202bb817b22d3d84b0e1024ed788e5655b282ed129db3729ea79ae5e39b5e6491daa3af90b52b5f21e962ece6727e44f4c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TY0HF6ao.exe

Filesize
417KB

MD5
4fb29937a03a981d7f763b443673856f

SHA1
c097e48e7187f03018c6938c700b0ed29bc2be34

SHA256
fb9677a51bfad49490123a15766e3e5c643e12cb1134c6efda1f61831d7bbe42

SHA512
31112e605eb5c4d46d87d2c9a0705b771e771a3f299e370cf19aae0ea1e66d037651f5b63c6fadca67fb396c2cca98aef3380c31bdc6d9e4145fd6dd55f600ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TY0HF6ao.exe

Filesize
417KB

MD5
4fb29937a03a981d7f763b443673856f

SHA1
c097e48e7187f03018c6938c700b0ed29bc2be34

SHA256
fb9677a51bfad49490123a15766e3e5c643e12cb1134c6efda1f61831d7bbe42

SHA512
31112e605eb5c4d46d87d2c9a0705b771e771a3f299e370cf19aae0ea1e66d037651f5b63c6fadca67fb396c2cca98aef3380c31bdc6d9e4145fd6dd55f600ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kx98wl3.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kx98wl3.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
memory/2008-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2008-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2008-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2008-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads