mystic | fa0d42217544477d6567a594d847f81254321d9cecd8e325d95049d63b4188d0

Analysis

max time kernel
240s
max time network
286s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 15:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

x5418429.exe
Size

390KB
MD5

5f7985a9f521b6b691ecf1d2825d5415
SHA1

27fc9d81cc86d57ba6cfa4d962a891bf501bc256
SHA256

fa0d42217544477d6567a594d847f81254321d9cecd8e325d95049d63b4188d0
SHA512

9160c5260432ccdacd55df02fa4dd8c6c543d2337496c77fc097f7b7136a8050db9b47c28f9cb9d434af267d78e06660632853885b140b4537110bdd91477a8d
SSDEEP

6144:Kty+bnr+fp0yN90QE1Ayx1HjNbfdYi7V7+nZJio+ombv1U0tebEc5v5Kw:nMrvy90fnHpbfSi7VEuo/mbtUr4i5Kw

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2480-18-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2480-20-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2480-17-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2480-16-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2480-22-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2480-24-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 1 IoCs

pid	Process
2640	g0457560.exe

Loads dropped DLL 7 IoCs

pid	Process
2740	x5418429.exe
2740	x5418429.exe
2640	g0457560.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x5418429.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2640 set thread context of 2480	2640	g0457560.exe	28

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2960	2640	WerFault.exe	27
2520	2480	WerFault.exe	28

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2640	2740	x5418429.exe	27
PID 2740 wrote to memory of 2640	2740	x5418429.exe	27
PID 2740 wrote to memory of 2640	2740	x5418429.exe	27
PID 2740 wrote to memory of 2640	2740	x5418429.exe	27
PID 2740 wrote to memory of 2640	2740	x5418429.exe	27
PID 2740 wrote to memory of 2640	2740	x5418429.exe	27
PID 2740 wrote to memory of 2640	2740	x5418429.exe	27
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2480	2640	g0457560.exe	28
PID 2640 wrote to memory of 2960	2640	g0457560.exe	29
PID 2640 wrote to memory of 2960	2640	g0457560.exe	29
PID 2640 wrote to memory of 2960	2640	g0457560.exe	29
PID 2640 wrote to memory of 2960	2640	g0457560.exe	29
PID 2640 wrote to memory of 2960	2640	g0457560.exe	29
PID 2640 wrote to memory of 2960	2640	g0457560.exe	29
PID 2640 wrote to memory of 2960	2640	g0457560.exe	29
PID 2480 wrote to memory of 2520	2480	AppLaunch.exe	30
PID 2480 wrote to memory of 2520	2480	AppLaunch.exe	30
PID 2480 wrote to memory of 2520	2480	AppLaunch.exe	30
PID 2480 wrote to memory of 2520	2480	AppLaunch.exe	30
PID 2480 wrote to memory of 2520	2480	AppLaunch.exe	30
PID 2480 wrote to memory of 2520	2480	AppLaunch.exe	30
PID 2480 wrote to memory of 2520	2480	AppLaunch.exe	30

C:\Users\Admin\AppData\Local\Temp\x5418429.exe
"C:\Users\Admin\AppData\Local\Temp\x5418429.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 268
      4⤵
      Program crash
      PID:2520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 272
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe

Filesize
364KB

MD5
80665c8486ca3d2fc0638344337ae697

SHA1
99b28b10493310292696c221b41649be52db3308

SHA256
8628aafd49d2ac110e8e56e980aa67b9f1f6c2253bf13e231301dc14784bd5ae

SHA512
fef9bdda002ef7348788deeae1863fc1a790ae368edb5df6827916ba557b03670e08e999d04d77b08b37d437bad167b7979362a01721ae518c76a5c501c5cc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe

Filesize
364KB

MD5
80665c8486ca3d2fc0638344337ae697

SHA1
99b28b10493310292696c221b41649be52db3308

SHA256
8628aafd49d2ac110e8e56e980aa67b9f1f6c2253bf13e231301dc14784bd5ae

SHA512
fef9bdda002ef7348788deeae1863fc1a790ae368edb5df6827916ba557b03670e08e999d04d77b08b37d437bad167b7979362a01721ae518c76a5c501c5cc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe

Filesize
364KB

MD5
80665c8486ca3d2fc0638344337ae697

SHA1
99b28b10493310292696c221b41649be52db3308

SHA256
8628aafd49d2ac110e8e56e980aa67b9f1f6c2253bf13e231301dc14784bd5ae

SHA512
fef9bdda002ef7348788deeae1863fc1a790ae368edb5df6827916ba557b03670e08e999d04d77b08b37d437bad167b7979362a01721ae518c76a5c501c5cc69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe

Filesize
364KB

MD5
80665c8486ca3d2fc0638344337ae697

SHA1
99b28b10493310292696c221b41649be52db3308

SHA256
8628aafd49d2ac110e8e56e980aa67b9f1f6c2253bf13e231301dc14784bd5ae

SHA512
fef9bdda002ef7348788deeae1863fc1a790ae368edb5df6827916ba557b03670e08e999d04d77b08b37d437bad167b7979362a01721ae518c76a5c501c5cc69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe

Filesize
364KB

MD5
80665c8486ca3d2fc0638344337ae697

SHA1
99b28b10493310292696c221b41649be52db3308

SHA256
8628aafd49d2ac110e8e56e980aa67b9f1f6c2253bf13e231301dc14784bd5ae

SHA512
fef9bdda002ef7348788deeae1863fc1a790ae368edb5df6827916ba557b03670e08e999d04d77b08b37d437bad167b7979362a01721ae518c76a5c501c5cc69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe

Filesize
364KB

MD5
80665c8486ca3d2fc0638344337ae697

SHA1
99b28b10493310292696c221b41649be52db3308

SHA256
8628aafd49d2ac110e8e56e980aa67b9f1f6c2253bf13e231301dc14784bd5ae

SHA512
fef9bdda002ef7348788deeae1863fc1a790ae368edb5df6827916ba557b03670e08e999d04d77b08b37d437bad167b7979362a01721ae518c76a5c501c5cc69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe

Filesize
364KB

MD5
80665c8486ca3d2fc0638344337ae697

SHA1
99b28b10493310292696c221b41649be52db3308

SHA256
8628aafd49d2ac110e8e56e980aa67b9f1f6c2253bf13e231301dc14784bd5ae

SHA512
fef9bdda002ef7348788deeae1863fc1a790ae368edb5df6827916ba557b03670e08e999d04d77b08b37d437bad167b7979362a01721ae518c76a5c501c5cc69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe

Filesize
364KB

MD5
80665c8486ca3d2fc0638344337ae697

SHA1
99b28b10493310292696c221b41649be52db3308

SHA256
8628aafd49d2ac110e8e56e980aa67b9f1f6c2253bf13e231301dc14784bd5ae

SHA512
fef9bdda002ef7348788deeae1863fc1a790ae368edb5df6827916ba557b03670e08e999d04d77b08b37d437bad167b7979362a01721ae518c76a5c501c5cc69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe

Filesize
364KB

MD5
80665c8486ca3d2fc0638344337ae697

SHA1
99b28b10493310292696c221b41649be52db3308

SHA256
8628aafd49d2ac110e8e56e980aa67b9f1f6c2253bf13e231301dc14784bd5ae

SHA512
fef9bdda002ef7348788deeae1863fc1a790ae368edb5df6827916ba557b03670e08e999d04d77b08b37d437bad167b7979362a01721ae518c76a5c501c5cc69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0457560.exe

Filesize
364KB

MD5
80665c8486ca3d2fc0638344337ae697

SHA1
99b28b10493310292696c221b41649be52db3308

SHA256
8628aafd49d2ac110e8e56e980aa67b9f1f6c2253bf13e231301dc14784bd5ae

SHA512
fef9bdda002ef7348788deeae1863fc1a790ae368edb5df6827916ba557b03670e08e999d04d77b08b37d437bad167b7979362a01721ae518c76a5c501c5cc69

Download Submit
memory/2480-20-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2480-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2480-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2480-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2480-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2480-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2480-19-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2480-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2480-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2480-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads