mystic | c802e1c66f8a92f9af63b8dadd61c3b01b681046710b00e891c9717a85f1dbb9

Analysis

max time kernel
70s
max time network
82s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
07-10-2023 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c802e1c66f8a92f9af63b8dadd61c3b01b681046710b00e891c9717a85f1dbb9.exe
Size

1.2MB
MD5

c68dfd5894d92367d2141781dab89968
SHA1

ee4833b833e75d41e8e4b8704b44b7f2200c89b6
SHA256

c802e1c66f8a92f9af63b8dadd61c3b01b681046710b00e891c9717a85f1dbb9
SHA512

6facc49c6126135b5322232eb646f71a5c0e0e8ad58ff99227499164fa776d43c0de85f8d6d04494ca81aadecb40bf30cd8d2f2124474404e666c58f1bd89d6a
SSDEEP

24576:Py/GCieQaYtH+wU/8RVf3nmvQToxkidwz8TSdhprThdwTs:a/GCNQaYV+j/8/mvXkidVGTprS

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3256-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3256-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3256-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3256-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
4464	eF4eL7GO.exe
3488	PH7nV4ML.exe
1564	Ce9kw3Ll.exe
4944	Ol5ly2oO.exe
1776	1nR38tk8.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c802e1c66f8a92f9af63b8dadd61c3b01b681046710b00e891c9717a85f1dbb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	eF4eL7GO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	PH7nV4ML.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ce9kw3Ll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ol5ly2oO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 3256	1776	1nR38tk8.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3616	1776	WerFault.exe	74
3700	3256	WerFault.exe	77

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 4464	792	c802e1c66f8a92f9af63b8dadd61c3b01b681046710b00e891c9717a85f1dbb9.exe	70
PID 792 wrote to memory of 4464	792	c802e1c66f8a92f9af63b8dadd61c3b01b681046710b00e891c9717a85f1dbb9.exe	70
PID 792 wrote to memory of 4464	792	c802e1c66f8a92f9af63b8dadd61c3b01b681046710b00e891c9717a85f1dbb9.exe	70
PID 4464 wrote to memory of 3488	4464	eF4eL7GO.exe	71
PID 4464 wrote to memory of 3488	4464	eF4eL7GO.exe	71
PID 4464 wrote to memory of 3488	4464	eF4eL7GO.exe	71
PID 3488 wrote to memory of 1564	3488	PH7nV4ML.exe	72
PID 3488 wrote to memory of 1564	3488	PH7nV4ML.exe	72
PID 3488 wrote to memory of 1564	3488	PH7nV4ML.exe	72
PID 1564 wrote to memory of 4944	1564	Ce9kw3Ll.exe	73
PID 1564 wrote to memory of 4944	1564	Ce9kw3Ll.exe	73
PID 1564 wrote to memory of 4944	1564	Ce9kw3Ll.exe	73
PID 4944 wrote to memory of 1776	4944	Ol5ly2oO.exe	74
PID 4944 wrote to memory of 1776	4944	Ol5ly2oO.exe	74
PID 4944 wrote to memory of 1776	4944	Ol5ly2oO.exe	74
PID 1776 wrote to memory of 4760	1776	1nR38tk8.exe	76
PID 1776 wrote to memory of 4760	1776	1nR38tk8.exe	76
PID 1776 wrote to memory of 4760	1776	1nR38tk8.exe	76
PID 1776 wrote to memory of 3256	1776	1nR38tk8.exe	77
PID 1776 wrote to memory of 3256	1776	1nR38tk8.exe	77
PID 1776 wrote to memory of 3256	1776	1nR38tk8.exe	77
PID 1776 wrote to memory of 3256	1776	1nR38tk8.exe	77
PID 1776 wrote to memory of 3256	1776	1nR38tk8.exe	77
PID 1776 wrote to memory of 3256	1776	1nR38tk8.exe	77
PID 1776 wrote to memory of 3256	1776	1nR38tk8.exe	77
PID 1776 wrote to memory of 3256	1776	1nR38tk8.exe	77
PID 1776 wrote to memory of 3256	1776	1nR38tk8.exe	77
PID 1776 wrote to memory of 3256	1776	1nR38tk8.exe	77

C:\Users\Admin\AppData\Local\Temp\c802e1c66f8a92f9af63b8dadd61c3b01b681046710b00e891c9717a85f1dbb9.exe
"C:\Users\Admin\AppData\Local\Temp\c802e1c66f8a92f9af63b8dadd61c3b01b681046710b00e891c9717a85f1dbb9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eF4eL7GO.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eF4eL7GO.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PH7nV4ML.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PH7nV4ML.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ce9kw3Ll.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ce9kw3Ll.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ol5ly2oO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ol5ly2oO.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4944
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nR38tk8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nR38tk8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 568
        8⤵
        Program crash
        
        PID:3700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 604
        7⤵
        Program crash
        
        PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eF4eL7GO.exe

Filesize
1.0MB

MD5
9e1b27121d867cdedd1b84d233a7562c

SHA1
4d640dca345377ddb7028116999f7feb7016cb3a

SHA256
04dd7eb73604f64e7cab06c4def1811eb5997a723c28010292bd989ee1d4b6a3

SHA512
72c1b30407581c1cbfe075a8b6ce40086b794282ce92aaffea79ed4339c05444ab2deee822cdc0a95bc21705d8dc98633f8d40c6004778714eb7a1d8c63563cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eF4eL7GO.exe

Filesize
1.0MB

MD5
9e1b27121d867cdedd1b84d233a7562c

SHA1
4d640dca345377ddb7028116999f7feb7016cb3a

SHA256
04dd7eb73604f64e7cab06c4def1811eb5997a723c28010292bd989ee1d4b6a3

SHA512
72c1b30407581c1cbfe075a8b6ce40086b794282ce92aaffea79ed4339c05444ab2deee822cdc0a95bc21705d8dc98633f8d40c6004778714eb7a1d8c63563cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PH7nV4ML.exe

Filesize
879KB

MD5
c52ebb5b16db12ed4270f0188d2181ac

SHA1
7ba27021b4695f27ac96f0b56238f393f8a077dc

SHA256
533f6292ce2fd57d09bfb90cb08803f301fe3efaeb735f7200abc76a46bf11ed

SHA512
efe69e252fdbe1324a6853a2e8a748a783b3ee08ceca89bc1b1331131418308a283b487fd55ea12420c81d65fde5e6b762d4bd25265a93fbb9bc3f79432558f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PH7nV4ML.exe

Filesize
879KB

MD5
c52ebb5b16db12ed4270f0188d2181ac

SHA1
7ba27021b4695f27ac96f0b56238f393f8a077dc

SHA256
533f6292ce2fd57d09bfb90cb08803f301fe3efaeb735f7200abc76a46bf11ed

SHA512
efe69e252fdbe1324a6853a2e8a748a783b3ee08ceca89bc1b1331131418308a283b487fd55ea12420c81d65fde5e6b762d4bd25265a93fbb9bc3f79432558f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ce9kw3Ll.exe

Filesize
585KB

MD5
e8154836337641f9b0de7b5f7dc55d61

SHA1
474dc0e12d0494e35c7365765e7de22609de34f1

SHA256
bfdea477c10672c986bdaa6983fa1b7cf67b51b55e18778414492d359c7c0b51

SHA512
3e78587d0e67cd56f9d32d8785aeddbbae00e91afb29263b609db5afd051358eebf8f5a56d9f8d1233f1b050b02fbcd623da87fa7e3d5de29da744a3c860f8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ce9kw3Ll.exe

Filesize
585KB

MD5
e8154836337641f9b0de7b5f7dc55d61

SHA1
474dc0e12d0494e35c7365765e7de22609de34f1

SHA256
bfdea477c10672c986bdaa6983fa1b7cf67b51b55e18778414492d359c7c0b51

SHA512
3e78587d0e67cd56f9d32d8785aeddbbae00e91afb29263b609db5afd051358eebf8f5a56d9f8d1233f1b050b02fbcd623da87fa7e3d5de29da744a3c860f8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ol5ly2oO.exe

Filesize
413KB

MD5
a25de030cedce05264cd286b024c7008

SHA1
ef1cd0aed9e40551981fe02691adddc0e7da4be6

SHA256
128980c5e27dd1b3ecacdd3d6b6a57c7b50ef399aff62678f5eabb5639d626e3

SHA512
324618b721ef1fee1eb0a1ddfb3142931c1ee8f8ea5ef1945545322b699789ac04140837c71a9f34f23cd391cf4dd866180c659a46da4d02eb4daf49d87ad588

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ol5ly2oO.exe

Filesize
413KB

MD5
a25de030cedce05264cd286b024c7008

SHA1
ef1cd0aed9e40551981fe02691adddc0e7da4be6

SHA256
128980c5e27dd1b3ecacdd3d6b6a57c7b50ef399aff62678f5eabb5639d626e3

SHA512
324618b721ef1fee1eb0a1ddfb3142931c1ee8f8ea5ef1945545322b699789ac04140837c71a9f34f23cd391cf4dd866180c659a46da4d02eb4daf49d87ad588

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nR38tk8.exe

Filesize
378KB

MD5
598cc26e246e2f1e0e6d602adaffaa4d

SHA1
711c0d7431c61eaab172f9d748a16c5c970353a3

SHA256
48884b0d82b5081bec8ba81058bd15c3c162a94ff47deb4435110fb405c35832

SHA512
6109803a0b52628b142cb09b7a479f4681a3584dda036386bb6a76883b287a589a9928fef369cb5c6df3ea4c25f8e1c0475e22f5bd152d30d7295d82fea8443f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nR38tk8.exe

Filesize
378KB

MD5
598cc26e246e2f1e0e6d602adaffaa4d

SHA1
711c0d7431c61eaab172f9d748a16c5c970353a3

SHA256
48884b0d82b5081bec8ba81058bd15c3c162a94ff47deb4435110fb405c35832

SHA512
6109803a0b52628b142cb09b7a479f4681a3584dda036386bb6a76883b287a589a9928fef369cb5c6df3ea4c25f8e1c0475e22f5bd152d30d7295d82fea8443f

Download Submit
memory/3256-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3256-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3256-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3256-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads