mystic | d07497774827448c56a1f5ffa994df000fb91f0fb1ac190e0a7035bf308f691f

Analysis

max time kernel
108s
max time network
113s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
07/10/2023, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d07497774827448c56a1f5ffa994df000fb91f0fb1ac190e0a7035bf308f691f.exe
Size

1.6MB
MD5

89f1524c9936c37b872ce2a5d3216068
SHA1

e698ace29ac1beec20f3cdec541455af2ac2a2c1
SHA256

d07497774827448c56a1f5ffa994df000fb91f0fb1ac190e0a7035bf308f691f
SHA512

fdd8a32576e816b31e53c3d3b24126077022a192c00c1023ca8a8a6f702a1c3339a482ea7ca2496a33a521921dafbc16c5147de54c39c5b285ec5e9604eb7558
SSDEEP

24576:FymOF8nCjgTmo6PqHYPCt2lIs8oVahKh8/05413i2lKtdVtI/wu2Gb1/ad2lN6:gCFTmo6PiYPCtGmoVae8q41y2wtZ+d

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4268-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4268-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4268-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4268-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
3016	zz9MP1gp.exe
3568	PU6gj1vq.exe
3544	qj8zn6DJ.exe
4792	Uu5rt9UM.exe
4672	1qH90gS7.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zz9MP1gp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	PU6gj1vq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	qj8zn6DJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Uu5rt9UM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d07497774827448c56a1f5ffa994df000fb91f0fb1ac190e0a7035bf308f691f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4672 set thread context of 4268	4672	1qH90gS7.exe	78

Program crash 2 IoCs

pid	pid_target	Process	procid_target
796	4672	WerFault.exe	74
1384	4268	WerFault.exe	78

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3016	4936	d07497774827448c56a1f5ffa994df000fb91f0fb1ac190e0a7035bf308f691f.exe	70
PID 4936 wrote to memory of 3016	4936	d07497774827448c56a1f5ffa994df000fb91f0fb1ac190e0a7035bf308f691f.exe	70
PID 4936 wrote to memory of 3016	4936	d07497774827448c56a1f5ffa994df000fb91f0fb1ac190e0a7035bf308f691f.exe	70
PID 3016 wrote to memory of 3568	3016	zz9MP1gp.exe	71
PID 3016 wrote to memory of 3568	3016	zz9MP1gp.exe	71
PID 3016 wrote to memory of 3568	3016	zz9MP1gp.exe	71
PID 3568 wrote to memory of 3544	3568	PU6gj1vq.exe	72
PID 3568 wrote to memory of 3544	3568	PU6gj1vq.exe	72
PID 3568 wrote to memory of 3544	3568	PU6gj1vq.exe	72
PID 3544 wrote to memory of 4792	3544	qj8zn6DJ.exe	73
PID 3544 wrote to memory of 4792	3544	qj8zn6DJ.exe	73
PID 3544 wrote to memory of 4792	3544	qj8zn6DJ.exe	73
PID 4792 wrote to memory of 4672	4792	Uu5rt9UM.exe	74
PID 4792 wrote to memory of 4672	4792	Uu5rt9UM.exe	74
PID 4792 wrote to memory of 4672	4792	Uu5rt9UM.exe	74
PID 4672 wrote to memory of 2864	4672	1qH90gS7.exe	76
PID 4672 wrote to memory of 2864	4672	1qH90gS7.exe	76
PID 4672 wrote to memory of 2864	4672	1qH90gS7.exe	76
PID 4672 wrote to memory of 3712	4672	1qH90gS7.exe	77
PID 4672 wrote to memory of 3712	4672	1qH90gS7.exe	77
PID 4672 wrote to memory of 3712	4672	1qH90gS7.exe	77
PID 4672 wrote to memory of 4268	4672	1qH90gS7.exe	78
PID 4672 wrote to memory of 4268	4672	1qH90gS7.exe	78
PID 4672 wrote to memory of 4268	4672	1qH90gS7.exe	78
PID 4672 wrote to memory of 4268	4672	1qH90gS7.exe	78
PID 4672 wrote to memory of 4268	4672	1qH90gS7.exe	78
PID 4672 wrote to memory of 4268	4672	1qH90gS7.exe	78
PID 4672 wrote to memory of 4268	4672	1qH90gS7.exe	78
PID 4672 wrote to memory of 4268	4672	1qH90gS7.exe	78
PID 4672 wrote to memory of 4268	4672	1qH90gS7.exe	78
PID 4672 wrote to memory of 4268	4672	1qH90gS7.exe	78

C:\Users\Admin\AppData\Local\Temp\d07497774827448c56a1f5ffa994df000fb91f0fb1ac190e0a7035bf308f691f.exe
"C:\Users\Admin\AppData\Local\Temp\d07497774827448c56a1f5ffa994df000fb91f0fb1ac190e0a7035bf308f691f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zz9MP1gp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zz9MP1gp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PU6gj1vq.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PU6gj1vq.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qj8zn6DJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qj8zn6DJ.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Uu5rt9UM.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Uu5rt9UM.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4792
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qH90gS7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qH90gS7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 568
        8⤵
        Program crash
        
        PID:1384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 604
        7⤵
        Program crash
        
        PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zz9MP1gp.exe

Filesize
1.5MB

MD5
8e9679ccb3342761645f2c024d6a0622

SHA1
4ea1588c1e7e94cb61cac2185bcbc4bcab686886

SHA256
4d65e5ef0fa9ff3e398263690549a8954c99078506b8ecc4058b5182abacbec3

SHA512
dfc1eb0f7b3551064ca8c32ae0494db0edf4cfcb0fa9d577664819a5b578cedf5a58c9923dc526bec67c6f630d7c988c4e0ca69ab1cc13b9620fbf01baa67a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zz9MP1gp.exe

Filesize
1.5MB

MD5
8e9679ccb3342761645f2c024d6a0622

SHA1
4ea1588c1e7e94cb61cac2185bcbc4bcab686886

SHA256
4d65e5ef0fa9ff3e398263690549a8954c99078506b8ecc4058b5182abacbec3

SHA512
dfc1eb0f7b3551064ca8c32ae0494db0edf4cfcb0fa9d577664819a5b578cedf5a58c9923dc526bec67c6f630d7c988c4e0ca69ab1cc13b9620fbf01baa67a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PU6gj1vq.exe

Filesize
1.3MB

MD5
8402d60bc15c4b46c269138f246ff78c

SHA1
fb851737b940ed90e772b81b4ae6c0e4a36e4207

SHA256
1a67845007aa4a46245ec876540ee5a0473646ab24d2836a9b88f00c55be849e

SHA512
402a232186e7d292cc9e27ff5bc1f3dc046359ad6e267185e7319e9a928c50b4b9b817e2475e4cb9a1630dc3e40b33234f507b605c096ac8b6981d2f3eb2fe61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PU6gj1vq.exe

Filesize
1.3MB

MD5
8402d60bc15c4b46c269138f246ff78c

SHA1
fb851737b940ed90e772b81b4ae6c0e4a36e4207

SHA256
1a67845007aa4a46245ec876540ee5a0473646ab24d2836a9b88f00c55be849e

SHA512
402a232186e7d292cc9e27ff5bc1f3dc046359ad6e267185e7319e9a928c50b4b9b817e2475e4cb9a1630dc3e40b33234f507b605c096ac8b6981d2f3eb2fe61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qj8zn6DJ.exe

Filesize
818KB

MD5
c21731cb31ff6b2b55974039f52fc30c

SHA1
10a700697609c80dfc94d70fdf9e6e942af40398

SHA256
d0a87b28d3f1ce36a61c76707c9026aee5efb6c0ca8358a832093d0f4613cf61

SHA512
15fec42343f17a50e497235b024b5b6be48320ba0e5e2b24c0168dcfc28489d9205fd56ca14de8a4e359791bac96632ec80489478011e51e26f9489af2625c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qj8zn6DJ.exe

Filesize
818KB

MD5
c21731cb31ff6b2b55974039f52fc30c

SHA1
10a700697609c80dfc94d70fdf9e6e942af40398

SHA256
d0a87b28d3f1ce36a61c76707c9026aee5efb6c0ca8358a832093d0f4613cf61

SHA512
15fec42343f17a50e497235b024b5b6be48320ba0e5e2b24c0168dcfc28489d9205fd56ca14de8a4e359791bac96632ec80489478011e51e26f9489af2625c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Uu5rt9UM.exe

Filesize
646KB

MD5
8796c19f34f61120f7070a2b0f754218

SHA1
670ed1fb03dae198366be3e5bd45fcd6af42b09f

SHA256
db4204796016cdd8dc177b43bf02be903320a208dab8e760815c4967c6939cc3

SHA512
1383e3a8fae87b272dcef84542b163a2fb9a17a36854e35e788a006b8c9ba3e19da6c0bc8941c839ec6330b363fb79b9cd1894ce7378a203bda7fa2abb9b414c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Uu5rt9UM.exe

Filesize
646KB

MD5
8796c19f34f61120f7070a2b0f754218

SHA1
670ed1fb03dae198366be3e5bd45fcd6af42b09f

SHA256
db4204796016cdd8dc177b43bf02be903320a208dab8e760815c4967c6939cc3

SHA512
1383e3a8fae87b272dcef84542b163a2fb9a17a36854e35e788a006b8c9ba3e19da6c0bc8941c839ec6330b363fb79b9cd1894ce7378a203bda7fa2abb9b414c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qH90gS7.exe

Filesize
1.8MB

MD5
6c8cc6bcb3f30bcc8558f91513265134

SHA1
4dc4f8623bbe26fa1e6df2ce78942957313fad2a

SHA256
8c6c5678157f8e3e085ddd7234b67e2d4e802f3c1108d711dfff5e20b5415a5c

SHA512
b3e422a7f3dcf55d2e793648afc202cf2678d6b150afeec4e5e0fc05b90747658fe18e91d9bac974244f3aae3a97325c06f3d0d200594213eeaac115933f22d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qH90gS7.exe

Filesize
1.8MB

MD5
6c8cc6bcb3f30bcc8558f91513265134

SHA1
4dc4f8623bbe26fa1e6df2ce78942957313fad2a

SHA256
8c6c5678157f8e3e085ddd7234b67e2d4e802f3c1108d711dfff5e20b5415a5c

SHA512
b3e422a7f3dcf55d2e793648afc202cf2678d6b150afeec4e5e0fc05b90747658fe18e91d9bac974244f3aae3a97325c06f3d0d200594213eeaac115933f22d1

Download Submit
memory/4268-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4268-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4268-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4268-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads