mystic | 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46

Resubmissions

05-04-2024 07:57

240405-js9mjaeh5y 10

10-11-2023 04:48

231110-fe873ada44 10

Analysis

max time kernel
299s
max time network
319s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
10-11-2023 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
Size

330KB
MD5

73337493b31c5c10d102c7d42153c864
SHA1

903d8ba2dab13ea55e0b6f13f607caff4df56aaa
SHA256

40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46
SHA512

7848c05fe05430d48556acc5c75ee5b2b33df29356e5f20e204fd69ae3b2fde3abb515220cb515b962ae533dea5de2f093af84d8c66f5daff6e865be58eba23e
SSDEEP

6144:KLy+bnr+fp0yN90QEE0ST8+kRAUXHx39ONZAQnJv8KW/4CMz5D+:9Mrny90pSTxymuQB8PAL+

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2120-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2120-17-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2120-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2120-20-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2120-22-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2120-24-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 2 IoCs

pid	Process
1088	4ty923ky.exe
2772	5Qt9WY4.exe

Loads dropped DLL 6 IoCs

pid	Process
2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
1088	4ty923ky.exe
2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
2772	5Qt9WY4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1088 set thread context of 2120	1088	4ty923ky.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2712	2120	WerFault.exe	30

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1088	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	28
PID 2000 wrote to memory of 1088	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	28
PID 2000 wrote to memory of 1088	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	28
PID 2000 wrote to memory of 1088	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	28
PID 2000 wrote to memory of 1088	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	28
PID 2000 wrote to memory of 1088	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	28
PID 2000 wrote to memory of 1088	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	28
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 1088 wrote to memory of 2120	1088	4ty923ky.exe	30
PID 2000 wrote to memory of 2772	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	31
PID 2000 wrote to memory of 2772	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	31
PID 2000 wrote to memory of 2772	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	31
PID 2000 wrote to memory of 2772	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	31
PID 2000 wrote to memory of 2772	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	31
PID 2000 wrote to memory of 2772	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	31
PID 2000 wrote to memory of 2772	2000	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	31
PID 2120 wrote to memory of 2712	2120	AppLaunch.exe	32
PID 2120 wrote to memory of 2712	2120	AppLaunch.exe	32
PID 2120 wrote to memory of 2712	2120	AppLaunch.exe	32
PID 2120 wrote to memory of 2712	2120	AppLaunch.exe	32
PID 2120 wrote to memory of 2712	2120	AppLaunch.exe	32
PID 2120 wrote to memory of 2712	2120	AppLaunch.exe	32
PID 2120 wrote to memory of 2712	2120	AppLaunch.exe	32
PID 2772 wrote to memory of 2916	2772	5Qt9WY4.exe	33
PID 2772 wrote to memory of 2916	2772	5Qt9WY4.exe	33
PID 2772 wrote to memory of 2916	2772	5Qt9WY4.exe	33
PID 2772 wrote to memory of 2916	2772	5Qt9WY4.exe	33
PID 2772 wrote to memory of 2916	2772	5Qt9WY4.exe	33
PID 2772 wrote to memory of 2916	2772	5Qt9WY4.exe	33
PID 2772 wrote to memory of 2916	2772	5Qt9WY4.exe	33

C:\Users\Admin\AppData\Local\Temp\40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
"C:\Users\Admin\AppData\Local\Temp\40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 268
      4⤵
      Program crash
      PID:2712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe

Filesize
300KB

MD5
029cf82638b1154788b6282d98145bd2

SHA1
eeb8c589b10cdd5a74c59003b39b241e4e1a76a6

SHA256
58a01049db4cd0c261a020d67cfbf650879435720ab9815f40372046316a4709

SHA512
c768c11e940501e92785ad1989bc7905be585a3b3363ce4aa9ec7e20c1dce069185c68f2294a4b2c6e389bf9360ce68a2046b877d38aa3aa80853a15cd0a5435

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe

Filesize
300KB

MD5
029cf82638b1154788b6282d98145bd2

SHA1
eeb8c589b10cdd5a74c59003b39b241e4e1a76a6

SHA256
58a01049db4cd0c261a020d67cfbf650879435720ab9815f40372046316a4709

SHA512
c768c11e940501e92785ad1989bc7905be585a3b3363ce4aa9ec7e20c1dce069185c68f2294a4b2c6e389bf9360ce68a2046b877d38aa3aa80853a15cd0a5435

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe

Filesize
300KB

MD5
029cf82638b1154788b6282d98145bd2

SHA1
eeb8c589b10cdd5a74c59003b39b241e4e1a76a6

SHA256
58a01049db4cd0c261a020d67cfbf650879435720ab9815f40372046316a4709

SHA512
c768c11e940501e92785ad1989bc7905be585a3b3363ce4aa9ec7e20c1dce069185c68f2294a4b2c6e389bf9360ce68a2046b877d38aa3aa80853a15cd0a5435

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe

Filesize
73KB

MD5
b3ec308b68f91a6a792a9b150cf7447e

SHA1
c29903c1ccf07cb06147bee1990df0bf9c214561

SHA256
50221e85d5d46abd1682c85cdf175f0140521a3c3c90606136965c045a48490b

SHA512
8f25ec293fda40ac2e57033c73918ebbd6d45d991dc30fa442f611934b36fc78c00b877240aba0c131d4a058e8ec9fb506f9d4ea892cd508a51880d2849b186f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe

Filesize
73KB

MD5
b3ec308b68f91a6a792a9b150cf7447e

SHA1
c29903c1ccf07cb06147bee1990df0bf9c214561

SHA256
50221e85d5d46abd1682c85cdf175f0140521a3c3c90606136965c045a48490b

SHA512
8f25ec293fda40ac2e57033c73918ebbd6d45d991dc30fa442f611934b36fc78c00b877240aba0c131d4a058e8ec9fb506f9d4ea892cd508a51880d2849b186f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe

Filesize
73KB

MD5
b3ec308b68f91a6a792a9b150cf7447e

SHA1
c29903c1ccf07cb06147bee1990df0bf9c214561

SHA256
50221e85d5d46abd1682c85cdf175f0140521a3c3c90606136965c045a48490b

SHA512
8f25ec293fda40ac2e57033c73918ebbd6d45d991dc30fa442f611934b36fc78c00b877240aba0c131d4a058e8ec9fb506f9d4ea892cd508a51880d2849b186f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe

Filesize
300KB

MD5
029cf82638b1154788b6282d98145bd2

SHA1
eeb8c589b10cdd5a74c59003b39b241e4e1a76a6

SHA256
58a01049db4cd0c261a020d67cfbf650879435720ab9815f40372046316a4709

SHA512
c768c11e940501e92785ad1989bc7905be585a3b3363ce4aa9ec7e20c1dce069185c68f2294a4b2c6e389bf9360ce68a2046b877d38aa3aa80853a15cd0a5435

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe

Filesize
300KB

MD5
029cf82638b1154788b6282d98145bd2

SHA1
eeb8c589b10cdd5a74c59003b39b241e4e1a76a6

SHA256
58a01049db4cd0c261a020d67cfbf650879435720ab9815f40372046316a4709

SHA512
c768c11e940501e92785ad1989bc7905be585a3b3363ce4aa9ec7e20c1dce069185c68f2294a4b2c6e389bf9360ce68a2046b877d38aa3aa80853a15cd0a5435

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe

Filesize
300KB

MD5
029cf82638b1154788b6282d98145bd2

SHA1
eeb8c589b10cdd5a74c59003b39b241e4e1a76a6

SHA256
58a01049db4cd0c261a020d67cfbf650879435720ab9815f40372046316a4709

SHA512
c768c11e940501e92785ad1989bc7905be585a3b3363ce4aa9ec7e20c1dce069185c68f2294a4b2c6e389bf9360ce68a2046b877d38aa3aa80853a15cd0a5435

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe

Filesize
73KB

MD5
b3ec308b68f91a6a792a9b150cf7447e

SHA1
c29903c1ccf07cb06147bee1990df0bf9c214561

SHA256
50221e85d5d46abd1682c85cdf175f0140521a3c3c90606136965c045a48490b

SHA512
8f25ec293fda40ac2e57033c73918ebbd6d45d991dc30fa442f611934b36fc78c00b877240aba0c131d4a058e8ec9fb506f9d4ea892cd508a51880d2849b186f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe

Filesize
73KB

MD5
b3ec308b68f91a6a792a9b150cf7447e

SHA1
c29903c1ccf07cb06147bee1990df0bf9c214561

SHA256
50221e85d5d46abd1682c85cdf175f0140521a3c3c90606136965c045a48490b

SHA512
8f25ec293fda40ac2e57033c73918ebbd6d45d991dc30fa442f611934b36fc78c00b877240aba0c131d4a058e8ec9fb506f9d4ea892cd508a51880d2849b186f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe

Filesize
73KB

MD5
b3ec308b68f91a6a792a9b150cf7447e

SHA1
c29903c1ccf07cb06147bee1990df0bf9c214561

SHA256
50221e85d5d46abd1682c85cdf175f0140521a3c3c90606136965c045a48490b

SHA512
8f25ec293fda40ac2e57033c73918ebbd6d45d991dc30fa442f611934b36fc78c00b877240aba0c131d4a058e8ec9fb506f9d4ea892cd508a51880d2849b186f

Download Submit
memory/2120-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-19-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2120-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads