mystic | cb4a5a54c98e2797e55f739bcea590d4ddbe247690eaba064ec4f38fa9e06e9c

Analysis

max time kernel
107s
max time network
113s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06/10/2023, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb4a5a54c98e2797e55f739bcea590d4ddbe247690eaba064ec4f38fa9e06e9c.exe
Size

1.2MB
MD5

2642fefc48b0172a5298b347d2198e6f
SHA1

7abdbfaebfceecdc06bb6ad34961084d81dc7f10
SHA256

cb4a5a54c98e2797e55f739bcea590d4ddbe247690eaba064ec4f38fa9e06e9c
SHA512

3027e0dfa0a6534638862f53216784f80a497522ab9deb6f0c7efb02f8f03b73976e0023711ed61b555a8b52faf5fd259f724c55567810f342ace84d729203e1
SSDEEP

24576:vyERi4YBavqCwG7aJfvOKGyGOZY02LvWfAokcmTahN5UnWTFH:6EPUavvwGCzGPF02nckahNQWT

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2488-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2488-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2488-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2488-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
3604	aJ7NF7ru.exe
4416	By6aT2VU.exe
3508	xQ7Ew6yI.exe
232	zy8Jo4qv.exe
2980	1TL52Wd3.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	By6aT2VU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	xQ7Ew6yI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	zy8Jo4qv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cb4a5a54c98e2797e55f739bcea590d4ddbe247690eaba064ec4f38fa9e06e9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	aJ7NF7ru.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 2488	2980	1TL52Wd3.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
244	2980	WerFault.exe	74
208	2488	WerFault.exe	77

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 3604	4820	cb4a5a54c98e2797e55f739bcea590d4ddbe247690eaba064ec4f38fa9e06e9c.exe	70
PID 4820 wrote to memory of 3604	4820	cb4a5a54c98e2797e55f739bcea590d4ddbe247690eaba064ec4f38fa9e06e9c.exe	70
PID 4820 wrote to memory of 3604	4820	cb4a5a54c98e2797e55f739bcea590d4ddbe247690eaba064ec4f38fa9e06e9c.exe	70
PID 3604 wrote to memory of 4416	3604	aJ7NF7ru.exe	71
PID 3604 wrote to memory of 4416	3604	aJ7NF7ru.exe	71
PID 3604 wrote to memory of 4416	3604	aJ7NF7ru.exe	71
PID 4416 wrote to memory of 3508	4416	By6aT2VU.exe	72
PID 4416 wrote to memory of 3508	4416	By6aT2VU.exe	72
PID 4416 wrote to memory of 3508	4416	By6aT2VU.exe	72
PID 3508 wrote to memory of 232	3508	xQ7Ew6yI.exe	73
PID 3508 wrote to memory of 232	3508	xQ7Ew6yI.exe	73
PID 3508 wrote to memory of 232	3508	xQ7Ew6yI.exe	73
PID 232 wrote to memory of 2980	232	zy8Jo4qv.exe	74
PID 232 wrote to memory of 2980	232	zy8Jo4qv.exe	74
PID 232 wrote to memory of 2980	232	zy8Jo4qv.exe	74
PID 2980 wrote to memory of 4912	2980	1TL52Wd3.exe	76
PID 2980 wrote to memory of 4912	2980	1TL52Wd3.exe	76
PID 2980 wrote to memory of 4912	2980	1TL52Wd3.exe	76
PID 2980 wrote to memory of 2488	2980	1TL52Wd3.exe	77
PID 2980 wrote to memory of 2488	2980	1TL52Wd3.exe	77
PID 2980 wrote to memory of 2488	2980	1TL52Wd3.exe	77
PID 2980 wrote to memory of 2488	2980	1TL52Wd3.exe	77
PID 2980 wrote to memory of 2488	2980	1TL52Wd3.exe	77
PID 2980 wrote to memory of 2488	2980	1TL52Wd3.exe	77
PID 2980 wrote to memory of 2488	2980	1TL52Wd3.exe	77
PID 2980 wrote to memory of 2488	2980	1TL52Wd3.exe	77
PID 2980 wrote to memory of 2488	2980	1TL52Wd3.exe	77
PID 2980 wrote to memory of 2488	2980	1TL52Wd3.exe	77

C:\Users\Admin\AppData\Local\Temp\cb4a5a54c98e2797e55f739bcea590d4ddbe247690eaba064ec4f38fa9e06e9c.exe
"C:\Users\Admin\AppData\Local\Temp\cb4a5a54c98e2797e55f739bcea590d4ddbe247690eaba064ec4f38fa9e06e9c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aJ7NF7ru.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aJ7NF7ru.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By6aT2VU.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By6aT2VU.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xQ7Ew6yI.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xQ7Ew6yI.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zy8Jo4qv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zy8Jo4qv.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:232
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TL52Wd3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TL52Wd3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 200
        8⤵
        Program crash
        
        PID:208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 596
        7⤵
        Program crash
        
        PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aJ7NF7ru.exe

Filesize
1.0MB

MD5
6d5e6e51d5e2b11332bce027bcc89200

SHA1
55b8455e2e2b461c37bd7e760108c1911dd8e8ae

SHA256
60caf06b295869c0120e47fca1f6706ef78deb5e9969eb6e3ef4db52724f097c

SHA512
55e01cc49b7e3501b77f85022335842abdcf8cc74326adec897604a3da1b6b311fbc0fe9740e4ad458c1595b63f07993af19ee7998638eea35c057b905be79a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aJ7NF7ru.exe

Filesize
1.0MB

MD5
6d5e6e51d5e2b11332bce027bcc89200

SHA1
55b8455e2e2b461c37bd7e760108c1911dd8e8ae

SHA256
60caf06b295869c0120e47fca1f6706ef78deb5e9969eb6e3ef4db52724f097c

SHA512
55e01cc49b7e3501b77f85022335842abdcf8cc74326adec897604a3da1b6b311fbc0fe9740e4ad458c1595b63f07993af19ee7998638eea35c057b905be79a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By6aT2VU.exe

Filesize
884KB

MD5
db479b2d2aa54b899435d96e6db02f25

SHA1
5ba1ca3905b544dc2297e705a55e6349abf36552

SHA256
59889d0962f263120b2fd4942f0049ab94cb716187af2eb6e54aae20f83a7bf1

SHA512
5d0db93d1238d168620778e6b7bcd63316933f5a334c59da9bb979486a7f1023221d140a32fc89bb1aa1d67b480da0ac8f5c4e769ed547440ec04b2cd18647fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By6aT2VU.exe

Filesize
884KB

MD5
db479b2d2aa54b899435d96e6db02f25

SHA1
5ba1ca3905b544dc2297e705a55e6349abf36552

SHA256
59889d0962f263120b2fd4942f0049ab94cb716187af2eb6e54aae20f83a7bf1

SHA512
5d0db93d1238d168620778e6b7bcd63316933f5a334c59da9bb979486a7f1023221d140a32fc89bb1aa1d67b480da0ac8f5c4e769ed547440ec04b2cd18647fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xQ7Ew6yI.exe

Filesize
590KB

MD5
adc522edb12c5a240e65ba7c2d03e09a

SHA1
8f39412d6b45da532193a08b3f28dcb9c32b9047

SHA256
d107f3b3f8fc1caf9e3fb7313aff723b03b6591a3efed8502db42654bba0a506

SHA512
2c29dcf72ca52d9458ed1d512563a8c0b2099ea61d2642c2634c059df37aa68fe1e8ff4e5105d0a0183dcbaf229be5249ceed07c472b72ecbddabf9e0b372b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xQ7Ew6yI.exe

Filesize
590KB

MD5
adc522edb12c5a240e65ba7c2d03e09a

SHA1
8f39412d6b45da532193a08b3f28dcb9c32b9047

SHA256
d107f3b3f8fc1caf9e3fb7313aff723b03b6591a3efed8502db42654bba0a506

SHA512
2c29dcf72ca52d9458ed1d512563a8c0b2099ea61d2642c2634c059df37aa68fe1e8ff4e5105d0a0183dcbaf229be5249ceed07c472b72ecbddabf9e0b372b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zy8Jo4qv.exe

Filesize
417KB

MD5
9b7369e025b67bd1cbb73de74b5ef95e

SHA1
e8cdbddf887cfc45f823a179b62ecd62e58ffbcd

SHA256
4eebe7f7142f78c017c88b146561de34ba6d20d9a08089ed944b937405c47d3e

SHA512
579d0589f7ff18691ffa295386e6c98c9674dc81287da2391ab27cd202929d88c294aa71aaccb8a8cb953f083f22796176b04ba3cec114d4b999c16407866bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zy8Jo4qv.exe

Filesize
417KB

MD5
9b7369e025b67bd1cbb73de74b5ef95e

SHA1
e8cdbddf887cfc45f823a179b62ecd62e58ffbcd

SHA256
4eebe7f7142f78c017c88b146561de34ba6d20d9a08089ed944b937405c47d3e

SHA512
579d0589f7ff18691ffa295386e6c98c9674dc81287da2391ab27cd202929d88c294aa71aaccb8a8cb953f083f22796176b04ba3cec114d4b999c16407866bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TL52Wd3.exe

Filesize
378KB

MD5
c108bb41522629415c858f5f93d7649d

SHA1
f1f6ab083fec50434c820057208a331f858cfb72

SHA256
c8ea06545eb28cf446dd8287c5b1e3a7d677ea5749aa2dcc37a85a776879bd32

SHA512
c86cae7de34e9262436e6bb020903bb2bbf67434a36c8e5a17803d4b2785521c2eafb243b631d700eb13c58ea2883cfa0ee71418d91c2a6a0639ee69abba547b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TL52Wd3.exe

Filesize
378KB

MD5
c108bb41522629415c858f5f93d7649d

SHA1
f1f6ab083fec50434c820057208a331f858cfb72

SHA256
c8ea06545eb28cf446dd8287c5b1e3a7d677ea5749aa2dcc37a85a776879bd32

SHA512
c86cae7de34e9262436e6bb020903bb2bbf67434a36c8e5a17803d4b2785521c2eafb243b631d700eb13c58ea2883cfa0ee71418d91c2a6a0639ee69abba547b

Download Submit
memory/2488-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2488-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2488-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2488-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads