mystic | 133c70b1675b1cb34aea3e0eff67e7e6465d29e89efc08f4140546a4c8f300fd

Analysis

max time kernel
127s
max time network
133s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06/10/2023, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133c70b1675b1cb34aea3e0eff67e7e6465d29e89efc08f4140546a4c8f300fd.exe
Size

1.6MB
MD5

f3e0afaae592d714b63e319e8946c7b6
SHA1

93be6c1ef24f4eb54bdb152e9bd7ba930a3ec300
SHA256

133c70b1675b1cb34aea3e0eff67e7e6465d29e89efc08f4140546a4c8f300fd
SHA512

b7d26fde8fe14ed0260146c042bac6da7cbc07c014d9a862b60c374aa7613de5714e830c19cf3a5e51cc05dfa68c5e0e3058f1640997053c1aa26556924d0b56
SSDEEP

24576:UyQNYto3sRhOOWx4VfUKKteCAj5UQXz4Yc8Wy0g3XmNejYpdMN/gG:jkYto8R6qVgFn6z4EWyhmkIdwo

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3796-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3796-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3796-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3796-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
5008	kW0vf8OY.exe
2432	Wd5zA2fr.exe
3776	IQ7pW5Zl.exe
4872	sb7Iw2mv.exe
3128	1nr19tQ9.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Wd5zA2fr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	IQ7pW5Zl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	sb7Iw2mv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	133c70b1675b1cb34aea3e0eff67e7e6465d29e89efc08f4140546a4c8f300fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kW0vf8OY.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3128 set thread context of 3796	3128	1nr19tQ9.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3788	3128	WerFault.exe	74
3540	3796	WerFault.exe	75

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 5008	1300	133c70b1675b1cb34aea3e0eff67e7e6465d29e89efc08f4140546a4c8f300fd.exe	70
PID 1300 wrote to memory of 5008	1300	133c70b1675b1cb34aea3e0eff67e7e6465d29e89efc08f4140546a4c8f300fd.exe	70
PID 1300 wrote to memory of 5008	1300	133c70b1675b1cb34aea3e0eff67e7e6465d29e89efc08f4140546a4c8f300fd.exe	70
PID 5008 wrote to memory of 2432	5008	kW0vf8OY.exe	71
PID 5008 wrote to memory of 2432	5008	kW0vf8OY.exe	71
PID 5008 wrote to memory of 2432	5008	kW0vf8OY.exe	71
PID 2432 wrote to memory of 3776	2432	Wd5zA2fr.exe	72
PID 2432 wrote to memory of 3776	2432	Wd5zA2fr.exe	72
PID 2432 wrote to memory of 3776	2432	Wd5zA2fr.exe	72
PID 3776 wrote to memory of 4872	3776	IQ7pW5Zl.exe	73
PID 3776 wrote to memory of 4872	3776	IQ7pW5Zl.exe	73
PID 3776 wrote to memory of 4872	3776	IQ7pW5Zl.exe	73
PID 4872 wrote to memory of 3128	4872	sb7Iw2mv.exe	74
PID 4872 wrote to memory of 3128	4872	sb7Iw2mv.exe	74
PID 4872 wrote to memory of 3128	4872	sb7Iw2mv.exe	74
PID 3128 wrote to memory of 3796	3128	1nr19tQ9.exe	75
PID 3128 wrote to memory of 3796	3128	1nr19tQ9.exe	75
PID 3128 wrote to memory of 3796	3128	1nr19tQ9.exe	75
PID 3128 wrote to memory of 3796	3128	1nr19tQ9.exe	75
PID 3128 wrote to memory of 3796	3128	1nr19tQ9.exe	75
PID 3128 wrote to memory of 3796	3128	1nr19tQ9.exe	75
PID 3128 wrote to memory of 3796	3128	1nr19tQ9.exe	75
PID 3128 wrote to memory of 3796	3128	1nr19tQ9.exe	75
PID 3128 wrote to memory of 3796	3128	1nr19tQ9.exe	75
PID 3128 wrote to memory of 3796	3128	1nr19tQ9.exe	75

C:\Users\Admin\AppData\Local\Temp\133c70b1675b1cb34aea3e0eff67e7e6465d29e89efc08f4140546a4c8f300fd.exe
"C:\Users\Admin\AppData\Local\Temp\133c70b1675b1cb34aea3e0eff67e7e6465d29e89efc08f4140546a4c8f300fd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kW0vf8OY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kW0vf8OY.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wd5zA2fr.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wd5zA2fr.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IQ7pW5Zl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IQ7pW5Zl.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sb7Iw2mv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sb7Iw2mv.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4872
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nr19tQ9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nr19tQ9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 568
        8⤵
        Program crash
        
        PID:3540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 560
        7⤵
        Program crash
        
        PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kW0vf8OY.exe

Filesize
1.5MB

MD5
d437822b19be3adad24458a6ee818353

SHA1
b2569579beffc133f8c35cb5e207548b1e7dc1cf

SHA256
bf22eeecee599479a8d5a29c2c5c439ac14ac73949169383d92ab28ff1c65bda

SHA512
a147d12e7f7340fcb0ee57e0940cb3ab33783a4e3efe9b64b15c7c8a8ca689c728852440e9314589b8f50fb788f562adcc81666911b5891515525c4d7ba1502b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kW0vf8OY.exe

Filesize
1.5MB

MD5
d437822b19be3adad24458a6ee818353

SHA1
b2569579beffc133f8c35cb5e207548b1e7dc1cf

SHA256
bf22eeecee599479a8d5a29c2c5c439ac14ac73949169383d92ab28ff1c65bda

SHA512
a147d12e7f7340fcb0ee57e0940cb3ab33783a4e3efe9b64b15c7c8a8ca689c728852440e9314589b8f50fb788f562adcc81666911b5891515525c4d7ba1502b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wd5zA2fr.exe

Filesize
1.3MB

MD5
3dabfc51cdecf93214962a9a0a6ac900

SHA1
e24aa3de31909935099a089c60afa2c968b34349

SHA256
de6f713443e904d61e98e2e67fc5b01a7daeac7ad612d4586907a4f20d329d1f

SHA512
1dc9306178cb585446edec9d4fe564be5c89c1e78c0ae39c3d6139b017a0ae080a8f23a3b76caafdb93459ea599f82347a7befbc14138b815c00616f9abee7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wd5zA2fr.exe

Filesize
1.3MB

MD5
3dabfc51cdecf93214962a9a0a6ac900

SHA1
e24aa3de31909935099a089c60afa2c968b34349

SHA256
de6f713443e904d61e98e2e67fc5b01a7daeac7ad612d4586907a4f20d329d1f

SHA512
1dc9306178cb585446edec9d4fe564be5c89c1e78c0ae39c3d6139b017a0ae080a8f23a3b76caafdb93459ea599f82347a7befbc14138b815c00616f9abee7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IQ7pW5Zl.exe

Filesize
821KB

MD5
b7f5f407732df8f877c68cb721b843bb

SHA1
a380edb0a0f3f8651b3227d15c2c75bf15930243

SHA256
c9796f6cce88099e47e97f2a4a8147fdbc68e6356ef057d21761529e01e83cd1

SHA512
0b5ee293d68a51dd5f466d24a191887591e5c1e2519277551140f723533dac29375f8dececfd8e22eb6b0c98dfe70ed84106faa7c1a2bf02ee6e63a779c19a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IQ7pW5Zl.exe

Filesize
821KB

MD5
b7f5f407732df8f877c68cb721b843bb

SHA1
a380edb0a0f3f8651b3227d15c2c75bf15930243

SHA256
c9796f6cce88099e47e97f2a4a8147fdbc68e6356ef057d21761529e01e83cd1

SHA512
0b5ee293d68a51dd5f466d24a191887591e5c1e2519277551140f723533dac29375f8dececfd8e22eb6b0c98dfe70ed84106faa7c1a2bf02ee6e63a779c19a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sb7Iw2mv.exe

Filesize
649KB

MD5
7d42b58c786d73d7032e5cdae678e0f9

SHA1
99ec10ab9f27a4f01fa1a5d8d09b19b40abeca69

SHA256
c3da84c38eee346c87f98a20e4f82c06d0c1df477b53fcd8fd0189fc5282d3a0

SHA512
52ef283787a6b38725c972c951ae8bb0e684694fdf6d84c576dc87331a1f71a7af6737293052ee906ba471e72b36d75a7b30558c2fe0f0458f8fe69754e1750b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sb7Iw2mv.exe

Filesize
649KB

MD5
7d42b58c786d73d7032e5cdae678e0f9

SHA1
99ec10ab9f27a4f01fa1a5d8d09b19b40abeca69

SHA256
c3da84c38eee346c87f98a20e4f82c06d0c1df477b53fcd8fd0189fc5282d3a0

SHA512
52ef283787a6b38725c972c951ae8bb0e684694fdf6d84c576dc87331a1f71a7af6737293052ee906ba471e72b36d75a7b30558c2fe0f0458f8fe69754e1750b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nr19tQ9.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nr19tQ9.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
memory/3796-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3796-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3796-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3796-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads