mystic | 6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 04:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe
Size

358KB
MD5

d02481e6a7c057a1bae16cac05c9767d
SHA1

5419b0024b5e9ae34326bde2a157d2aa47d5f85c
SHA256

6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7
SHA512

b0276d87b560703551152edc21b4a900e6ec7d4f6368f9a6a1976ad3ff545821ea00c41608b183eeaf73595113386969f1dbf2c89969491780be1a91c3fc1738
SSDEEP

6144:6/SXR/bOEHHkwxOSeyCKrJz4AORJ6hwby5lN6Zu2PN6I8fi:uSX1aEHEw94bIeby5lN6ZuA8fi

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/700-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/700-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/700-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/700-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/700-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/700-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2428	700	WerFault.exe	28

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 1520 wrote to memory of 700	1520	6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe	28
PID 700 wrote to memory of 2428	700	AppLaunch.exe	29
PID 700 wrote to memory of 2428	700	AppLaunch.exe	29
PID 700 wrote to memory of 2428	700	AppLaunch.exe	29
PID 700 wrote to memory of 2428	700	AppLaunch.exe	29
PID 700 wrote to memory of 2428	700	AppLaunch.exe	29
PID 700 wrote to memory of 2428	700	AppLaunch.exe	29
PID 700 wrote to memory of 2428	700	AppLaunch.exe	29

C:\Users\Admin\AppData\Local\Temp\6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe
"C:\Users\Admin\AppData\Local\Temp\6f5227be4d519cfdcb997d49aa185c91b3332803df4a4c0f2074c78312dc06b7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 196
    3⤵
    - Program crash
    PID:2428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/700-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/700-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/700-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/700-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/700-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/700-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/700-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/700-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/700-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/700-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.