mystic | 3d5e19bb476f94f089702548a0995704cb530363dcd49e8f5a05e78645698973

Analysis

max time kernel
190s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d5e19bb476f94f089702548a0995704cb530363dcd49e8f5a05e78645698973.exe
Size

942KB
MD5

5e24d68c1ffd39affe7061e59a8a583c
SHA1

8422a179fe6090389a3014eceb351e5153a673c8
SHA256

3d5e19bb476f94f089702548a0995704cb530363dcd49e8f5a05e78645698973
SHA512

b17fd556fe0121429ba261e80c29a8d8e9a7a1180cc68ca2909162bba7eaa444fa6b1c2d0c74e70ccee75b3da71e818d55af64a4c6dcf909fa45f52480111c84
SSDEEP

24576:8yvXgJUdpAqUcHo7YzzGawjiYe7rbNu6ByL4W:rvQJUvAdgzVbzNu68

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1360-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1360-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1360-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1360-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 4 IoCs

pid	Process
2032	x4102823.exe
3704	x3620296.exe
1832	x5443075.exe
2852	g0409876.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3620296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5443075.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3d5e19bb476f94f089702548a0995704cb530363dcd49e8f5a05e78645698973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4102823.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 1360	2852	g0409876.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2756	1360	WerFault.exe	93
2264	2852	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 2032	8	3d5e19bb476f94f089702548a0995704cb530363dcd49e8f5a05e78645698973.exe	86
PID 8 wrote to memory of 2032	8	3d5e19bb476f94f089702548a0995704cb530363dcd49e8f5a05e78645698973.exe	86
PID 8 wrote to memory of 2032	8	3d5e19bb476f94f089702548a0995704cb530363dcd49e8f5a05e78645698973.exe	86
PID 2032 wrote to memory of 3704	2032	x4102823.exe	87
PID 2032 wrote to memory of 3704	2032	x4102823.exe	87
PID 2032 wrote to memory of 3704	2032	x4102823.exe	87
PID 3704 wrote to memory of 1832	3704	x3620296.exe	89
PID 3704 wrote to memory of 1832	3704	x3620296.exe	89
PID 3704 wrote to memory of 1832	3704	x3620296.exe	89
PID 1832 wrote to memory of 2852	1832	x5443075.exe	90
PID 1832 wrote to memory of 2852	1832	x5443075.exe	90
PID 1832 wrote to memory of 2852	1832	x5443075.exe	90
PID 2852 wrote to memory of 396	2852	g0409876.exe	91
PID 2852 wrote to memory of 396	2852	g0409876.exe	91
PID 2852 wrote to memory of 396	2852	g0409876.exe	91
PID 2852 wrote to memory of 900	2852	g0409876.exe	92
PID 2852 wrote to memory of 900	2852	g0409876.exe	92
PID 2852 wrote to memory of 900	2852	g0409876.exe	92
PID 2852 wrote to memory of 1360	2852	g0409876.exe	93
PID 2852 wrote to memory of 1360	2852	g0409876.exe	93
PID 2852 wrote to memory of 1360	2852	g0409876.exe	93
PID 2852 wrote to memory of 1360	2852	g0409876.exe	93
PID 2852 wrote to memory of 1360	2852	g0409876.exe	93
PID 2852 wrote to memory of 1360	2852	g0409876.exe	93
PID 2852 wrote to memory of 1360	2852	g0409876.exe	93
PID 2852 wrote to memory of 1360	2852	g0409876.exe	93
PID 2852 wrote to memory of 1360	2852	g0409876.exe	93
PID 2852 wrote to memory of 1360	2852	g0409876.exe	93

C:\Users\Admin\AppData\Local\Temp\3d5e19bb476f94f089702548a0995704cb530363dcd49e8f5a05e78645698973.exe
"C:\Users\Admin\AppData\Local\Temp\3d5e19bb476f94f089702548a0995704cb530363dcd49e8f5a05e78645698973.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4102823.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4102823.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3620296.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3620296.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5443075.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5443075.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0409876.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0409876.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:396
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:900
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 540
        7⤵
        Program crash
        
        PID:2756
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 604
        6⤵
        Program crash
        
        PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2852 -ip 2852
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1360 -ip 1360
1⤵
PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4102823.exe

Filesize
839KB

MD5
1c5c115095a5146c9313a16b69c070d3

SHA1
a0da0f651de5016e2e5503d689b4cfe1dbdb9e23

SHA256
c4fccbfbe584a349873e3096d36d8717d6393b3bc6bfe1e70649e8b1df5a0406

SHA512
3541d597531a544e6795559246b07db293c7b57e4b1dc81ed076ad85bec5e8663a85bc1bf62d1d04d6afbd0d97b263534cfe8ac747425ff27489127d75c9d9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4102823.exe

Filesize
839KB

MD5
1c5c115095a5146c9313a16b69c070d3

SHA1
a0da0f651de5016e2e5503d689b4cfe1dbdb9e23

SHA256
c4fccbfbe584a349873e3096d36d8717d6393b3bc6bfe1e70649e8b1df5a0406

SHA512
3541d597531a544e6795559246b07db293c7b57e4b1dc81ed076ad85bec5e8663a85bc1bf62d1d04d6afbd0d97b263534cfe8ac747425ff27489127d75c9d9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3620296.exe

Filesize
561KB

MD5
e843171c60655be4097558beae38e99f

SHA1
2075f84cface9a01d8868077b2abee4ff3ab78a0

SHA256
5c8d632f10ddc409d52c3d43de4829a21181e041905b7d1f1b431a763a4ba9a9

SHA512
c0058a67ee03c7ec8cc37ad6b4cdc62a1a8a73f281c951591dd6bce316cd4c7a98af566e7515b72670fdc2cfc3cd0df4e7f9675887eab5b582836f8096c08079

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3620296.exe

Filesize
561KB

MD5
e843171c60655be4097558beae38e99f

SHA1
2075f84cface9a01d8868077b2abee4ff3ab78a0

SHA256
5c8d632f10ddc409d52c3d43de4829a21181e041905b7d1f1b431a763a4ba9a9

SHA512
c0058a67ee03c7ec8cc37ad6b4cdc62a1a8a73f281c951591dd6bce316cd4c7a98af566e7515b72670fdc2cfc3cd0df4e7f9675887eab5b582836f8096c08079

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5443075.exe

Filesize
396KB

MD5
4161b575688122e1d631d3d03008db9a

SHA1
5afcc20df1beb4f88976293b642980e1c0d2c910

SHA256
8eaf0595c01be220e39739fc1be87a05db39ba61ce61b7a9c4f3f3c20fa7d7a5

SHA512
1084e42487f8e5ba3e2e61960ce93230fcb10e3412d0b7737f809e7c46525cdd00b05b2b8aa097c323f3744daa0cd1b67bef063df5b0739fb0e7636e6ad0df30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5443075.exe

Filesize
396KB

MD5
4161b575688122e1d631d3d03008db9a

SHA1
5afcc20df1beb4f88976293b642980e1c0d2c910

SHA256
8eaf0595c01be220e39739fc1be87a05db39ba61ce61b7a9c4f3f3c20fa7d7a5

SHA512
1084e42487f8e5ba3e2e61960ce93230fcb10e3412d0b7737f809e7c46525cdd00b05b2b8aa097c323f3744daa0cd1b67bef063df5b0739fb0e7636e6ad0df30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0409876.exe

Filesize
379KB

MD5
b3f56a9c6ea9eb38673eba0f9678b4ec

SHA1
38e16997b4c12572a6bf1648101d63a7abad1468

SHA256
be5f49c6766f12148090e624d69c909232dfc0963c856b164e25149c48f529d8

SHA512
fe385ba656e6ba3abc0dbef163da48c4959e3972d603f50c561b2ef1c7a63132b23c680f4aa5a21510d89e1a183cd1de726da83c0780f180e42e5c99f381aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0409876.exe

Filesize
379KB

MD5
b3f56a9c6ea9eb38673eba0f9678b4ec

SHA1
38e16997b4c12572a6bf1648101d63a7abad1468

SHA256
be5f49c6766f12148090e624d69c909232dfc0963c856b164e25149c48f529d8

SHA512
fe385ba656e6ba3abc0dbef163da48c4959e3972d603f50c561b2ef1c7a63132b23c680f4aa5a21510d89e1a183cd1de726da83c0780f180e42e5c99f381aed6

Download Submit
memory/1360-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1360-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1360-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1360-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads