mystic | 5a7c31b5c0b9951a8789fab6681789046cfa97cf637fd7eef11e2d65b9dcf3da

Analysis

max time kernel
126s
max time network
135s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06/10/2023, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a7c31b5c0b9951a8789fab6681789046cfa97cf637fd7eef11e2d65b9dcf3da.exe
Size

1.2MB
MD5

fffffe125969cbbe6ccee9753ae33415
SHA1

aad336d9eedc9f77358169cf77c3580e52a9998c
SHA256

5a7c31b5c0b9951a8789fab6681789046cfa97cf637fd7eef11e2d65b9dcf3da
SHA512

7a0a85b1df53258c54086fe76a23f0b7eaaff88eb74e509a23e97e3975908752c6c422b35779a4fb416af2af0f1039adf1fde4c1986b6f43f50ddd617439cf2d
SSDEEP

24576:dysI1+2j148/+BF2qzD73483PwK+Bd5oxNjeKHCxVAYN+:4sd2v2RP3nf3zHCXN

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2852-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2852-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2852-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2852-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
3540	rX8aO7jT.exe
3084	CE0JT1Nl.exe
4008	qF1Ld3qq.exe
2696	Sg5Aa1vj.exe
4492	1Kv13ru9.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	qF1Ld3qq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Sg5Aa1vj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a7c31b5c0b9951a8789fab6681789046cfa97cf637fd7eef11e2d65b9dcf3da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rX8aO7jT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	CE0JT1Nl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4492 set thread context of 2852	4492	1Kv13ru9.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4276	4492	WerFault.exe	75
3340	2852	WerFault.exe	77

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 3540	4604	5a7c31b5c0b9951a8789fab6681789046cfa97cf637fd7eef11e2d65b9dcf3da.exe	71
PID 4604 wrote to memory of 3540	4604	5a7c31b5c0b9951a8789fab6681789046cfa97cf637fd7eef11e2d65b9dcf3da.exe	71
PID 4604 wrote to memory of 3540	4604	5a7c31b5c0b9951a8789fab6681789046cfa97cf637fd7eef11e2d65b9dcf3da.exe	71
PID 3540 wrote to memory of 3084	3540	rX8aO7jT.exe	72
PID 3540 wrote to memory of 3084	3540	rX8aO7jT.exe	72
PID 3540 wrote to memory of 3084	3540	rX8aO7jT.exe	72
PID 3084 wrote to memory of 4008	3084	CE0JT1Nl.exe	73
PID 3084 wrote to memory of 4008	3084	CE0JT1Nl.exe	73
PID 3084 wrote to memory of 4008	3084	CE0JT1Nl.exe	73
PID 4008 wrote to memory of 2696	4008	qF1Ld3qq.exe	74
PID 4008 wrote to memory of 2696	4008	qF1Ld3qq.exe	74
PID 4008 wrote to memory of 2696	4008	qF1Ld3qq.exe	74
PID 2696 wrote to memory of 4492	2696	Sg5Aa1vj.exe	75
PID 2696 wrote to memory of 4492	2696	Sg5Aa1vj.exe	75
PID 2696 wrote to memory of 4492	2696	Sg5Aa1vj.exe	75
PID 4492 wrote to memory of 2852	4492	1Kv13ru9.exe	77
PID 4492 wrote to memory of 2852	4492	1Kv13ru9.exe	77
PID 4492 wrote to memory of 2852	4492	1Kv13ru9.exe	77
PID 4492 wrote to memory of 2852	4492	1Kv13ru9.exe	77
PID 4492 wrote to memory of 2852	4492	1Kv13ru9.exe	77
PID 4492 wrote to memory of 2852	4492	1Kv13ru9.exe	77
PID 4492 wrote to memory of 2852	4492	1Kv13ru9.exe	77
PID 4492 wrote to memory of 2852	4492	1Kv13ru9.exe	77
PID 4492 wrote to memory of 2852	4492	1Kv13ru9.exe	77
PID 4492 wrote to memory of 2852	4492	1Kv13ru9.exe	77

C:\Users\Admin\AppData\Local\Temp\5a7c31b5c0b9951a8789fab6681789046cfa97cf637fd7eef11e2d65b9dcf3da.exe
"C:\Users\Admin\AppData\Local\Temp\5a7c31b5c0b9951a8789fab6681789046cfa97cf637fd7eef11e2d65b9dcf3da.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rX8aO7jT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rX8aO7jT.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CE0JT1Nl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CE0JT1Nl.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qF1Ld3qq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qF1Ld3qq.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sg5Aa1vj.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sg5Aa1vj.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kv13ru9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kv13ru9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 568
        8⤵
        Program crash
        
        PID:3340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 584
        7⤵
        Program crash
        
        PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rX8aO7jT.exe

Filesize
1.0MB

MD5
c381d805cd9e7bcf66646ff21fda776c

SHA1
9574bb3dc55b6a766d947a96872799620c40c96c

SHA256
2151143b8e643594b03fb4eb168b94de7900efc405fc75b80918a96216ff9c63

SHA512
da87bdaac1aa665891f6ede6a70e64f8e709fe2f93812e50aec7ec9d310212c5042cd5445e2b7f98c9d76944545813c678b6fdaeb3b51b065cd789afe419a2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rX8aO7jT.exe

Filesize
1.0MB

MD5
c381d805cd9e7bcf66646ff21fda776c

SHA1
9574bb3dc55b6a766d947a96872799620c40c96c

SHA256
2151143b8e643594b03fb4eb168b94de7900efc405fc75b80918a96216ff9c63

SHA512
da87bdaac1aa665891f6ede6a70e64f8e709fe2f93812e50aec7ec9d310212c5042cd5445e2b7f98c9d76944545813c678b6fdaeb3b51b065cd789afe419a2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CE0JT1Nl.exe

Filesize
883KB

MD5
5a1219f99262363893498006f95d5850

SHA1
8cebb928ba589103afa2028735f624b936e0a021

SHA256
5b0688c84c54409d565196a6408256edccf4a7e5fbf4fe0e8370593c41770a3e

SHA512
826d775e7b3e3f6d5c328abd96e28ed96c5ef8061762ae207b1daa8128b027ac6149c180a4846c49e46d7c65219f7335c5f9b558cc01dee9139eb6983ee2ee29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CE0JT1Nl.exe

Filesize
883KB

MD5
5a1219f99262363893498006f95d5850

SHA1
8cebb928ba589103afa2028735f624b936e0a021

SHA256
5b0688c84c54409d565196a6408256edccf4a7e5fbf4fe0e8370593c41770a3e

SHA512
826d775e7b3e3f6d5c328abd96e28ed96c5ef8061762ae207b1daa8128b027ac6149c180a4846c49e46d7c65219f7335c5f9b558cc01dee9139eb6983ee2ee29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qF1Ld3qq.exe

Filesize
590KB

MD5
bbacc7fd8f7c818b1248951277e47bf1

SHA1
43bc26ac005095bdac2000170bc67c2fe2688ebc

SHA256
2ae4b7c75099b88aea8a1b7d5fc525f32b132a1171c68805001e4769192b044d

SHA512
12f8054af67641e1b78bbbecc2f38b8af284ff3220a349b6ac580f43dd8a42abeb6a57f2ff7653af7f4feb94046859ff923443e5251766c4dacc3a82583d1d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qF1Ld3qq.exe

Filesize
590KB

MD5
bbacc7fd8f7c818b1248951277e47bf1

SHA1
43bc26ac005095bdac2000170bc67c2fe2688ebc

SHA256
2ae4b7c75099b88aea8a1b7d5fc525f32b132a1171c68805001e4769192b044d

SHA512
12f8054af67641e1b78bbbecc2f38b8af284ff3220a349b6ac580f43dd8a42abeb6a57f2ff7653af7f4feb94046859ff923443e5251766c4dacc3a82583d1d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sg5Aa1vj.exe

Filesize
417KB

MD5
e602f2bdba013f73f35e35a3afb9a63d

SHA1
f552218ef8eaa876002803e8a09f719151ffad18

SHA256
a976247603221a465face5aaf7092bdc8441d50f79ba7d883c160d57a741e3b0

SHA512
6f8a2a0a902980964f4529c009a60164261249bd925c235fd270e4b4ce9ab6407554d09781ccef2bbd9cee5b43ba5a2f97c477e1ea8c82d164cc4244ac185c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sg5Aa1vj.exe

Filesize
417KB

MD5
e602f2bdba013f73f35e35a3afb9a63d

SHA1
f552218ef8eaa876002803e8a09f719151ffad18

SHA256
a976247603221a465face5aaf7092bdc8441d50f79ba7d883c160d57a741e3b0

SHA512
6f8a2a0a902980964f4529c009a60164261249bd925c235fd270e4b4ce9ab6407554d09781ccef2bbd9cee5b43ba5a2f97c477e1ea8c82d164cc4244ac185c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kv13ru9.exe

Filesize
378KB

MD5
3add60391ed3b1f4ec853d9e048a25ba

SHA1
efb4cf0ceedec06218d1a69d23d619b51e3cfcb1

SHA256
575db37697611a41e60bd9f33dd3cdcf693a665a739916bc40d06b69a3f13ac5

SHA512
9c294d833887aa63603d6d5283c7a424105698ce5d7ff86d6fde741cbf07fcf6630b1bf9019ab310fac6714e0164bf97a836777fe58c4af78f69c8703ff75866

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kv13ru9.exe

Filesize
378KB

MD5
3add60391ed3b1f4ec853d9e048a25ba

SHA1
efb4cf0ceedec06218d1a69d23d619b51e3cfcb1

SHA256
575db37697611a41e60bd9f33dd3cdcf693a665a739916bc40d06b69a3f13ac5

SHA512
9c294d833887aa63603d6d5283c7a424105698ce5d7ff86d6fde741cbf07fcf6630b1bf9019ab310fac6714e0164bf97a836777fe58c4af78f69c8703ff75866

Download Submit
memory/2852-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2852-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2852-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2852-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads