mystic | 35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35

Analysis

max time kernel
126s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
07/10/2023, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35.exe
Size

1.2MB
MD5

0ce38a1f0d411f9371599fba05bf1b69
SHA1

8d436cd3de377e5f064d0d842a78a15a5b3a35d6
SHA256

35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35
SHA512

36e01ee5d75c06e8a39cd59604e7ea58abf16bb0c170adb8c22a6230061810fbf3e1668932d8220e49cf476f4ec3315065cb5770049f45e6ed98e4bcd4833bd6
SSDEEP

24576:YykdtDvTsF4G5mhXLNSVQfey1+8bqAx8FuJ2YjuiqV7ALhgD09dhn1:fkdtDbsF45h7NSVQfeUPdx8FuJ2YokLd

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/808-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/808-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/808-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/808-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
4992	qK1JO8XT.exe
3680	Ck6MS5vw.exe
4176	tQ2Xk3xs.exe
1640	BV7uH4TV.exe
920	1MO50UJ4.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qK1JO8XT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ck6MS5vw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	tQ2Xk3xs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	BV7uH4TV.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 920 set thread context of 808	920	1MO50UJ4.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1668	920	WerFault.exe	74
3832	808	WerFault.exe	76

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 4992	3740	35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35.exe	70
PID 3740 wrote to memory of 4992	3740	35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35.exe	70
PID 3740 wrote to memory of 4992	3740	35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35.exe	70
PID 4992 wrote to memory of 3680	4992	qK1JO8XT.exe	71
PID 4992 wrote to memory of 3680	4992	qK1JO8XT.exe	71
PID 4992 wrote to memory of 3680	4992	qK1JO8XT.exe	71
PID 3680 wrote to memory of 4176	3680	Ck6MS5vw.exe	72
PID 3680 wrote to memory of 4176	3680	Ck6MS5vw.exe	72
PID 3680 wrote to memory of 4176	3680	Ck6MS5vw.exe	72
PID 4176 wrote to memory of 1640	4176	tQ2Xk3xs.exe	73
PID 4176 wrote to memory of 1640	4176	tQ2Xk3xs.exe	73
PID 4176 wrote to memory of 1640	4176	tQ2Xk3xs.exe	73
PID 1640 wrote to memory of 920	1640	BV7uH4TV.exe	74
PID 1640 wrote to memory of 920	1640	BV7uH4TV.exe	74
PID 1640 wrote to memory of 920	1640	BV7uH4TV.exe	74
PID 920 wrote to memory of 808	920	1MO50UJ4.exe	76
PID 920 wrote to memory of 808	920	1MO50UJ4.exe	76
PID 920 wrote to memory of 808	920	1MO50UJ4.exe	76
PID 920 wrote to memory of 808	920	1MO50UJ4.exe	76
PID 920 wrote to memory of 808	920	1MO50UJ4.exe	76
PID 920 wrote to memory of 808	920	1MO50UJ4.exe	76
PID 920 wrote to memory of 808	920	1MO50UJ4.exe	76
PID 920 wrote to memory of 808	920	1MO50UJ4.exe	76
PID 920 wrote to memory of 808	920	1MO50UJ4.exe	76
PID 920 wrote to memory of 808	920	1MO50UJ4.exe	76

C:\Users\Admin\AppData\Local\Temp\35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35.exe
"C:\Users\Admin\AppData\Local\Temp\35706e6913d750d2a1d1b11b6a5c919a0a1b55fbe88438d7df42553b09d82c35.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qK1JO8XT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qK1JO8XT.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ck6MS5vw.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ck6MS5vw.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tQ2Xk3xs.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tQ2Xk3xs.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4176
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BV7uH4TV.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BV7uH4TV.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MO50UJ4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MO50UJ4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 568
        8⤵
        Program crash
        
        PID:3832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 148
        7⤵
        Program crash
        
        PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qK1JO8XT.exe

Filesize
1.0MB

MD5
49bdc3fe93a96f942290053b2838e353

SHA1
16e05a49dcafc3ffcd097293a7b0f6620fd8dce4

SHA256
22660f42d86c8e5d8dc40d09d5efa815f736a9a29285f92783c14569922fbe3d

SHA512
b8f7ef263fef20f55a159e02b104605f1d365d67c10fc0e88ad2182692d1934b5ebe445a806d8cc46ac22648f1a548c8bff4df70eb89be5623bd95f109b18b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qK1JO8XT.exe

Filesize
1.0MB

MD5
49bdc3fe93a96f942290053b2838e353

SHA1
16e05a49dcafc3ffcd097293a7b0f6620fd8dce4

SHA256
22660f42d86c8e5d8dc40d09d5efa815f736a9a29285f92783c14569922fbe3d

SHA512
b8f7ef263fef20f55a159e02b104605f1d365d67c10fc0e88ad2182692d1934b5ebe445a806d8cc46ac22648f1a548c8bff4df70eb89be5623bd95f109b18b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ck6MS5vw.exe

Filesize
884KB

MD5
392685fd0e969cff294232f1fa6c42ee

SHA1
c14605dc273b5b69571faefaa9efc1d2ef366f60

SHA256
15ca54d31707fa63bd976c3341e10e21a9ec75523caf7795cde81e307a97e2ed

SHA512
37a9db66a132a6a855e1ee37c4f01e560deff7bd6e24ea010a276e9cf457601bf33cc4655c8a9cd67f8a38614f76267c4322540c99c72a3ac9f9b3024b550ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ck6MS5vw.exe

Filesize
884KB

MD5
392685fd0e969cff294232f1fa6c42ee

SHA1
c14605dc273b5b69571faefaa9efc1d2ef366f60

SHA256
15ca54d31707fa63bd976c3341e10e21a9ec75523caf7795cde81e307a97e2ed

SHA512
37a9db66a132a6a855e1ee37c4f01e560deff7bd6e24ea010a276e9cf457601bf33cc4655c8a9cd67f8a38614f76267c4322540c99c72a3ac9f9b3024b550ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tQ2Xk3xs.exe

Filesize
590KB

MD5
9862bf9623b59844a0ef43e6288686cf

SHA1
fd6fd25dc634d54992e31158a95c70dab043c2c4

SHA256
2cd2cee1b2632ddf26e9ac8dcbe6c754c358d3b9f7cd92b5ec737f5eaea2b47a

SHA512
76db8a56a9f5f2b6f28798aa06f037aae99d48249eabad387f5dca0f74a77e88d2e4b665014fedb656264a332ca185a0e0f99484508a7da10dd1824b397300cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tQ2Xk3xs.exe

Filesize
590KB

MD5
9862bf9623b59844a0ef43e6288686cf

SHA1
fd6fd25dc634d54992e31158a95c70dab043c2c4

SHA256
2cd2cee1b2632ddf26e9ac8dcbe6c754c358d3b9f7cd92b5ec737f5eaea2b47a

SHA512
76db8a56a9f5f2b6f28798aa06f037aae99d48249eabad387f5dca0f74a77e88d2e4b665014fedb656264a332ca185a0e0f99484508a7da10dd1824b397300cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BV7uH4TV.exe

Filesize
417KB

MD5
4255bd8ec2b9999216490f29bc04507a

SHA1
969e435d7de1155b0c44906a2d8c5452f43d1e5e

SHA256
f24a3a16f5964629ea18ad3883c30f927be2678b3b61ff33c6eff7025e00211b

SHA512
faf612c1b10f2fb70632c9115114b74247270d534077ae26d9c90d8587619523c6a655930377b29c1623dde7e84c8831d2626f5a227eefe59368ef9802ae1f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BV7uH4TV.exe

Filesize
417KB

MD5
4255bd8ec2b9999216490f29bc04507a

SHA1
969e435d7de1155b0c44906a2d8c5452f43d1e5e

SHA256
f24a3a16f5964629ea18ad3883c30f927be2678b3b61ff33c6eff7025e00211b

SHA512
faf612c1b10f2fb70632c9115114b74247270d534077ae26d9c90d8587619523c6a655930377b29c1623dde7e84c8831d2626f5a227eefe59368ef9802ae1f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MO50UJ4.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1MO50UJ4.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
memory/808-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/808-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/808-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/808-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads