mystic | bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e

Analysis

max time kernel
122s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 12:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe
Size

379KB
MD5

e04d14cd921c4d462ddafc16c1cddee2
SHA1

5b110b7263ad4736fb8ddb35c731e16802e47ffe
SHA256

bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e
SHA512

2be3c3612236eee06d3645dc230fc947b8d53e8f2d57114cb03d82fafdb20f09720c1cd13101b2f3b68d34c15f8ce1056f3a357f57bf53a81581f37e63117945
SSDEEP

6144:HEAZcRgs3r9vIum2Tg0N63KAORXqfQVW98ngsr9AlK51Qtosg3F:HE5RP3r9HmebafYWarew1Qti3F

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2344-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2344-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2344-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2344-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2344-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2344-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2668	1272	WerFault.exe	27
2732	2344	WerFault.exe	29

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2208	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	28
PID 1272 wrote to memory of 2208	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	28
PID 1272 wrote to memory of 2208	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	28
PID 1272 wrote to memory of 2208	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	28
PID 1272 wrote to memory of 2208	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	28
PID 1272 wrote to memory of 2208	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	28
PID 1272 wrote to memory of 2208	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	28
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2344	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	29
PID 1272 wrote to memory of 2668	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	30
PID 1272 wrote to memory of 2668	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	30
PID 1272 wrote to memory of 2668	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	30
PID 1272 wrote to memory of 2668	1272	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	30
PID 2344 wrote to memory of 2732	2344	AppLaunch.exe	31
PID 2344 wrote to memory of 2732	2344	AppLaunch.exe	31
PID 2344 wrote to memory of 2732	2344	AppLaunch.exe	31
PID 2344 wrote to memory of 2732	2344	AppLaunch.exe	31
PID 2344 wrote to memory of 2732	2344	AppLaunch.exe	31
PID 2344 wrote to memory of 2732	2344	AppLaunch.exe	31
PID 2344 wrote to memory of 2732	2344	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe
"C:\Users\Admin\AppData\Local\Temp\bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 196
    3⤵
    - Program crash
    PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 100
  2⤵
  - Program crash
  PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2344-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2344-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2344-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2344-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2344-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2344-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2344-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2344-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2344-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2344-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads