mystic | 1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe
Size

358KB
MD5

e3fe1587da657b11858951ce2a31ebdb
SHA1

8d76063173dc570832abc197f4083ac656736509
SHA256

1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647
SHA512

af53ddf0193fd91f6d77fe2bd40c9d17f0e4e76fa224defe9464e909d009d9b48560730f71278eea65ef0dd192a5ad28d1e35a7119dba9d7a70c936d70af8cb4
SSDEEP

6144:rnjra0nHNkkhzSSWyIBHb4AOGOzUQxa3OBTcwG1JfV06NOL8cR8fi:rnvfnHy++l4sYUOBTHms8fi

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/3020-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3020-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3020-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3020-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3020-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3020-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2216 set thread context of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2668	3020	WerFault.exe	29

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 2216 wrote to memory of 3020	2216	1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe	29
PID 3020 wrote to memory of 2668	3020	AppLaunch.exe	30
PID 3020 wrote to memory of 2668	3020	AppLaunch.exe	30
PID 3020 wrote to memory of 2668	3020	AppLaunch.exe	30
PID 3020 wrote to memory of 2668	3020	AppLaunch.exe	30
PID 3020 wrote to memory of 2668	3020	AppLaunch.exe	30
PID 3020 wrote to memory of 2668	3020	AppLaunch.exe	30
PID 3020 wrote to memory of 2668	3020	AppLaunch.exe	30

C:\Users\Admin\AppData\Local\Temp\1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe
"C:\Users\Admin\AppData\Local\Temp\1821cc1e34094a7e9c54017d3113c67658d3b683a21052d68dc97b0815a90647.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 196
    3⤵
    - Program crash
    PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3020-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3020-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3020-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3020-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3020-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3020-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3020-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3020-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3020-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3020-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads