mystic | ea8521cc18559f9ef33aa0fcc78734fc788d9d23604637c02716335641c7f2c4

General

Target

ea8521cc18559f9ef33aa0fcc78734fc788d9d23604637c02716335641c7f2c4.exe
Size

1.1MB
MD5

0144140922c83bdacbf8ef346375bef5
SHA1

5dca87fb6445a49b1414ed940f48163f7f3708f5
SHA256

ea8521cc18559f9ef33aa0fcc78734fc788d9d23604637c02716335641c7f2c4
SHA512

687fb862a0f3a5df61d03654a57f99565a9000bf17032ccf1a0affb374b9f5b3f947e94a72e2dc38c05c1e77a4c272b65a91cf3fd4c984aea3de67c22d77d7ec
SSDEEP

24576:vy3TbSaRD4qJCKu+Fa256r1N3nNZ1BtUet7//W3AhQ8u:63SiHJCKVFa25y1NXNZuetb/l

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/512-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/512-26-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/512-27-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/512-29-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 4 IoCs

pid	Process
3916	sb8UV94.exe
3544	Ur5WL44.exe
1196	11xp7655.exe
4944	12jb238.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ur5WL44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ea8521cc18559f9ef33aa0fcc78734fc788d9d23604637c02716335641c7f2c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sb8UV94.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 512	1196	11xp7655.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
364	512	WerFault.exe	75

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 3916	5116	ea8521cc18559f9ef33aa0fcc78734fc788d9d23604637c02716335641c7f2c4.exe	71
PID 5116 wrote to memory of 3916	5116	ea8521cc18559f9ef33aa0fcc78734fc788d9d23604637c02716335641c7f2c4.exe	71
PID 5116 wrote to memory of 3916	5116	ea8521cc18559f9ef33aa0fcc78734fc788d9d23604637c02716335641c7f2c4.exe	71
PID 3916 wrote to memory of 3544	3916	sb8UV94.exe	72
PID 3916 wrote to memory of 3544	3916	sb8UV94.exe	72
PID 3916 wrote to memory of 3544	3916	sb8UV94.exe	72
PID 3544 wrote to memory of 1196	3544	Ur5WL44.exe	73
PID 3544 wrote to memory of 1196	3544	Ur5WL44.exe	73
PID 3544 wrote to memory of 1196	3544	Ur5WL44.exe	73
PID 1196 wrote to memory of 512	1196	11xp7655.exe	75
PID 1196 wrote to memory of 512	1196	11xp7655.exe	75
PID 1196 wrote to memory of 512	1196	11xp7655.exe	75
PID 1196 wrote to memory of 512	1196	11xp7655.exe	75
PID 1196 wrote to memory of 512	1196	11xp7655.exe	75
PID 1196 wrote to memory of 512	1196	11xp7655.exe	75
PID 1196 wrote to memory of 512	1196	11xp7655.exe	75
PID 1196 wrote to memory of 512	1196	11xp7655.exe	75
PID 1196 wrote to memory of 512	1196	11xp7655.exe	75
PID 1196 wrote to memory of 512	1196	11xp7655.exe	75
PID 3544 wrote to memory of 4944	3544	Ur5WL44.exe	76
PID 3544 wrote to memory of 4944	3544	Ur5WL44.exe	76
PID 3544 wrote to memory of 4944	3544	Ur5WL44.exe	76

C:\Users\Admin\AppData\Local\Temp\ea8521cc18559f9ef33aa0fcc78734fc788d9d23604637c02716335641c7f2c4.exe
"C:\Users\Admin\AppData\Local\Temp\ea8521cc18559f9ef33aa0fcc78734fc788d9d23604637c02716335641c7f2c4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sb8UV94.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sb8UV94.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur5WL44.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur5WL44.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11xp7655.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11xp7655.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:512
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 568
        6⤵
        Program crash
        
        PID:364
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12jb238.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12jb238.exe
      4⤵
      Executes dropped EXE
      PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sb8UV94.exe

Filesize
889KB

MD5
75ffc74a96a3f8f92b56c1d57c528170

SHA1
486d7c4e0a4f551609a40057790fbc5afc76d0e7

SHA256
7bcac743a548ca59c14ce032fd06a2a767343a876e7eb5bcdb9cbc471f05f88b

SHA512
30d898718560dcba9e023c9887dc5ccaa439a3e71d10a7553bfaa0709c4d14342cc56d2f7241c705d7f350dc25b378b7b4d8756c1cc973bb09b23b144595299d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sb8UV94.exe

Filesize
889KB

MD5
75ffc74a96a3f8f92b56c1d57c528170

SHA1
486d7c4e0a4f551609a40057790fbc5afc76d0e7

SHA256
7bcac743a548ca59c14ce032fd06a2a767343a876e7eb5bcdb9cbc471f05f88b

SHA512
30d898718560dcba9e023c9887dc5ccaa439a3e71d10a7553bfaa0709c4d14342cc56d2f7241c705d7f350dc25b378b7b4d8756c1cc973bb09b23b144595299d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur5WL44.exe

Filesize
426KB

MD5
1cfcc52c462884921efcd71d2964a590

SHA1
f0950b2f31f492d57dd07e1070419b2a8d376166

SHA256
2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030

SHA512
cae2b703fd2e337c19f905d30112f379c1c5c2fe0f8bdf9a24076671ea1af71a6e2b82e142c20d5b364517600789ad0ca46d365140fffb9f218fdd61ac80eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ur5WL44.exe

Filesize
426KB

MD5
1cfcc52c462884921efcd71d2964a590

SHA1
f0950b2f31f492d57dd07e1070419b2a8d376166

SHA256
2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030

SHA512
cae2b703fd2e337c19f905d30112f379c1c5c2fe0f8bdf9a24076671ea1af71a6e2b82e142c20d5b364517600789ad0ca46d365140fffb9f218fdd61ac80eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11xp7655.exe

Filesize
369KB

MD5
ca09344fbf4a1dbaffe18eb4a00a931a

SHA1
81d5ed2e00d4d297cda4882641e957eb75d9f9a9

SHA256
6113e109ebd9701ce5c91d223394bf22a027534a4dc46f654afabe53efd16c35

SHA512
c8663715e54d8618464aa2f1edfa3b4d1a6deac744d6fa39a5656937610bdd5af9c9ae6b405a329dc0b965c983330e875f691e2b5c7b9a891cd0bc013df6187f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11xp7655.exe

Filesize
369KB

MD5
ca09344fbf4a1dbaffe18eb4a00a931a

SHA1
81d5ed2e00d4d297cda4882641e957eb75d9f9a9

SHA256
6113e109ebd9701ce5c91d223394bf22a027534a4dc46f654afabe53efd16c35

SHA512
c8663715e54d8618464aa2f1edfa3b4d1a6deac744d6fa39a5656937610bdd5af9c9ae6b405a329dc0b965c983330e875f691e2b5c7b9a891cd0bc013df6187f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12jb238.exe

Filesize
408KB

MD5
1027a27916c1340828d23a53d93358b5

SHA1
66cc85c589f8c9ce0bcf4e8f8588233c3885dbcc

SHA256
173e31ff7b01259106f4ab3434aaf97a3ded33bb675ae8d737d9a696821b106f

SHA512
0e6bddad66d784ca200106ef62b51be245da066f3b7b93292a9153c602b9842ca31b9c2f73b66a99ccfb0591fa205fd56ba931eb4f06c9b9f54f264016e045d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12jb238.exe

Filesize
408KB

MD5
1027a27916c1340828d23a53d93358b5

SHA1
66cc85c589f8c9ce0bcf4e8f8588233c3885dbcc

SHA256
173e31ff7b01259106f4ab3434aaf97a3ded33bb675ae8d737d9a696821b106f

SHA512
0e6bddad66d784ca200106ef62b51be245da066f3b7b93292a9153c602b9842ca31b9c2f73b66a99ccfb0591fa205fd56ba931eb4f06c9b9f54f264016e045d0

Download Submit
memory/512-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads