mystic | 06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1

General

Target

06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe
Size

276KB
MD5

979fb20cae68f7eccad77840539aa8dd
SHA1

e52f6ba035369549edffe875ccc9ec16f2df1c05
SHA256

06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1
SHA512

35f110b941f412ce8ae2698e55a6d73d2157d531568da89b30f3379a21371f6fc299ae0da8d0a05bcb74ea39c293e20b90cef52e7ce2b848d4c63296518979d3
SSDEEP

6144:Wh4YKajWpVP06PmjpfTdqGTIopE5mVHrj:W7KajWijpfTI6nE5kj

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/1280-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1280-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1280-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1280-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1280-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1280-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1200 set thread context of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1736	1200	WerFault.exe	27
3044	1280	WerFault.exe	29

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1280	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	29
PID 1200 wrote to memory of 1736	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	30
PID 1200 wrote to memory of 1736	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	30
PID 1200 wrote to memory of 1736	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	30
PID 1200 wrote to memory of 1736	1200	06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe	30
PID 1280 wrote to memory of 3044	1280	AppLaunch.exe	31
PID 1280 wrote to memory of 3044	1280	AppLaunch.exe	31
PID 1280 wrote to memory of 3044	1280	AppLaunch.exe	31
PID 1280 wrote to memory of 3044	1280	AppLaunch.exe	31
PID 1280 wrote to memory of 3044	1280	AppLaunch.exe	31
PID 1280 wrote to memory of 3044	1280	AppLaunch.exe	31
PID 1280 wrote to memory of 3044	1280	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe
"C:\Users\Admin\AppData\Local\Temp\06993048d5fa831ed9988ecd5f8eeb0b901a8e96fe33fd166fd282782cda70e1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 196
    3⤵
    - Program crash
    PID:3044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 68
  2⤵
  - Program crash
  PID:1736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1280-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1280-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1280-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads