mystic | ec899066f95a987847b84861ef619f96bec5fd822c5c866af5699987d3d23a02

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x4223126.exe
Size

509KB
MD5

b993f23e7347015a9c19aeea5d39c192
SHA1

b15089ae8da45a4de0e548fb99e9d465fac6abe1
SHA256

ec899066f95a987847b84861ef619f96bec5fd822c5c866af5699987d3d23a02
SHA512

520f873975310d8a3fe73dac6b1d200a1ada6c7646300fff0ab26a90cd97c7c7ae2f9a7e9f403216a1d2188fac72853e81d2669413c922b8f1b5e724f5ec4669
SSDEEP

12288:6MrHy90KGSJPlGkDMo8QAjvGq4MsQ2XY65rKJ6x9ziZw7w:typxlG33Rjk4T68wHzFw

Score

10^/10

mystic persistence stealer

Malware Config

Extracted

Family

mystic

http://5.42.92.211/loghub/master

Signatures

Detect Mystic stealer payload 8 IoCs

resource	yara_rule
behavioral1/memory/1980-19-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1980-23-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1980-21-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1980-26-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1980-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1980-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1980-31-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1980-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 1 IoCs

pid	Process
2232	g8376858.exe

Loads dropped DLL 7 IoCs

pid	Process
2016	x4223126.exe
2016	x4223126.exe
2232	g8376858.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x4223126.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 1980	2232	g8376858.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2880	2232	WerFault.exe	28

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2232	2016	x4223126.exe	28
PID 2016 wrote to memory of 2232	2016	x4223126.exe	28
PID 2016 wrote to memory of 2232	2016	x4223126.exe	28
PID 2016 wrote to memory of 2232	2016	x4223126.exe	28
PID 2016 wrote to memory of 2232	2016	x4223126.exe	28
PID 2016 wrote to memory of 2232	2016	x4223126.exe	28
PID 2016 wrote to memory of 2232	2016	x4223126.exe	28
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 1980	2232	g8376858.exe	30
PID 2232 wrote to memory of 2880	2232	g8376858.exe	31
PID 2232 wrote to memory of 2880	2232	g8376858.exe	31
PID 2232 wrote to memory of 2880	2232	g8376858.exe	31
PID 2232 wrote to memory of 2880	2232	g8376858.exe	31
PID 2232 wrote to memory of 2880	2232	g8376858.exe	31
PID 2232 wrote to memory of 2880	2232	g8376858.exe	31
PID 2232 wrote to memory of 2880	2232	g8376858.exe	31

C:\Users\Admin\AppData\Local\Temp\x4223126.exe
"C:\Users\Admin\AppData\Local\Temp\x4223126.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 268
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
memory/1980-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1980-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-26-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-19-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1980-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads