mystic | cf1b7c877498a94f6342840ca8f5be9e2543ee23eaf7269126fddd023f72a3cd

General

Target

NEAS.ba26d1fb90c49929e058635655cd7e30.exe
Size

330KB
MD5

ba26d1fb90c49929e058635655cd7e30
SHA1

aa59a7a0645e8fd5a9be6bae6e749f8e2e6a022a
SHA256

cf1b7c877498a94f6342840ca8f5be9e2543ee23eaf7269126fddd023f72a3cd
SHA512

f26382b696e1469d0e134a5a86430537bf83a2997fc0ba9a6e7912ec46ce913632acee120f3e8205a3f0e771aadb592cff05f48c1f7ace1bb6ce511b3c88e2ba
SSDEEP

6144:Kny+bnr+Tp0yN90QEvPYGozB3ko4Vo6Aw5TpeGYIpAfkNgoZjcP2HE:RMrry90BYGGB3q2FGXHiEjY

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4576-7-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4576-8-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4576-9-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4576-11-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	5yZ7IP2.exe

Executes dropped EXE 2 IoCs

pid	Process
1708	4XW440tT.exe
3436	5yZ7IP2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.ba26d1fb90c49929e058635655cd7e30.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 4576	1708	4XW440tT.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4792	4576	WerFault.exe	89

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 1708	4768	NEAS.ba26d1fb90c49929e058635655cd7e30.exe	85
PID 4768 wrote to memory of 1708	4768	NEAS.ba26d1fb90c49929e058635655cd7e30.exe	85
PID 4768 wrote to memory of 1708	4768	NEAS.ba26d1fb90c49929e058635655cd7e30.exe	85
PID 1708 wrote to memory of 1728	1708	4XW440tT.exe	88
PID 1708 wrote to memory of 1728	1708	4XW440tT.exe	88
PID 1708 wrote to memory of 1728	1708	4XW440tT.exe	88
PID 1708 wrote to memory of 4576	1708	4XW440tT.exe	89
PID 1708 wrote to memory of 4576	1708	4XW440tT.exe	89
PID 1708 wrote to memory of 4576	1708	4XW440tT.exe	89
PID 1708 wrote to memory of 4576	1708	4XW440tT.exe	89
PID 1708 wrote to memory of 4576	1708	4XW440tT.exe	89
PID 1708 wrote to memory of 4576	1708	4XW440tT.exe	89
PID 1708 wrote to memory of 4576	1708	4XW440tT.exe	89
PID 1708 wrote to memory of 4576	1708	4XW440tT.exe	89
PID 1708 wrote to memory of 4576	1708	4XW440tT.exe	89
PID 1708 wrote to memory of 4576	1708	4XW440tT.exe	89
PID 4768 wrote to memory of 3436	4768	NEAS.ba26d1fb90c49929e058635655cd7e30.exe	91
PID 4768 wrote to memory of 3436	4768	NEAS.ba26d1fb90c49929e058635655cd7e30.exe	91
PID 4768 wrote to memory of 3436	4768	NEAS.ba26d1fb90c49929e058635655cd7e30.exe	91
PID 3436 wrote to memory of 2536	3436	5yZ7IP2.exe	96
PID 3436 wrote to memory of 2536	3436	5yZ7IP2.exe	96
PID 3436 wrote to memory of 2536	3436	5yZ7IP2.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.ba26d1fb90c49929e058635655cd7e30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ba26d1fb90c49929e058635655cd7e30.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XW440tT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XW440tT.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 540
      4⤵
      Program crash
      PID:4792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yZ7IP2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yZ7IP2.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4576 -ip 4576
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XW440tT.exe

Filesize
300KB

MD5
7c2202b6f6d9308b345f07260804d62f

SHA1
870362f6e528216392561ecafe9fe868876ca649

SHA256
906adf2c13e0c208b70017a7111ae576dd5881d954d67b0bf969c186b00da44c

SHA512
18df1c9a914c3b7b8438c639c320da1760a74f3949b4502a6a56c7808f7478ae4bdc64e2958e7ed2140a72671fc5bbdb2de3dfe12d7ad6fd765884dc51a26706

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XW440tT.exe

Filesize
300KB

MD5
7c2202b6f6d9308b345f07260804d62f

SHA1
870362f6e528216392561ecafe9fe868876ca649

SHA256
906adf2c13e0c208b70017a7111ae576dd5881d954d67b0bf969c186b00da44c

SHA512
18df1c9a914c3b7b8438c639c320da1760a74f3949b4502a6a56c7808f7478ae4bdc64e2958e7ed2140a72671fc5bbdb2de3dfe12d7ad6fd765884dc51a26706

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yZ7IP2.exe

Filesize
73KB

MD5
6e778a79ac0a93896cc3dc343102d661

SHA1
2cc8b428e53e7cccf0b5b5d9e88fad5a1fc9a08c

SHA256
db01c6c017845c0c7f8bf65455ef480a67ba5a71a757000aa99a60935493df1d

SHA512
68c6dcaa1f7a659a5a19763fc9bc89eb497cca3deb4fdcb85a7370be79ef8cb87537b4af62350e30ff4705124d4dcfd4e0922d227c01bbdc1840dbcc6fc7a75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yZ7IP2.exe

Filesize
73KB

MD5
6e778a79ac0a93896cc3dc343102d661

SHA1
2cc8b428e53e7cccf0b5b5d9e88fad5a1fc9a08c

SHA256
db01c6c017845c0c7f8bf65455ef480a67ba5a71a757000aa99a60935493df1d

SHA512
68c6dcaa1f7a659a5a19763fc9bc89eb497cca3deb4fdcb85a7370be79ef8cb87537b4af62350e30ff4705124d4dcfd4e0922d227c01bbdc1840dbcc6fc7a75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
memory/4576-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads