mystic | 05e973761e44463f832a1d02a7ef7615686bfee5d9cf3d585c1c8f51b9d8a2d4

General

Target

Cu8lr9EP.exe
Size

1.5MB
MD5

a40b80b9f9fe39308c0f10b152d4a715
SHA1

04437d394376e70d5382e5d2e1e6e83b189ba21e
SHA256

05e973761e44463f832a1d02a7ef7615686bfee5d9cf3d585c1c8f51b9d8a2d4
SHA512

f12605a016ff14981bad6af43909aed27a9487f0a5841e63fddaa33f4b4dfb6d50b71bbd47132e7c84c7f62562d4ac4f5544bbf5ca6a027b142b5cadec793f86
SSDEEP

24576:NyK+MXsdOLiQO3B/X8kt7YOzz4dBLcKPggKF83zfpJ5X2CBd8rA:oK+MXsdOcR/RSw4o23zRYr

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1348-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1348-31-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1348-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1348-34-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 4 IoCs

pid	Process
1628	On6gf7sK.exe
4236	pM7ZO9FY.exe
4264	cp6MC2WP.exe
4524	1Vl72wS3.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Cu8lr9EP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	On6gf7sK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	pM7ZO9FY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	cp6MC2WP.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4524 set thread context of 1348	4524	1Vl72wS3.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2716	4524	WerFault.exe	73
3700	1348	WerFault.exe	74

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 1628	3272	Cu8lr9EP.exe	70
PID 3272 wrote to memory of 1628	3272	Cu8lr9EP.exe	70
PID 3272 wrote to memory of 1628	3272	Cu8lr9EP.exe	70
PID 1628 wrote to memory of 4236	1628	On6gf7sK.exe	71
PID 1628 wrote to memory of 4236	1628	On6gf7sK.exe	71
PID 1628 wrote to memory of 4236	1628	On6gf7sK.exe	71
PID 4236 wrote to memory of 4264	4236	pM7ZO9FY.exe	72
PID 4236 wrote to memory of 4264	4236	pM7ZO9FY.exe	72
PID 4236 wrote to memory of 4264	4236	pM7ZO9FY.exe	72
PID 4264 wrote to memory of 4524	4264	cp6MC2WP.exe	73
PID 4264 wrote to memory of 4524	4264	cp6MC2WP.exe	73
PID 4264 wrote to memory of 4524	4264	cp6MC2WP.exe	73
PID 4524 wrote to memory of 1348	4524	1Vl72wS3.exe	74
PID 4524 wrote to memory of 1348	4524	1Vl72wS3.exe	74
PID 4524 wrote to memory of 1348	4524	1Vl72wS3.exe	74
PID 4524 wrote to memory of 1348	4524	1Vl72wS3.exe	74
PID 4524 wrote to memory of 1348	4524	1Vl72wS3.exe	74
PID 4524 wrote to memory of 1348	4524	1Vl72wS3.exe	74
PID 4524 wrote to memory of 1348	4524	1Vl72wS3.exe	74
PID 4524 wrote to memory of 1348	4524	1Vl72wS3.exe	74
PID 4524 wrote to memory of 1348	4524	1Vl72wS3.exe	74
PID 4524 wrote to memory of 1348	4524	1Vl72wS3.exe	74

C:\Users\Admin\AppData\Local\Temp\Cu8lr9EP.exe
"C:\Users\Admin\AppData\Local\Temp\Cu8lr9EP.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\On6gf7sK.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\On6gf7sK.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pM7ZO9FY.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pM7ZO9FY.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cp6MC2WP.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cp6MC2WP.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vl72wS3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vl72wS3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 568
        7⤵
        Program crash
        
        PID:3700
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 580
        6⤵
        Program crash
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\On6gf7sK.exe

Filesize
1.3MB

MD5
3d50793e58f89962ddab66df07982fb0

SHA1
cef09074293ea5a1f28ab511f4c2ad7298209790

SHA256
b8f49f1427838335010672cc559f6445b71118af395e9656f14660e62e19eb05

SHA512
2b300e35011372657f1405bf669869597641d4411e0562088b51042658449ef14ed16beeef47a34b47fdfad875dedbde182e4883baf360c2bbfb13d65c7415cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\On6gf7sK.exe

Filesize
1.3MB

MD5
3d50793e58f89962ddab66df07982fb0

SHA1
cef09074293ea5a1f28ab511f4c2ad7298209790

SHA256
b8f49f1427838335010672cc559f6445b71118af395e9656f14660e62e19eb05

SHA512
2b300e35011372657f1405bf669869597641d4411e0562088b51042658449ef14ed16beeef47a34b47fdfad875dedbde182e4883baf360c2bbfb13d65c7415cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pM7ZO9FY.exe

Filesize
821KB

MD5
29c245665d7ec2a067b0efba9761203a

SHA1
21bfecc123a349c6447b2bbaf54f2921015957b2

SHA256
2c58ee580588f3af770bfbe1f4b90e3f3abc1db0635b5db9df6dc396c7e7666e

SHA512
e57f8ba651b21143633b3e5390ef585ba8a91ea58913a426de90c34005a9c2970177232c8d95855f362b894defc774f7c488bff4338b9e44c9187fc0a0e9ea39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pM7ZO9FY.exe

Filesize
821KB

MD5
29c245665d7ec2a067b0efba9761203a

SHA1
21bfecc123a349c6447b2bbaf54f2921015957b2

SHA256
2c58ee580588f3af770bfbe1f4b90e3f3abc1db0635b5db9df6dc396c7e7666e

SHA512
e57f8ba651b21143633b3e5390ef585ba8a91ea58913a426de90c34005a9c2970177232c8d95855f362b894defc774f7c488bff4338b9e44c9187fc0a0e9ea39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cp6MC2WP.exe

Filesize
649KB

MD5
2c42a560131ee6b2322e729a2ff216b3

SHA1
1824ca61a858fd87d69d0c32e47c92bea4145943

SHA256
b00259386069b7e0a13de23ad68449ae3d36e1174ed36221a96ab8f3af60aba3

SHA512
f6ad6d2390bc63bff72bf0fe6df5fe3efff468900b36755275585aa11ca89c0d174736ebab1b5bce0e75015f91cba5f6264ab16c77888993eafc250584e70d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cp6MC2WP.exe

Filesize
649KB

MD5
2c42a560131ee6b2322e729a2ff216b3

SHA1
1824ca61a858fd87d69d0c32e47c92bea4145943

SHA256
b00259386069b7e0a13de23ad68449ae3d36e1174ed36221a96ab8f3af60aba3

SHA512
f6ad6d2390bc63bff72bf0fe6df5fe3efff468900b36755275585aa11ca89c0d174736ebab1b5bce0e75015f91cba5f6264ab16c77888993eafc250584e70d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vl72wS3.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vl72wS3.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
memory/1348-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1348-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1348-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1348-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads