mystic | f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9

Analysis

max time kernel
118s
max time network
143s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 17:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe
Size

371KB
MD5

dfcd9fe8971808e9d577622e2ce65e14
SHA1

15cd11794537a820008f967306960559e0569ad1
SHA256

f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9
SHA512

027d994dc23e0727678b6fc3c914ab5b4395bec0e560541fdb8b52eba1c6ed361940fb00110e640d4b5f18f7b7cd94d80c8dc9059e450368d8cc8776db5d3dde
SSDEEP

6144:2xvJm09zORs+z/TMify9DAOagQ7yAreb00TtxQhLmVUer8/:2Rw09CK5NNqyZxyLmVUer8/

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2604-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2604-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2604-6-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2604-8-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2604-10-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2604-12-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2856	2604	WerFault.exe	27

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 1976 wrote to memory of 2604	1976	f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe	27
PID 2604 wrote to memory of 2856	2604	AppLaunch.exe	28
PID 2604 wrote to memory of 2856	2604	AppLaunch.exe	28
PID 2604 wrote to memory of 2856	2604	AppLaunch.exe	28
PID 2604 wrote to memory of 2856	2604	AppLaunch.exe	28
PID 2604 wrote to memory of 2856	2604	AppLaunch.exe	28
PID 2604 wrote to memory of 2856	2604	AppLaunch.exe	28
PID 2604 wrote to memory of 2856	2604	AppLaunch.exe	28

C:\Users\Admin\AppData\Local\Temp\f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe
"C:\Users\Admin\AppData\Local\Temp\f8d217c5b0a9d967c0fbf590c63a941659835e87173ab4aef5c815e3c0d5fcc9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 196
    3⤵
    - Program crash
    PID:2856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2604-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2604-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2604-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2604-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2604-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2604-6-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2604-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2604-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2604-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads