mystic | 759d23760669d22e7948296c9ede99813d5026b36ec8c2f77d00444a1dddc486

Analysis

max time kernel
122s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
07/10/2023, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

759d23760669d22e7948296c9ede99813d5026b36ec8c2f77d00444a1dddc486.exe
Size

1.6MB
MD5

91f35215afd36231ea8df896ad364ea7
SHA1

22d64dad308d21036573d26e345bd4b7dd8baa45
SHA256

759d23760669d22e7948296c9ede99813d5026b36ec8c2f77d00444a1dddc486
SHA512

e82846fee08991080d0c3150521726e0a823eac9603aec698525ef26c98b0bf38fe37f365ca3ff00259c87d56b74d8e4086b295a887743294a9f74e701e52e8e
SSDEEP

24576:nyG0iaGESwwy4OMn2QNqSfg9/oQoe8RS8xMK2a34UMnIDlJUhtMN:yGfdEnwy4O6Nqb9/foeqS8CNUMneW

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3636-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3636-38-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3636-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3636-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
2888	NT7bp1IC.exe
2548	qz2as3Tn.exe
4248	ND9lm7Jk.exe
4452	pX8ra1ZR.exe
4920	1CX25YF9.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NT7bp1IC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qz2as3Tn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ND9lm7Jk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	pX8ra1ZR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	759d23760669d22e7948296c9ede99813d5026b36ec8c2f77d00444a1dddc486.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 3636	4920	1CX25YF9.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4672	4920	WerFault.exe	73
4288	3636	WerFault.exe	75

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2888	212	759d23760669d22e7948296c9ede99813d5026b36ec8c2f77d00444a1dddc486.exe	69
PID 212 wrote to memory of 2888	212	759d23760669d22e7948296c9ede99813d5026b36ec8c2f77d00444a1dddc486.exe	69
PID 212 wrote to memory of 2888	212	759d23760669d22e7948296c9ede99813d5026b36ec8c2f77d00444a1dddc486.exe	69
PID 2888 wrote to memory of 2548	2888	NT7bp1IC.exe	70
PID 2888 wrote to memory of 2548	2888	NT7bp1IC.exe	70
PID 2888 wrote to memory of 2548	2888	NT7bp1IC.exe	70
PID 2548 wrote to memory of 4248	2548	qz2as3Tn.exe	71
PID 2548 wrote to memory of 4248	2548	qz2as3Tn.exe	71
PID 2548 wrote to memory of 4248	2548	qz2as3Tn.exe	71
PID 4248 wrote to memory of 4452	4248	ND9lm7Jk.exe	72
PID 4248 wrote to memory of 4452	4248	ND9lm7Jk.exe	72
PID 4248 wrote to memory of 4452	4248	ND9lm7Jk.exe	72
PID 4452 wrote to memory of 4920	4452	pX8ra1ZR.exe	73
PID 4452 wrote to memory of 4920	4452	pX8ra1ZR.exe	73
PID 4452 wrote to memory of 4920	4452	pX8ra1ZR.exe	73
PID 4920 wrote to memory of 3636	4920	1CX25YF9.exe	75
PID 4920 wrote to memory of 3636	4920	1CX25YF9.exe	75
PID 4920 wrote to memory of 3636	4920	1CX25YF9.exe	75
PID 4920 wrote to memory of 3636	4920	1CX25YF9.exe	75
PID 4920 wrote to memory of 3636	4920	1CX25YF9.exe	75
PID 4920 wrote to memory of 3636	4920	1CX25YF9.exe	75
PID 4920 wrote to memory of 3636	4920	1CX25YF9.exe	75
PID 4920 wrote to memory of 3636	4920	1CX25YF9.exe	75
PID 4920 wrote to memory of 3636	4920	1CX25YF9.exe	75
PID 4920 wrote to memory of 3636	4920	1CX25YF9.exe	75

C:\Users\Admin\AppData\Local\Temp\759d23760669d22e7948296c9ede99813d5026b36ec8c2f77d00444a1dddc486.exe
"C:\Users\Admin\AppData\Local\Temp\759d23760669d22e7948296c9ede99813d5026b36ec8c2f77d00444a1dddc486.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NT7bp1IC.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NT7bp1IC.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qz2as3Tn.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qz2as3Tn.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ND9lm7Jk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ND9lm7Jk.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pX8ra1ZR.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pX8ra1ZR.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CX25YF9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CX25YF9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 568
        8⤵
        Program crash
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 584
        7⤵
        Program crash
        
        PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NT7bp1IC.exe

Filesize
1.5MB

MD5
37809490c0fd7011a23d1c2394e9194f

SHA1
28cdf7cd30f06fa37bf375f903777751309ee843

SHA256
f68bbbdc9bd3b3e9c99ed4509fe3db62106758c0b91cfcef7124c98934d31009

SHA512
72a1efe902a4536c8ac316597d5d6496d3b4e19f43b9cb043d5a39171746c305cba250c4a8f0ac023c3381753545b081824404c7143b96046c1e0f7eda299382

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NT7bp1IC.exe

Filesize
1.5MB

MD5
37809490c0fd7011a23d1c2394e9194f

SHA1
28cdf7cd30f06fa37bf375f903777751309ee843

SHA256
f68bbbdc9bd3b3e9c99ed4509fe3db62106758c0b91cfcef7124c98934d31009

SHA512
72a1efe902a4536c8ac316597d5d6496d3b4e19f43b9cb043d5a39171746c305cba250c4a8f0ac023c3381753545b081824404c7143b96046c1e0f7eda299382

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qz2as3Tn.exe

Filesize
1.3MB

MD5
b1a58d50353f90c9c68e863d27bd35ef

SHA1
6f11f1cca87c6c778e3b7f233ec0dbf05a2b7f00

SHA256
df4dc714ea7bea1fdf7b77c28a898dec663041e02978a974e0d7f62199a71bc9

SHA512
b86660574ea9ede5f82fdcb92303898e6f43ce301992b51eceeadef554dfab40e9670e1d335a14571292622136a1adeef2c2dce7272ebd69f370361bcb2126ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qz2as3Tn.exe

Filesize
1.3MB

MD5
b1a58d50353f90c9c68e863d27bd35ef

SHA1
6f11f1cca87c6c778e3b7f233ec0dbf05a2b7f00

SHA256
df4dc714ea7bea1fdf7b77c28a898dec663041e02978a974e0d7f62199a71bc9

SHA512
b86660574ea9ede5f82fdcb92303898e6f43ce301992b51eceeadef554dfab40e9670e1d335a14571292622136a1adeef2c2dce7272ebd69f370361bcb2126ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ND9lm7Jk.exe

Filesize
818KB

MD5
8e2b24afb12bcbc4f0ad7059d92be479

SHA1
ae20223ddbde82d58c47a43c66b897d950508a9b

SHA256
63c1e13995bf8953a233968457d285f6a2d286f94069cc852704d22fdcce934e

SHA512
d6ce277d8d30494f7f8c339c81ac9d77105d1da664c2e6dc7d78e102d432499c84a0ca344abefcc736d4fe87a5daa243561f7e45e81a9ba46ed1df77679da507

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ND9lm7Jk.exe

Filesize
818KB

MD5
8e2b24afb12bcbc4f0ad7059d92be479

SHA1
ae20223ddbde82d58c47a43c66b897d950508a9b

SHA256
63c1e13995bf8953a233968457d285f6a2d286f94069cc852704d22fdcce934e

SHA512
d6ce277d8d30494f7f8c339c81ac9d77105d1da664c2e6dc7d78e102d432499c84a0ca344abefcc736d4fe87a5daa243561f7e45e81a9ba46ed1df77679da507

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pX8ra1ZR.exe

Filesize
645KB

MD5
33be96a9f967ffad3e715553b49dc489

SHA1
a84855b1526e0bbe149e1bf190f68c54dfaf3957

SHA256
350b9cb73fb57f38934122a92265ec8756e7e5244902898f9de98baa19e4333b

SHA512
e87fc671dedee2040f8538ff3d60fd79cd06bf94468f953025f8304031b49c4eeab6a5c70307fd67cc732cd9e030b6ffb574365288995ec2feaf5e6f93810de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pX8ra1ZR.exe

Filesize
645KB

MD5
33be96a9f967ffad3e715553b49dc489

SHA1
a84855b1526e0bbe149e1bf190f68c54dfaf3957

SHA256
350b9cb73fb57f38934122a92265ec8756e7e5244902898f9de98baa19e4333b

SHA512
e87fc671dedee2040f8538ff3d60fd79cd06bf94468f953025f8304031b49c4eeab6a5c70307fd67cc732cd9e030b6ffb574365288995ec2feaf5e6f93810de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CX25YF9.exe

Filesize
1.8MB

MD5
79d0c1fb0e5b557ec04bac89f3bbeee1

SHA1
51593b60547820c9576162268c6092c6a85fb7ca

SHA256
734828791683778403782dcfa2df329ed2b64ec8537578a0b3c079c4b245d607

SHA512
ac590f39d4e3c1151efc18757d9c421d9534f8f631dbce80c85a44343ccf9b765d8057ddd4cde4c79045acbc2c8af2bc13f4c00a3dc574916804cca181190d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CX25YF9.exe

Filesize
1.8MB

MD5
79d0c1fb0e5b557ec04bac89f3bbeee1

SHA1
51593b60547820c9576162268c6092c6a85fb7ca

SHA256
734828791683778403782dcfa2df329ed2b64ec8537578a0b3c079c4b245d607

SHA512
ac590f39d4e3c1151efc18757d9c421d9534f8f631dbce80c85a44343ccf9b765d8057ddd4cde4c79045acbc2c8af2bc13f4c00a3dc574916804cca181190d57

Download Submit
memory/3636-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3636-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3636-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3636-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads