mystic | b78c5287dd55f49d3e2dfc1e8ff6170bae241a6b2120a1938739df6891e26ad4

Analysis

max time kernel
115s
max time network
136s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06/10/2023, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b78c5287dd55f49d3e2dfc1e8ff6170bae241a6b2120a1938739df6891e26ad4.exe
Size

1.2MB
MD5

7c3172cf590525ed596ca0005a947f39
SHA1

e86ed0cb604ebc5538c089eee0239161720a29e6
SHA256

b78c5287dd55f49d3e2dfc1e8ff6170bae241a6b2120a1938739df6891e26ad4
SHA512

6686bbb75276da2a80db6df9cc5accffee9fd3b3941772e09826a9e5a03da32d0198061584571998cea3f185ce67af8ac039a0e818c7a031c254b44006dd9194
SSDEEP

24576:/ytU4FmuIl6JOBI740Xyt43Wo9dMLXLnZgVSW8S:KdIlm8He3D+VgEj

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4504-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4504-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4504-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4504-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
1636	CK5XL7lO.exe
3464	re9PA9km.exe
4164	xe7se9hT.exe
1292	uT6ne9Gp.exe
4404	1lK34Bd7.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	re9PA9km.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	xe7se9hT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	uT6ne9Gp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b78c5287dd55f49d3e2dfc1e8ff6170bae241a6b2120a1938739df6891e26ad4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	CK5XL7lO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4404 set thread context of 4504	4404	1lK34Bd7.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4872	4404	WerFault.exe	73
4724	4504	WerFault.exe	75

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1636	3612	b78c5287dd55f49d3e2dfc1e8ff6170bae241a6b2120a1938739df6891e26ad4.exe	69
PID 3612 wrote to memory of 1636	3612	b78c5287dd55f49d3e2dfc1e8ff6170bae241a6b2120a1938739df6891e26ad4.exe	69
PID 3612 wrote to memory of 1636	3612	b78c5287dd55f49d3e2dfc1e8ff6170bae241a6b2120a1938739df6891e26ad4.exe	69
PID 1636 wrote to memory of 3464	1636	CK5XL7lO.exe	70
PID 1636 wrote to memory of 3464	1636	CK5XL7lO.exe	70
PID 1636 wrote to memory of 3464	1636	CK5XL7lO.exe	70
PID 3464 wrote to memory of 4164	3464	re9PA9km.exe	71
PID 3464 wrote to memory of 4164	3464	re9PA9km.exe	71
PID 3464 wrote to memory of 4164	3464	re9PA9km.exe	71
PID 4164 wrote to memory of 1292	4164	xe7se9hT.exe	72
PID 4164 wrote to memory of 1292	4164	xe7se9hT.exe	72
PID 4164 wrote to memory of 1292	4164	xe7se9hT.exe	72
PID 1292 wrote to memory of 4404	1292	uT6ne9Gp.exe	73
PID 1292 wrote to memory of 4404	1292	uT6ne9Gp.exe	73
PID 1292 wrote to memory of 4404	1292	uT6ne9Gp.exe	73
PID 4404 wrote to memory of 4504	4404	1lK34Bd7.exe	75
PID 4404 wrote to memory of 4504	4404	1lK34Bd7.exe	75
PID 4404 wrote to memory of 4504	4404	1lK34Bd7.exe	75
PID 4404 wrote to memory of 4504	4404	1lK34Bd7.exe	75
PID 4404 wrote to memory of 4504	4404	1lK34Bd7.exe	75
PID 4404 wrote to memory of 4504	4404	1lK34Bd7.exe	75
PID 4404 wrote to memory of 4504	4404	1lK34Bd7.exe	75
PID 4404 wrote to memory of 4504	4404	1lK34Bd7.exe	75
PID 4404 wrote to memory of 4504	4404	1lK34Bd7.exe	75
PID 4404 wrote to memory of 4504	4404	1lK34Bd7.exe	75

C:\Users\Admin\AppData\Local\Temp\b78c5287dd55f49d3e2dfc1e8ff6170bae241a6b2120a1938739df6891e26ad4.exe
"C:\Users\Admin\AppData\Local\Temp\b78c5287dd55f49d3e2dfc1e8ff6170bae241a6b2120a1938739df6891e26ad4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CK5XL7lO.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CK5XL7lO.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\re9PA9km.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\re9PA9km.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xe7se9hT.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xe7se9hT.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4164
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uT6ne9Gp.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uT6ne9Gp.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1lK34Bd7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1lK34Bd7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 568
        8⤵
        Program crash
        
        PID:4724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 156
        7⤵
        Program crash
        
        PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CK5XL7lO.exe

Filesize
1.0MB

MD5
23e2f4ccb93210ba505f48f3da3cc79e

SHA1
45b74e7d7092b38b802be0bad88e9c33b317c08b

SHA256
9643742231661751307c7a1e1293beb206a7b55d7773092cab7681e79e4c0346

SHA512
ef8127865f94b848a08c2e0670f7f3311a906a5c2175666a282e829ea8c84fe7c2b65eec0cb7bb075c84507262a3627baa4a8739b595a7bdef239ea19e7d0109

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CK5XL7lO.exe

Filesize
1.0MB

MD5
23e2f4ccb93210ba505f48f3da3cc79e

SHA1
45b74e7d7092b38b802be0bad88e9c33b317c08b

SHA256
9643742231661751307c7a1e1293beb206a7b55d7773092cab7681e79e4c0346

SHA512
ef8127865f94b848a08c2e0670f7f3311a906a5c2175666a282e829ea8c84fe7c2b65eec0cb7bb075c84507262a3627baa4a8739b595a7bdef239ea19e7d0109

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\re9PA9km.exe

Filesize
885KB

MD5
e6379399aa0cbc1927ebab2b5a7993c8

SHA1
8848ac46620b6e58181e0c169da2a9f7133a8fb7

SHA256
467a6521c67942435c2f75df6abd1c1c202fb72020c61d795848cd7c3b15fa03

SHA512
5ec670e890d856aba778d30c445e7ffb6714eb80acb9ede22b33a947ac5315b5b4e9ebc175585402cb58527f2a2eb2851c7d3eeb30593563634d2dcce0da08ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\re9PA9km.exe

Filesize
885KB

MD5
e6379399aa0cbc1927ebab2b5a7993c8

SHA1
8848ac46620b6e58181e0c169da2a9f7133a8fb7

SHA256
467a6521c67942435c2f75df6abd1c1c202fb72020c61d795848cd7c3b15fa03

SHA512
5ec670e890d856aba778d30c445e7ffb6714eb80acb9ede22b33a947ac5315b5b4e9ebc175585402cb58527f2a2eb2851c7d3eeb30593563634d2dcce0da08ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xe7se9hT.exe

Filesize
590KB

MD5
0149c592ea58bd01f08d6b65d4c4f003

SHA1
2ee883150570648664f73c668b6a4bfa76f58d8d

SHA256
b66cd2e3dcb925860d163df1a2a6f8e0866e754b5ab512a8b13a4f114b7d08b8

SHA512
21c64d17f06bcc835d1cdc8a632982bad6670b976f6d9f167fc6ab65eb78b5d02d217d41df67cc69911c1ae15203d12073f59f1f4f03fc23916c254e78c3aeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xe7se9hT.exe

Filesize
590KB

MD5
0149c592ea58bd01f08d6b65d4c4f003

SHA1
2ee883150570648664f73c668b6a4bfa76f58d8d

SHA256
b66cd2e3dcb925860d163df1a2a6f8e0866e754b5ab512a8b13a4f114b7d08b8

SHA512
21c64d17f06bcc835d1cdc8a632982bad6670b976f6d9f167fc6ab65eb78b5d02d217d41df67cc69911c1ae15203d12073f59f1f4f03fc23916c254e78c3aeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uT6ne9Gp.exe

Filesize
418KB

MD5
10bbf52f718b67bfa6798636d6864237

SHA1
7dd2eb801ac801b710c1ff628326a328a2671947

SHA256
ad6bb66c9d132d434eff4106ac002ad8538709128a8281cc8966b44bf4c21070

SHA512
eb3304e8f42e47ea971fb9ffcee820b8d350ba1686978882b3e87a70667faae3b21943078a8ebb4ee1c977cd1917658d28d5409c77a2b7e587e67e8a29014a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uT6ne9Gp.exe

Filesize
418KB

MD5
10bbf52f718b67bfa6798636d6864237

SHA1
7dd2eb801ac801b710c1ff628326a328a2671947

SHA256
ad6bb66c9d132d434eff4106ac002ad8538709128a8281cc8966b44bf4c21070

SHA512
eb3304e8f42e47ea971fb9ffcee820b8d350ba1686978882b3e87a70667faae3b21943078a8ebb4ee1c977cd1917658d28d5409c77a2b7e587e67e8a29014a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1lK34Bd7.exe

Filesize
378KB

MD5
d3b79144ba1582aa01910b6f2bad4201

SHA1
30c98092702255ef580a0654e191f019ea3f800e

SHA256
8cc0ba996aee625384cff8f6f1ea2a641685ab0facca65070ab0bb8aac1bd40f

SHA512
423f438cdab4fdc6fd72bf89c9c04795516c1140b20dd17b660e66e4cde4293fbf0e8b40290818fa0cb8b46d353c79bbba3905baf8a410093f96a1ffb11a7643

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1lK34Bd7.exe

Filesize
378KB

MD5
d3b79144ba1582aa01910b6f2bad4201

SHA1
30c98092702255ef580a0654e191f019ea3f800e

SHA256
8cc0ba996aee625384cff8f6f1ea2a641685ab0facca65070ab0bb8aac1bd40f

SHA512
423f438cdab4fdc6fd72bf89c9c04795516c1140b20dd17b660e66e4cde4293fbf0e8b40290818fa0cb8b46d353c79bbba3905baf8a410093f96a1ffb11a7643

Download Submit
memory/4504-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4504-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4504-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4504-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads