mystic | ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b

Analysis

max time kernel
141s
max time network
149s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
07/10/2023, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b.exe
Size

1.2MB
MD5

fbc5723c9ba994500b6db800dffb94e7
SHA1

19694e6ba766d924bc5e41b02b592e6364a628d3
SHA256

ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b
SHA512

859f900632d369e470cdb87605d082c1252b6af1d9968b9c63d7b1c5eecec1031fa773b67999cbb6e622965f037d96d50c17a7651f38e868e34500185e46c66d
SSDEEP

24576:3ycwYDhpoFJsit+5rqUkQ33Go1pd742ZWT:CcwYFgs0vUkQHGo1r7428

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4780-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4780-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4780-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4780-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
1800	KG2cM4em.exe
5040	wH0yQ6yH.exe
4308	JK5ar5Qx.exe
2732	JW8np8Io.exe
4472	1bo01qJ0.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	KG2cM4em.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	wH0yQ6yH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	JK5ar5Qx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	JW8np8Io.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4472 set thread context of 4780	4472	1bo01qJ0.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4936	4472	WerFault.exe	74
4468	4780	WerFault.exe	76

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1800	1916	ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b.exe	70
PID 1916 wrote to memory of 1800	1916	ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b.exe	70
PID 1916 wrote to memory of 1800	1916	ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b.exe	70
PID 1800 wrote to memory of 5040	1800	KG2cM4em.exe	71
PID 1800 wrote to memory of 5040	1800	KG2cM4em.exe	71
PID 1800 wrote to memory of 5040	1800	KG2cM4em.exe	71
PID 5040 wrote to memory of 4308	5040	wH0yQ6yH.exe	72
PID 5040 wrote to memory of 4308	5040	wH0yQ6yH.exe	72
PID 5040 wrote to memory of 4308	5040	wH0yQ6yH.exe	72
PID 4308 wrote to memory of 2732	4308	JK5ar5Qx.exe	73
PID 4308 wrote to memory of 2732	4308	JK5ar5Qx.exe	73
PID 4308 wrote to memory of 2732	4308	JK5ar5Qx.exe	73
PID 2732 wrote to memory of 4472	2732	JW8np8Io.exe	74
PID 2732 wrote to memory of 4472	2732	JW8np8Io.exe	74
PID 2732 wrote to memory of 4472	2732	JW8np8Io.exe	74
PID 4472 wrote to memory of 4780	4472	1bo01qJ0.exe	76
PID 4472 wrote to memory of 4780	4472	1bo01qJ0.exe	76
PID 4472 wrote to memory of 4780	4472	1bo01qJ0.exe	76
PID 4472 wrote to memory of 4780	4472	1bo01qJ0.exe	76
PID 4472 wrote to memory of 4780	4472	1bo01qJ0.exe	76
PID 4472 wrote to memory of 4780	4472	1bo01qJ0.exe	76
PID 4472 wrote to memory of 4780	4472	1bo01qJ0.exe	76
PID 4472 wrote to memory of 4780	4472	1bo01qJ0.exe	76
PID 4472 wrote to memory of 4780	4472	1bo01qJ0.exe	76
PID 4472 wrote to memory of 4780	4472	1bo01qJ0.exe	76

C:\Users\Admin\AppData\Local\Temp\ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b.exe
"C:\Users\Admin\AppData\Local\Temp\ff1f18c018d0343fb016ff98e2f455bb4ec921310d6b8c75c44fecd3ed73506b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KG2cM4em.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KG2cM4em.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wH0yQ6yH.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wH0yQ6yH.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK5ar5Qx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK5ar5Qx.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JW8np8Io.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JW8np8Io.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bo01qJ0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bo01qJ0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 568
        8⤵
        Program crash
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 132
        7⤵
        Program crash
        
        PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KG2cM4em.exe

Filesize
1.0MB

MD5
0f152f95c32b20107e25ff51e4c95174

SHA1
d4a6f8288383aba662bb9586542275eae69e5065

SHA256
c7509f70e69e87cc89bc5cd724d2ed1713e305b0c8fd24c6b119065f90470b9c

SHA512
5b826bf62755c435953320b267774647c1dcb2b7d61655f1abf25950a884d1f0aeb4fc15fca53e561da69f6cb6b5d3394b34fb147716d799fb62b44debedcb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KG2cM4em.exe

Filesize
1.0MB

MD5
0f152f95c32b20107e25ff51e4c95174

SHA1
d4a6f8288383aba662bb9586542275eae69e5065

SHA256
c7509f70e69e87cc89bc5cd724d2ed1713e305b0c8fd24c6b119065f90470b9c

SHA512
5b826bf62755c435953320b267774647c1dcb2b7d61655f1abf25950a884d1f0aeb4fc15fca53e561da69f6cb6b5d3394b34fb147716d799fb62b44debedcb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wH0yQ6yH.exe

Filesize
884KB

MD5
dbc61c1620b4e0e2c5beea77e0b91fb1

SHA1
1b26c8e33147b1374b812cf547188d6aea7b8c37

SHA256
b02db25c1b3b9a05d10f30a331c25152b060b2ff22911bcfd206adad08ee2626

SHA512
682d7490e0e5d32a71c3a66512d98b3964e98c4322c0ae295835d47950783643aacc74972ac8c2e35b9f0a5982221f984fd82cefb68619de788f116605040201

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wH0yQ6yH.exe

Filesize
884KB

MD5
dbc61c1620b4e0e2c5beea77e0b91fb1

SHA1
1b26c8e33147b1374b812cf547188d6aea7b8c37

SHA256
b02db25c1b3b9a05d10f30a331c25152b060b2ff22911bcfd206adad08ee2626

SHA512
682d7490e0e5d32a71c3a66512d98b3964e98c4322c0ae295835d47950783643aacc74972ac8c2e35b9f0a5982221f984fd82cefb68619de788f116605040201

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK5ar5Qx.exe

Filesize
590KB

MD5
0f795888d25061eac211b0ec6707442a

SHA1
b47900848815444ddd6236450767462041c9aba0

SHA256
0887d0bfa0f6b3a824effa2e63e153a73670938639e919eca2ed3037211923af

SHA512
f905ccec953afdd35a771d42ec28d9857fd1ccf656dff88a3f581da02cc23128fa26b7a7b01039b1d28ae49cbec4c803f17d7bc275ffd6b8b99fb372c95ac5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JK5ar5Qx.exe

Filesize
590KB

MD5
0f795888d25061eac211b0ec6707442a

SHA1
b47900848815444ddd6236450767462041c9aba0

SHA256
0887d0bfa0f6b3a824effa2e63e153a73670938639e919eca2ed3037211923af

SHA512
f905ccec953afdd35a771d42ec28d9857fd1ccf656dff88a3f581da02cc23128fa26b7a7b01039b1d28ae49cbec4c803f17d7bc275ffd6b8b99fb372c95ac5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JW8np8Io.exe

Filesize
417KB

MD5
9452f6996fc008394e3b6e5e95143d46

SHA1
6f6da4b78d7baf873756db3f300d996dba5a5fc9

SHA256
5b87b521525969d8db8c1bc4f1a6007f7bc2647323ee1dfd886be8433f9155bb

SHA512
380bbcb3c7ee75dfd8b5f4e51dd3d0135e987d5204195e6ab79e25885b75b78f9a6a0a82771559789dda7aae09e5125818bf0265a421668b8d3abdb504d3cd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JW8np8Io.exe

Filesize
417KB

MD5
9452f6996fc008394e3b6e5e95143d46

SHA1
6f6da4b78d7baf873756db3f300d996dba5a5fc9

SHA256
5b87b521525969d8db8c1bc4f1a6007f7bc2647323ee1dfd886be8433f9155bb

SHA512
380bbcb3c7ee75dfd8b5f4e51dd3d0135e987d5204195e6ab79e25885b75b78f9a6a0a82771559789dda7aae09e5125818bf0265a421668b8d3abdb504d3cd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bo01qJ0.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bo01qJ0.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
memory/4780-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4780-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4780-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4780-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads