mystic | 3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d

Analysis

max time kernel
118s
max time network
138s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe
Size

1.8MB
MD5

6dc1ae62e5061e280cd69cbd2b1089fa
SHA1

49de645282784b15f5c385f61d6fc29b32e4f014
SHA256

3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d
SHA512

fe3a8855e664bd849237e0254c50e392d326d93e929d435c3dad2620e3c090bb79e8d97730d55c3b4ea416d781e80e82b2fc5783635ffebb0ba60ff510b7fad1
SSDEEP

24576:8t1NbOpYL0ln9NN05E1AZ5Rf6a9DhvhBG6cJo:ozh0ln9NNmZTf6a3vnGLa

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/1748-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1748-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1748-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1748-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1748-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1748-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2656	1748	WerFault.exe	30

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2016	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	29
PID 2180 wrote to memory of 2016	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	29
PID 2180 wrote to memory of 2016	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	29
PID 2180 wrote to memory of 2016	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	29
PID 2180 wrote to memory of 2016	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	29
PID 2180 wrote to memory of 2016	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	29
PID 2180 wrote to memory of 2016	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	29
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 2180 wrote to memory of 1748	2180	3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe	30
PID 1748 wrote to memory of 2656	1748	AppLaunch.exe	31
PID 1748 wrote to memory of 2656	1748	AppLaunch.exe	31
PID 1748 wrote to memory of 2656	1748	AppLaunch.exe	31
PID 1748 wrote to memory of 2656	1748	AppLaunch.exe	31
PID 1748 wrote to memory of 2656	1748	AppLaunch.exe	31
PID 1748 wrote to memory of 2656	1748	AppLaunch.exe	31
PID 1748 wrote to memory of 2656	1748	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe
"C:\Users\Admin\AppData\Local\Temp\3698210fac9ca446bf61be29ac07d5c53fcb31bfe6549e80c507154b7b03f02d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 196
    3⤵
    - Program crash
    PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1748-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1748-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1748-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads