mystic | 2eeb5813bcefb62b20b1431ef85d44be708b89beeaafbff2c4b36e2913afcb4e

General

Target

2eeb5813bcefb62b20b1431ef85d44be708b89beeaafbff2c4b36e2913afcb4e.exe
Size

1.3MB
MD5

73d5dd5ced2905ef76857df18511fa9f
SHA1

984f3a1e5cedc0c26acdca22d62e9ce68acb5bdb
SHA256

2eeb5813bcefb62b20b1431ef85d44be708b89beeaafbff2c4b36e2913afcb4e
SHA512

84103291f9680b11a4ea57cdda8a23d6519eb0b0642a979543d005c19b1c577a1cd91df45f6dd72efbbf8d71940230423e9759c78cffb674027c994bab013597
SSDEEP

24576:HywMMxgDQw3Aa9mSPdNiqeE6p3doUlvtmgScQGJY/hmlewhBLuI0xXxC8/lzO:SwScw3ASHFNiqG3C+tmgfHKhWT0xXxCa

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1436-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1436-26-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1436-27-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1436-29-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 4 IoCs

pid	Process
4256	SQ2si95.exe
4280	Co9YO11.exe
2132	11ae3121.exe
4928	12Ro178.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Co9YO11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2eeb5813bcefb62b20b1431ef85d44be708b89beeaafbff2c4b36e2913afcb4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	SQ2si95.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 1436	2132	11ae3121.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
688	1436	WerFault.exe	75

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4256	3888	2eeb5813bcefb62b20b1431ef85d44be708b89beeaafbff2c4b36e2913afcb4e.exe	71
PID 3888 wrote to memory of 4256	3888	2eeb5813bcefb62b20b1431ef85d44be708b89beeaafbff2c4b36e2913afcb4e.exe	71
PID 3888 wrote to memory of 4256	3888	2eeb5813bcefb62b20b1431ef85d44be708b89beeaafbff2c4b36e2913afcb4e.exe	71
PID 4256 wrote to memory of 4280	4256	SQ2si95.exe	72
PID 4256 wrote to memory of 4280	4256	SQ2si95.exe	72
PID 4256 wrote to memory of 4280	4256	SQ2si95.exe	72
PID 4280 wrote to memory of 2132	4280	Co9YO11.exe	73
PID 4280 wrote to memory of 2132	4280	Co9YO11.exe	73
PID 4280 wrote to memory of 2132	4280	Co9YO11.exe	73
PID 2132 wrote to memory of 1436	2132	11ae3121.exe	75
PID 2132 wrote to memory of 1436	2132	11ae3121.exe	75
PID 2132 wrote to memory of 1436	2132	11ae3121.exe	75
PID 2132 wrote to memory of 1436	2132	11ae3121.exe	75
PID 2132 wrote to memory of 1436	2132	11ae3121.exe	75
PID 2132 wrote to memory of 1436	2132	11ae3121.exe	75
PID 2132 wrote to memory of 1436	2132	11ae3121.exe	75
PID 2132 wrote to memory of 1436	2132	11ae3121.exe	75
PID 2132 wrote to memory of 1436	2132	11ae3121.exe	75
PID 2132 wrote to memory of 1436	2132	11ae3121.exe	75
PID 4280 wrote to memory of 4928	4280	Co9YO11.exe	76
PID 4280 wrote to memory of 4928	4280	Co9YO11.exe	76
PID 4280 wrote to memory of 4928	4280	Co9YO11.exe	76

C:\Users\Admin\AppData\Local\Temp\2eeb5813bcefb62b20b1431ef85d44be708b89beeaafbff2c4b36e2913afcb4e.exe
"C:\Users\Admin\AppData\Local\Temp\2eeb5813bcefb62b20b1431ef85d44be708b89beeaafbff2c4b36e2913afcb4e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SQ2si95.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SQ2si95.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Co9YO11.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Co9YO11.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11ae3121.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11ae3121.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 568
        6⤵
        Program crash
        
        PID:688
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Ro178.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Ro178.exe
      4⤵
      Executes dropped EXE
      PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SQ2si95.exe

Filesize
880KB

MD5
acb68b7a3b092995eb12227ed0f83229

SHA1
8684bbfc6105a5c2488b55a264e0892a79556447

SHA256
61e8be173392345b20263b5943f4a1b4cc992e4c1291484128d3a3afcf1f59a0

SHA512
0fc46df3d1781b2f6d493b89bbf318f33cd4bb8810d9465233ccc96d8621a773901d245b1c04a36d5e0baf9c916d9921abffff0973f0c9692a4325d5e23c46c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SQ2si95.exe

Filesize
880KB

MD5
acb68b7a3b092995eb12227ed0f83229

SHA1
8684bbfc6105a5c2488b55a264e0892a79556447

SHA256
61e8be173392345b20263b5943f4a1b4cc992e4c1291484128d3a3afcf1f59a0

SHA512
0fc46df3d1781b2f6d493b89bbf318f33cd4bb8810d9465233ccc96d8621a773901d245b1c04a36d5e0baf9c916d9921abffff0973f0c9692a4325d5e23c46c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Co9YO11.exe

Filesize
419KB

MD5
b2cc7177962605348c378a59f8e07ab0

SHA1
8e4629b44e0fead30bdcbb058a4ddb063f73e158

SHA256
13e8bcc1746a867d5fffce461395b52430a9294ecc0b29090330165cc826dd5b

SHA512
bd61ca2cff2b1ca5d692739c39ae9fae96c27309584ecd19654ee47b2e9fd77e35f6da27900b55136261c0600d96420b2a04ccf15de81fd2c3fe4151238346ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Co9YO11.exe

Filesize
419KB

MD5
b2cc7177962605348c378a59f8e07ab0

SHA1
8e4629b44e0fead30bdcbb058a4ddb063f73e158

SHA256
13e8bcc1746a867d5fffce461395b52430a9294ecc0b29090330165cc826dd5b

SHA512
bd61ca2cff2b1ca5d692739c39ae9fae96c27309584ecd19654ee47b2e9fd77e35f6da27900b55136261c0600d96420b2a04ccf15de81fd2c3fe4151238346ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11ae3121.exe

Filesize
369KB

MD5
a2b145121c7a9e43905ada670016023c

SHA1
6e362230ff21eb2c4a602b94970151b5650c06f2

SHA256
d07ce86fb03cb100724b7ead3cfc052c977a212d88af6cb60e9841315635ad7f

SHA512
e54bd034dabdf6fac510b8f89fb8389e8d83c078c0e5dc6b12882d7751917abbb1dd4566a4e48ad7e76e50546b3f18dc0ff58fb219a99c8b80b2aadeb63c415b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11ae3121.exe

Filesize
369KB

MD5
a2b145121c7a9e43905ada670016023c

SHA1
6e362230ff21eb2c4a602b94970151b5650c06f2

SHA256
d07ce86fb03cb100724b7ead3cfc052c977a212d88af6cb60e9841315635ad7f

SHA512
e54bd034dabdf6fac510b8f89fb8389e8d83c078c0e5dc6b12882d7751917abbb1dd4566a4e48ad7e76e50546b3f18dc0ff58fb219a99c8b80b2aadeb63c415b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Ro178.exe

Filesize
408KB

MD5
a14c4b3ff85a1af54541847bd2bbfb7b

SHA1
9d7b1190a52aba8c143b1756f712a0d8a003366d

SHA256
eb0f69216d07a8e50051bc34af15e4a6337bd90fb9d68e3b3a4bb779b7d9801b

SHA512
1f1daa0af85c5fcfe5587e4e75009cc187d2ecccc74cc080a5edf94dc056b5e207ef69773072553e2b3f2ffecc082ad325197f4a75b1c3e13d1e493031056acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Ro178.exe

Filesize
408KB

MD5
a14c4b3ff85a1af54541847bd2bbfb7b

SHA1
9d7b1190a52aba8c143b1756f712a0d8a003366d

SHA256
eb0f69216d07a8e50051bc34af15e4a6337bd90fb9d68e3b3a4bb779b7d9801b

SHA512
1f1daa0af85c5fcfe5587e4e75009cc187d2ecccc74cc080a5edf94dc056b5e207ef69773072553e2b3f2ffecc082ad325197f4a75b1c3e13d1e493031056acd

Download Submit
memory/1436-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads